I took notes during the "What's new in managing Apple Devices" session. If interested, please see the attached "Notes from session": Session Notes For the session video, please see the following link: https://developer.apple.com/wwdc22/10045

Gostaria de propor a criação de um Modo de Bateria Crítica Inteligente para impedir desligamentos abruptos quando o iPhone atinge 1% de bateria. O objetivo principal é evitar perda de dados, especialmente em tarefas importantes ou documentos não salvos. ✔️ Funcionamento sugerido: • Quando o iPhone atinge 1% de bateria, o sistema ativa automaticamente um modo de energia ultrarreduzida, mantendo o aparelho ligado por alguns segundos ou minutos extras. • Esse modo poderia: • suspender animações; • reduzir brilho ao mínimo; • pausar atualizações em segundo plano; • congelar aplicativos não essenciais; • priorizar salvamento automático de arquivos, notas, gravações e mensagens. ✔️ Benefícios: 1. Evita a sensação de desligamento inesperado. 2. Reduz o risco de perda de dados importantes. 3. Melhora a segurança e experiência do usuário. 4. Prolonga a vida útil da bateria, reduzindo ciclos críticos. ✔️ Considerações: O objetivo não é estender artificialmente a autonomia, mas sim criar uma janela de proteção que permita ao sistema salvar dados e fazer desligamento programado, evitando danos e frustração.

Hi everyone, I submitted this feature request through Apple’s Feedback Assistant and wanted to share it here, because many families run into the same issue and Apple prioritizes features based on the number of reports they receive. Current limitation: Screen Time only allows one single Downtime period per day for child accounts. For families with separate school hours and bedtime, this is very impractical. My real-world use case: • Downtime 1: 08:00–13:00 (school) • Downtime 2: 20:00–06:00 (bedtime) Both serve completely different purposes, but are not possible to combine with the current system. My suggestions to Apple: Support multiple Downtime periods per day for child accounts. Allow custom exceptions per Downtime block (e.g., allow Phone app). Provide more flexibility overall for families using Screen Time. If you would benefit from this too, it would be great if you could submit the same request via the Feedback app – the more reports Apple receives, the higher the chance for implementation. My Feedback ID: FB21265678 Thank you! 🙏 Hallo zusammen, ich habe über die Feedback-App einen Vorschlag an Apple eingereicht und wollte ihn hier teilen, weil viele Familien dasselbe Problem haben und Apple mehr Rückmeldungen braucht, um das Thema zu priorisieren. Aktuelles Problem: In Bildschirmzeit kann für Kinder aktuell nur eine einzige Auszeit pro Tag eingerichtet werden. Für Familien mit getrennten Schul- und Schlafenszeiten ist das extrem unpraktisch. Mein Anwendungsfall: • Auszeit 1: 08:00–13:00 (Schule) • Auszeit 2: 20:00–06:00 (Schlafenszeit) Beides erfüllt unterschiedliche Zwecke, ist aber nicht kombinierbar. Mein Vorschlag an Apple: Mehrere Auszeiten pro Tag für Kinderaccounts. Pro Auszeit eigene Ausnahmen festlegen (z. B. Telefon erlauben). Allgemein mehr Flexibilität im Screen-Time-System für Familien. Wenn ihr das ebenfalls hilfreich findet, wäre es super, wenn ihr es auch über die Feedback-App meldet – je mehr, desto besser. Feedback-ID meines Vorschlags: FB21265678 Danke euch! 🙏

Hello, I am writing a NetworkExtension VPN using custom protocol and our client would like to able to use 5G network slice on the VPN, is this possible at all? From Apple's documentation, I found the following statement: If both network slicing and VPN are configured for an app or device, the VPN connection takes precedence over the network slice, rendering the network slice unused. Is it possible to assign a network slice on a NetworkExtension-based VPN and let the VPN traffic uses the assign network slice? Many thanks

