What's new in managing Apple devices


Discuss the WWDC22 Session What's new in managing Apple devices

Posts under wwdc2022-10045 tag

7 Posts

Notes from What's new in managing Apple Devices - Tuesday, June 7th 2022
I took notes during the "What's new in managing Apple Devices" session. If interested, please see the attached "Notes from session": Session Notes For the session video, please see the following link: https://developer.apple.com/wwdc22/10045
Replies
0
Boosts
5
Views
4.2k
Activity
Jun ’22
Implementing OAuth2 for User Enrollment
Hi Community,

We have been testing OAuth2 for User Enrollment. As per the documentation, we supplied the method, authorization-url, token-url, redirect-url and client-id in the 401 response from the MDM server.

Authorization Request
As mentioned, the Apple client performed the authorization request by adding state and login_hint to the authorization-url together with the params mentioned above, and successfully received the authorization code after the user logged in with the IdP.

    <<<<< Request
    GET /oauth2/authorization?response_type=code
        &client_id=XXXXXXXXXX
        &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection
        &state=XXXXXXXXXX
        &login_hint=useroa@example.com HTTP/1.1
    Host: mdmserver.example.com

    ------- MULTIPLE REQUESTS BETWEEN CLIENT AND SERVER ----------

    >>>>> Response
    HTTP/1.1 308 Permanent Redirect
    Content-Length: 0
    Location: apple-remotemanagement-user-login:/oauth2/redirection?code=XXXXXXXXXX&state=XXXXXXXXXX

Token Request
Using the code received from the authorization server, the Apple client performs this step to get the access_token and refresh_token. I am using the authorization server created by default in my Okta domain, and this step fails.

    <<<<< Request
    POST /oauth2/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 195

    grant_type=authorization_code
        &code=XXXXXXXXXXXX
        &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection
        &client_id=XXXXXXXXXX

    >>>>> Response
    HTTP/2 401 Unauthorized
    Content-Type: application/json

    {
      "error": "invalid_client",
      "error_description": "Client authentication failed. Either the client or the client credentials are invalid."
    }

When I debugged this issue: as per Okta's doc (https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#exchange-the-code-for-tokens), the client must specify its credentials in the Authorization header as "Authorization: Basic <client_id>:<client_secret>" in order to get the access_token. Also, as per RFC 6749 (https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3), confidential clients must specify the client_id and client_secret provided by the authorization server to receive access tokens.

May I know how to overcome this issue, or did I miss any step that would include the Authorization header?

Thanks in advance.
Replies
1
Boosts
0
Views
2.3k
Activity
Aug ’23
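The exchange in the post above, replayed against a small model of an RFC 6749 token endpoint. This is an added example, not Okta's or Apple's code. The redirect URI and the parameter names are the ones visible in the post; the client registry, the hypothetical secret "s3cr3t", the code store and the token values are invented for illustration. What the model makes visible is the rule in RFC 6749 sections 2.3 and 4.1.3: a client the authorization server has registered as confidential MUST authenticate at the token endpoint, while a public client only identifies itself with client_id. The device-side enrollment client sends exactly what the post shows (client_id, no secret, no Authorization header), so a registration that expects a secret yields invalid_client, and a registration as a public client (in Okta terms, an app integration whose client authentication is "none") accepts the same request. The check to make before retrying is therefore on the IdP app registration, not on the MDM server's 401 response.

```python
"""Model of an RFC 6749 authorization-code token endpoint, used to reproduce
the invalid_client response above.  Added example; not Okta's or Apple's code.
Assumptions: the client registry, code store and token values are invented;
the redirect URI and parameter names are the ones shown in the post."""
import base64
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs

REDIRECT_URI = "apple-remotemanagement-user-login:/oauth2/redirection"


@dataclass
class Client:
    client_id: str
    redirect_uris: frozenset
    client_secret: Optional[str] = None  # None = public client (RFC 6749 section 2.1)

    @property
    def confidential(self) -> bool:
        return self.client_secret is not None


@dataclass
class AuthServer:
    clients: dict
    issued_codes: dict = field(default_factory=dict)  # code -> (client_id, redirect_uri)

    def authorize(self, client_id: str, redirect_uri: str, state: str) -> str:
        """Authorization endpoint after the user has logged in: issue a code
        bound to the client and redirect URI, and echo the client's state."""
        client = self.clients[client_id]
        if redirect_uri not in client.redirect_uris:
            # Never redirect to an unregistered URI, not even with an error.
            raise ValueError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(24)
        self.issued_codes[code] = (client_id, redirect_uri)
        return f"{redirect_uri}?code={code}&state={state}"

    @staticmethod
    def _client_credentials(headers: dict, form: dict):
        """Prefer HTTP Basic (RFC 6749 section 2.3.1); fall back to body params."""
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            cid, _, sec = base64.b64decode(auth[6:]).decode().partition(":")
            return cid, sec
        return form.get("client_id"), form.get("client_secret")

    def token(self, headers: dict, body: str):
        """Token endpoint: returns (http_status, json_body)."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        client_id, secret = self._client_credentials(headers, form)
        client = self.clients.get(client_id)
        if client is None:
            return 401, {"error": "invalid_client"}
        # RFC 6749 section 4.1.3: a confidential client MUST authenticate;
        # a public client only identifies itself with client_id.
        if client.confidential and not secrets.compare_digest(
            secret or "", client.client_secret
        ):
            return 401, {"error": "invalid_client",
                         "error_description": "Client authentication failed."}
        record = self.issued_codes.pop(form.get("code", ""), None)  # codes are single use
        if record != (client_id, form.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": secrets.token_urlsafe(32),
                     "token_type": "Bearer",
                     "refresh_token": secrets.token_urlsafe(32)}


def run_scenario(confidential: bool, send_basic: bool = False):
    """Replay the post's exchange against a client registered either as
    confidential (a web app with a secret) or as public."""
    secret = "s3cr3t" if confidential else None  # hypothetical secret
    server = AuthServer({"mdm-client": Client("mdm-client", frozenset({REDIRECT_URI}), secret)})
    state = secrets.token_urlsafe(8)
    location = server.authorize("mdm-client", REDIRECT_URI, state)
    params = {k: v[0] for k, v in parse_qs(location.split("?", 1)[1]).items()}
    if params["state"] != state:  # the device must check this before using the code
        raise RuntimeError("state mismatch: possible CSRF or mixed-up flow")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if send_basic:  # what a server-side confidential client could add; a device cannot
        headers["Authorization"] = "Basic " + base64.b64encode(
            f"mdm-client:{secret}".encode()).decode()
    body = (f"grant_type=authorization_code&code={params['code']}"
            f"&redirect_uri={REDIRECT_URI}&client_id=mdm-client")
    return server.token(headers, body)


if __name__ == "__main__":
    print(run_scenario(confidential=True))               # 401 invalid_client, as in the post
    print(run_scenario(confidential=False))              # 200, public client
    print(run_scenario(confidential=True, send_basic=True))  # 200, secret supplied
```

The model also shows the two checks the device-side client does get to enforce: the echoed state must match before the code is used, and the code is bound to the redirect URI and is single use, so a replayed or mismatched exchange ends in invalid_grant rather than a token.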
VPP License Management 2.0.0+ New notification type subscription request for Event Status
Problem Description: We are associating 1000 devices with 25 apps using the Associate Assets API (https://vpp.itunes.apple.com/mdm/v2/assets/associate). We determine the association completion state in two ways.

Method 1: Using the Event Status API (https://vpp.itunes.apple.com/mdm/v2/status). We test the success state of the event by continuously polling the Event Status API until it returns COMPLETE/FAILURE in eventStatus. For the above association, the time taken for Event Status to return COMPLETE/FAILURE is 30 seconds.

Improvement Needed: A new notification type could be introduced so that on association event completion, the notification request returns the event status response to the MDM server without the MDM having to poll the Event Status API.

Method 2: By subscribing to the ASSET_MANAGEMENT notification. On subscribing to the ASSET_MANAGEMENT notification in the clientConfig API (https://vpp.itunes.apple.com/mdm/v2/client/config), the asset management notification request is enabled:

    "notificationTypes": [ "ASSET_MANAGEMENT" ]

On performing the association, each notification request reaches the MDM server with a response covering a batch of 100 devices for 1 app. Hence, more than 250 notification requests (including duplicate requests) reach the MDM server. This takes around 5 minutes to deliver the complete association results.

Improvement Needed: The 100-devices-per-app limit for one notification request could be increased to reduce the number of notification requests and hence improve the time to receive the association response.

Hence, currently Method 1 (using the Event Status API) provides the association completion response sooner than Method 2 (notifications). So, providing a notification type to subscribe to for event status could reduce the long time needed to deliver all association responses via the ASSET_MANAGEMENT notification and eliminate the need to poll event status from the MDM. Kindly consider this request.
Replies
0
Boosts
1
Views
2k
Activity
Feb ’23
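The two completion-tracking methods described in the post above, as an added example that is not part of the post and not Apple's code. It shows what an MDM server has to do on its side regardless of which method it uses: bound the polling of Method 1 so a stuck event cannot hang the caller, and for Method 2 deduplicate redelivered batches, ignore batches belonging to other events, and declare the association complete only once every (app, device) pair it asked for has reported. The JSON shapes for the status reply (eventStatus with an assumed non-terminal value PROCESSING) and for the notification body (notificationId, notificationType, notificationInfo with eventId and assignments) are assumptions for illustration, as are the event ID, the adamIds and the serial numbers; the batch size of 100 devices per app and the presence of duplicate deliveries mirror the post.

```python
"""Track a bulk Apps and Books association to completion from two sources:
polling the event status endpoint and consuming ASSET_MANAGEMENT notifications
delivered in batches (with duplicate deliveries).  Added example, not Apple's
code; the JSON shapes for the status reply and the notification body are
assumptions for illustration, as are the bounded-polling parameters."""
from dataclasses import dataclass, field
import time

TERMINAL = {"COMPLETE", "FAILURE"}


def poll_event_status(fetch, event_id: str, timeout_s: float = 60.0,
                      interval_s: float = 0.0):
    """Method 1: call fetch(event_id) until eventStatus is terminal or the
    bounded timeout expires.  Returns the last status seen (or None)."""
    deadline = time.monotonic() + timeout_s
    status = None
    while time.monotonic() < deadline:
        status = fetch(event_id).get("eventStatus")
        if status in TERMINAL:
            return status
        time.sleep(interval_s)
    return status  # caller treats a non-terminal result as "still unknown"


@dataclass
class AssociationTracker:
    """Method 2: aggregate per-(app, device) results from batched notifications."""
    event_id: str
    expected: frozenset            # {(adamId, serialNumber)} requested in the associate call
    seen_ids: set = field(default_factory=set)
    results: dict = field(default_factory=dict)
    duplicates: int = 0

    def ingest(self, note: dict) -> bool:
        """Apply one notification; returns True if it contributed new results."""
        if note.get("notificationType") != "ASSET_MANAGEMENT":
            return False
        nid = note["notificationId"]
        if nid in self.seen_ids:          # redelivered batch: count it, change nothing
            self.duplicates += 1
            return False
        self.seen_ids.add(nid)
        info = note["notificationInfo"]
        if info.get("eventId") != self.event_id:   # some other operation's batch
            return False
        for a in info["assignments"]:
            key = (a["adamId"], a["serialNumber"])
            if key in self.expected:       # ignore pairs we never asked for
                self.results[key] = a["status"]
        return True

    @property
    def complete(self) -> bool:
        return self.expected.issubset(self.results)

    def summary(self) -> dict:
        failed = sorted(k for k, v in self.results.items() if v != "SUCCESS")
        return {"expected": len(self.expected), "reported": len(self.results),
                "failed": failed, "batches": len(self.seen_ids),
                "duplicates": self.duplicates, "complete": self.complete}


def make_batches(event_id: str, adam_ids, serials, batch_size: int = 100):
    """Constructed sample feed: one notification per (app, 100-device chunk),
    mirroring the batching described in the post, plus one redelivery."""
    notes = []
    for adam in adam_ids:
        for i in range(0, len(serials), batch_size):
            chunk = serials[i:i + batch_size]
            notes.append({
                "notificationId": f"{event_id}-{adam}-{i // batch_size}",
                "notificationType": "ASSET_MANAGEMENT",
                "notificationInfo": {
                    "eventId": event_id,
                    "assignments": [{"adamId": adam, "serialNumber": s,
                                     "status": "FAILURE" if s.endswith("007") else "SUCCESS"}
                                    for s in chunk]}})
    notes.append(notes[0])   # duplicate delivery of the first batch
    return notes


def demo():
    """4 apps x 250 devices (constructed); returns (summary, polled status, poll count)."""
    event_id = "evt-123"  # hypothetical eventId returned by the associate call
    adam_ids = [str(n) for n in range(1000, 1004)]
    serials = [f"SN{n:05d}" for n in range(250)]
    tracker = AssociationTracker(event_id, frozenset((a, s) for a in adam_ids for s in serials))
    for note in make_batches(event_id, adam_ids, serials):
        tracker.ingest(note)
    calls = []

    def fake_status(eid):  # simulated status endpoint: terminal on the third poll
        calls.append(eid)
        return {"eventId": eid, "eventStatus": "COMPLETE" if len(calls) >= 3 else "PROCESSING"}

    return tracker.summary(), poll_event_status(fake_status, event_id), len(calls)


if __name__ == "__main__":
    print(demo())
```

Keying the deduplication on notificationId rather than on the assignment contents is deliberate: a redelivered batch is byte-identical to the original, so content hashing would also work, but the ID is what the sender intends as the idempotency key, and it keeps a retry of a batch whose results later change (a device that went from FAILURE to SUCCESS on a second association) from being discarded as a duplicate.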
macOS SSO extension runs into a loop in redirect
Hi, I created an SSO extension that works fine. The extension triggers for my domain when I need to run an OIDC flow via the "authorize" path of my issuer. I finish the whole OIDC flow inside the extension and get the required parameters (access token, ID token, state, etc.), and build the "Location" header to return to the caller (in my case it triggers from Safari). I also attach the "Set-Cookie" header with my cookies. For completion, I call authorizationRequest?.complete(httpResponse: response, httpBody: nil) with a 302 response I create which contains the cookies and the Location header. My problem is that Safari gets the response with the redirect, removes the extension, and a second later the extension triggers again with the same "authorize" request. All this happens in a loop without stopping, unless I call authorizationRequest?.doNotHandle(). I compared the "Location" header with a similar one from a regular web flow that works fine (without the extension) and both are the same. Any help or idea will be blessed. Thank you!
Replies
2
Boosts
0
Views
1.4k
Activity
Jan ’23
Not getting browser flow traffic in per-app Content Filter (NEFilterControlProvider)
Hi, we are trying the new per-app Content Filter feature released with iOS 16 on managed devices. We push a configuration file via the MDM onto the device which contains the ContentFilterUUID field, as mentioned in the WWDC tutorial. After this, the NEFilterControlProvider network extension starts on the device and we expect to do the content filtering using that. In the content filter profile, we have set the "FilterBrowsers" key to true and the "FilterSockets" key to false. Also, we have assigned the profile to the Chrome application. Our expectation is that when we load a URL in Chrome, if it is present in our filter, it should be blocked. But we are observing that this is not happening. On further investigation we found that no NEBrowserFlow traffic was received by our NEFilterControlProvider extension. We changed the "FilterSockets" key to true and were able to see NESocketFlow traffic coming, but not the NEBrowserFlow traffic. We tried the same profile on a supervised device without the ContentFilterUUID field to make the profile device-wide, and it was able to filter properly. Please let us know if this is a known issue and any