For additional security we would like to avoid keeping generated certificates (their private keys) on our server after installing them on a device, but still be able to reference them in later installed configuration profiles via MDM. However, it seems that for a configuration profile's payload to use a certificate (e.g. VPN payload), the certificate payload must be present in the same profile. Are we missing anything, perhaps it's already possible somehow? Ideal workflow for us would be: our MDM server generates a certificate (private+public keys) for a given device our MDM server sends this certificate to the device as configuration profile and saves PayloadUUID of the certificate's payload our MDM server deletes the generated private key from its storage. At this point the private key is present only on the device. at some point in the future our MDM server sends a configuration profile that references the certificate from step 2 via the saved PayloadUUID (e.g. using key PayloadCertificateUUID in a VPN payload) Current result: device responds to MDM server with error "The profile “VPN” could not be installed. Certificates needed for the VPN service “VPN” are invalid." Desired result: device is able to find the previously installed certificate via its PayloadUUID. Alternatively, it could be certificate fingerprint or something similar. One more alternative could be to replace steps 1-3 by an app on the device that obtains a certificate (in any way), installs it to device as a configuration profile, passes the certificate's PayloadUUID to our MDM server and then doing step 4.

I recently reviewed the device management restrictions page of the developer docs (https://developer.apple.com/documentation/devicemanagement/restrictions) and noticed that several items are now marked "In a future release, this restriction will begin requiring supervision." Some of these changes are likely to have a dramatic impact on our app and business! So my question is threefold: a) where can I find out or request more information about the planned changes (e.g. timeline would be especially helpful)? b) why are these changes being implemented at all? c) to whom / where can I protest these changes (aside from this forum and feedback assistant)?

Hi Everybody! I would like to develop an iOS app with MDM features and distribute it on App Store. The problem I got stuck with is how to QA-test the MDM features of such an app. The app is not yet on App Store, it's under development. I can upload builds to App Store Connect, invite testers, they can test the app using TestFlight, all fine. But features that require an MDM configuration don't work since the app is not deployed via an MDM solution. It cannot be deployed via MDM since it's not an enterprise app and it's not on App Store yet. There are ways to work around this only for dev-testing (like a hardcoded configuration) but I need to give this to QA engineers. AI answers suggest that Custom Apps in ASM/ABM might be the way out of this. Apple docs say I need to have the app reviewed by Apple first, only then can I assign it to organizations. But again, I need this for internal testing the app before releasing it. And before having to submit the build to Apple for approval. I am quite sure it's possible to do this, there are apps on App Store with such features (Jamf Self Service), and other platforms provide a way (private store on Android) for internal testing, but I haven't been able to find the Apple solution yet. Any help would be appreciated. Best regards, Balazs

We are implementing the Return to Service (RTS) with App Preservation flow. During testing, we were able to successfully fetch the Bootstrap Token as part of the ADE enrollment process. However, when attempting to initiate the Return to Service command with App Preservation enabled, the following error was returned: [ { "ErrorCode": 12089, "ErrorDomain": "MDMErrorDomain", "LocalizedDescription": "Could not erase device.", "USEnglishDescription": "Could not erase device." }, { "ErrorCode": 66002, "ErrorDomain": "MDMBootstrapTokenErrorDomain", "LocalizedDescription": "Failed to generate LAContext for bootstrap token", "USEnglishDescription": "Failed to generate LAContext for bootstrap token" } ] Below is the sample request (with dummy data). The actual request contained valid values in all fields: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Command</key> <dict> <key>RequestType</key> <string>EraseDevice</string> <key>ReturnToService</key> <dict> <key>Enabled</key> <true /> <key>WiFiProfileData</key> <data>WiFiProfileData</data> <key>BootstrapToken</key> <data>BootstrapTokenValue</data> <key>MDMProfileData</key> <data>MDM Profile Data</data> </dict> </dict> <key>CommandUUID</key> <string>3670</string> </dict> </plist>

I'm are attempting to use the device management migration feature in Apple Business Manager / Apple School Manager (for devices running iOS 26 / iPadOS 26) to re-assign managed devices from one MDM server to another. We followed the published procedure (select device(s) → Assign Device Management → Set deadline → Continue). However, we are observing that on the device side, no notification or prompt appears to the user (such as “Enrollment Required” or “Your organization requires this device to enroll in a different device management service”), even after the migration deadline has passed. Here are the environment details: Device OS version: (iOS 26.1) Device ownership: enrolled via Automated Device Enrollment MDM re-assignment in ABM: old MDM server（name: https://dev5.clomo.com/panel/mackey-dev/ ） → new MDM server (name: https://obliging-bunny-equally.ngrok-free.app/ ) Deadline set: (12/10/2025 12:00 AM) Network connectivity: confirmed online at deadline time We would like to know: Under what exact conditions will the device display the notification/prompt, and what common mis-configurations prevent it from appearing? Is there any device log or activity indicator in ABM/ASM to confirm that the migration instruction has been sent to the device? In cases where the prompt does not appear, what troubleshooting steps can we perform on the device (or in the MDM/ABM configuration) to correct it?

We are managing VPP license switching operations using Apple's VPP Manage Licenses API. License information is managed by matching the “clientUserIdStr” data with the VPP account ID information managed on the server side. We received an inquiry stating that a VPP license did not activate despite the activation process being performed. Upon checking the API results, the update API returned a success status during execution. However, the “clientUserIdStr” information was missing from the license information field in the response of the information retrieval API. We kindly request your guidance on the reason why the “clientUserIdStr” information is missing when retrieving license information, and the steps to ensure this information is reliably returned. VPPAccoountId:0123456789abcdef0123456789abcdef adamIdStr:521974902 *Some details have been altered from the actual data to protect personal information.

Hi, I found In-App purchase feature is restricted even with User-based VPP. I understand Device-based VPP does not accept In-App purchase, however User-based VPP accept In-App purchase. (It works on iOS 15 device actually.) When I tried subscribe ChatGPT on iOS 26 device using User-based VPP, an error dialog is shown that explains In-App purchase is not allowed. sysdiagnose shows logs belog: 情報 2025-10-26 23:58:22.350841 -0700 storekitd [Client] (ChatGPT) Initializing client デフォルト 2025-10-26 23:58:22.353982 -0700 storekitd [Client] (ChatGPT) Initialized with server Production bundle ID com.openai.chat and request bundle ID com.openai.chat] デフォルト 2025-10-26 23:58:22.354020 -0700 storekitd [CanMakePayments] In-app purchase disabled because app com.openai.chat has MID based SINF In iOS 15 device, no storekitd logs are found and appstored and several processes seem to handle In-App purchase. Does In-App purchase no longer work with User-based VPP? Thank you.

When using the SoftwareUpdateEnforcementSpecific to target an update to iPad OS 18.7.1, will the update be triggered to be downloaded immediately after the iPad has an active Internet connectivity? Or, if the SoftwareUpdateSettingsAutomaticActionsObject download string is set to AlwaysOff, will this mean that the update enforced will not start downloading automatically, but only when the user decides? I am trying to understand how these two can be combined together or if they work independently, as while trying to enforce a specific version, we need to eliminate the possibility to download an iPad OS version using cellular data, as our devices have an eSIM installed and the cost of using that for the iOS updates will be quite high. Maybe there is a setting to only allow the iOS updates to be downloaded via Wi-Fi. Thanks!

Hi all, I'm implementing Intune MAM to secure applications on iOS. However, I need my users to be able to save files (e.g. attachments in an email in the Outlook app) to iOS Files. To do so, I'm trying to put Files in exception of my Intune MAM policy and I need to obtain the Files "CFBundleURLSchemes" value from the info.plist file of the Files app. I'm not able to get that information. Are any of you able to get that somehow? Thanks!

There is a longstanding restriction payload for supervised iOS devices that disables "Erase All Content and Settings." We have been experimenting with supervised watches paired with supervised phones that have that payload applied, and yet "Erase All Content and Settings" remains available on the watch. Is this: – a) An error with our payload? Should we be sending something else? – b) A bug in watchOS supervision? – c) A deliberate design choice? If so, what is the rationale for preventing organizations from maintaining this very basic level of control over devices they may be configuring and dispatching into the field?

There could be a case where-in multiple transparent proxies might exist in the system (for ex., Cisco AnyConnect, GlobalProtect, etc). We want to know if there is a way to order transparent proxies so that the desired transparent proxy gets the request first. During our research, we found a resource which talks about ordering transparent proxies through MDM. https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy Using this reference, we tried to create a profile and push it through JAMF. Below is the profile that we created and pushed with JAMF. Property List - &lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;TransparentProxy&lt;/key&gt; &lt;array&gt; &lt;dict&gt; &lt;key&gt;ProviderBundleIdentifier&lt;/key&gt; &lt;string&gt;com.paloaltonetworks.GlobalProtect.client.extension&lt;/string&gt; &lt;key&gt;Order&lt;/key&gt; &lt;string&gt;1&lt;/string&gt; &lt;/dict&gt; &lt;dict&gt; &lt;key&gt;ProviderBundleIdentifier&lt;/key&gt; &lt;string&gt;com.cisco.anyconnect.macos.acsockext&lt;/string&gt; &lt;key&gt;Order&lt;/key&gt; &lt;string&gt;2&lt;/string&gt; &lt;/dict&gt; &lt;dict&gt; &lt;key&gt;ProviderBundleIdentifier&lt;/key&gt; &lt;string&gt;com.mydomain.transparentproxy&lt;/string&gt; &lt;key&gt;Order&lt;/key&gt; &lt;string&gt;3&lt;/string&gt; &lt;/dict&gt; &lt;/array&gt; We are not sure if this is the right way to create the profile, though JAMF is not throwing any error while pushing this profile. We see this profile on the local machine as "/Library/Managed Preferences/com.apple.networking.vpn-transparent-list.plist". Is there a way to know if the profile took effect and the order of transparent proxies has changed. Thanks in advance.

Target Device: iPhone 13, iOS 18.5, enroll to MDM by enrollment profile Command: Response: Anyone could help?

Hello Apple Developer Community, We’re building an MDM product (SaaS, multi-tenant). I’d like clarification on the APNs MDM push certificate usage model for service providers (MSPs). Question: Is it acceptable for an MDM vendor to use a single APNs MDM push certificate owned by the vendor to manage devices for multiple, independent customer organizations? Or is it required/recommended that each customer (company) must obtain and use its own APNs MDM push certificate (issued under the customer’s Apple ID) for their tenant? Why we’re asking: We understand that many guides show the process where each customer logs into the Apple Push Certificates Portal with their own Apple ID, uploads a CSR provided by the MDM, and then renews yearly. Practically, for a small team and early-stage deployments, using one vendor-owned certificate across multiple tenants would be simpler. We want to ensure we’re not violating any policy, terms, or technical requirements (e.g., certificate ownership, topic binding, device token isolation, audit/compliance expectations). What we need from Apple (or authoritative sources): An official Apple document or policy that clearly states whether per-customer certificates are mandatory vs strongly recommended for MSP/multi-tenant MDMs. If per-customer is mandatory, please point to the relevant clause or section. If a vendor uses a single certificate for multiple organizations, what risks or consequences should we expect (e.g., compliance issues, supportability, potential program violations, off-boarding problems, etc.)? Context: We’re sending only MDM wake notifications (standard MDM flow). We understand certificates expire yearly and must be renewed with the same Apple ID to avoid device re-enrollment. We want to follow Apple’s best practices while keeping early operations manageable. Any guidance, links to official documentation, or clarification from Apple engineers/moderators would be greatly appreciated. Thank you!

We have an application which is written in Swift, which activates Transparent Proxy network extension. Our Transparent Proxy module is a system extension, which is exposing an app proxy provider interface (We are using NETransparentProxyProvider class and in extension’s Info.plist we use com.apple.networkextension.app-proxy key.) We are using JAMF MDM profile for installing our transparent proxy in customer environment. We are using VPN payload(https://developer.apple.com/documentation/devicemanagement/vpn) for this network system extension. This payload does not have any field for order. As per https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy-data.dictionary documentation there is another payload for TransparentProxy and we could create a Transparent Proxy profile using iMazingProfile Editor. Noticed that, if we add the Order attribute to the VPN/TransparentProxy payload, while installing the extension, the save to preferences fails with "Error in saving TP configuration in updateOnDemandRule permission denied" error. Can we use this Order field to ordering the installed Transparent Proxy extension in a machine? Customer devices will likely have other Transparent Proxy network extensions as well. We want to allow the Customer to control the order in which each Transparent Proxy network extension receives the network traffic. How can we set the order of the Transparent proxy extension that can be deployed using MDM profile with VPN/TransparentProxy payload? Attached the TransparentProxy payload profile for the reference. DGWebProxy_TransparentProxy_iMazing

I work at a school in NYC and have a software idea that could better support the new NYC phone ban law than current market options (i.e. Yondr pouches). Right now at my school, students and staff scan a QR code upon entering the building to indicate that they are in the building. They scan again on the way out to indicate they've left the building. This is super helpful for attendance, particularly in emergency situations (fire drills, etc). Imagine if when students scanned their QR code, it also activated an app similar to Opal or ScreenZen, but with an admin preset whitelisted apps. The idea is that this app would default deny access to all apps on students' phones except the admin preset whitelisted ones such as Phone, Calculator, etc. Depending on the age/needs of the student, other apps like Spotify, or medical apps could also be whitelisted. My question is -- is this idea possible to create? We would need admin preset controls to create the preset whitelist. We can't have students picking their own restrictions, as we know most would opt to not restrict at all. We would need an admin dashboard so teachers/admin can see which students have activated the app in the building, and which may be trying to sneakily avoid it. We would ideally need to be able to whitelist both system apps like Phone and Calculator, as well as non-system apps such as Spotify (and medical apps -- we have some students who manage/monitor their Diabetes with an app). I don't have a background in software. I'm a math and health teacher. I've experimented with trying to have friends who majored in CS to create this app for me, but they've all either struggled/lost interest. So I'm also looking for a business partner in this venture. If anyone has any guidance here, it would be so helpful! My boss (Head of School) is super interested in this idea and significantly prefers it to every other alternative that he has encountered. The problem is this idea does not exist yet! Note: I know this is a super similar idea to the app and product "Brick". Notably, though, Brick does not have the ability for admin preset controls, or the admin dashboard. We reached out to the company to see if they're create this for us and they said it's a back burner idea that they're aware of, but it's not a priority for them right now. Thank you for any guidance!

Hi there, We’re testing Declarative Device Management (DDM) for VPP app management and followed the latest declaration template here: https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/app.managed.yaml Our goal is to enable VPP auto-updates via the declaration. The payload we’re using looks like this: "AppStoreID": "1231325957", "InstallBehavior": "{\"Install\": \"Required\", \"License\": {\"Assignment\": \"Device\"}}", "UpdateBehavior": "{\"AutomaticAppUpdates\": \"AlwaysOn\"}" } What we’re seeing Device A (no Apple ID signed into App Store): User can manually update the VPP app with the above declaration in place. ( The same user cannot update the app if UpdateBehavior is not in the declaration payload. Device B (Apple ID signed into App Store, and the same Apple ID doesn't have the above app purchased): User cannot manually update the same VPP app. The App Store shows the error seen when UpdateBehavior is absent: “ cannot be updated because it was refunded or purchased with a different Apple Account.” Also, in this case, the user has no way to purchase the (free) app by their own as the app shows as owned/managed by MDM server. We have to remove the declaration, let the user purchase the same app, then re-deploy the declaration to allow the user to click that "Update" button when a new version for that app is available. Additionally, we’re unsure about the criteria/timing for automatic VPP app updates under DDM. After a new version became available, we waited several hours but the app did not auto-update. Repro summary App: VPP, device-assigned license Declaration: AutomaticAppUpdates = AlwaysOn, install required Device A: not signed into App Store → manual update allowed Device B: signed into App Store → manual update blocked with “refunded/different account” error Auto-update did not occur after waiting several hours post-release Any guidance, confirmation of expected behavior, or tips on additional logging we should collect (e.g., specific App Store / MDM / DDM logs and subsystems) would be greatly appreciated. If this is a known issue or requires a Feedback Assistant report, we’re happy to file one. Thanks,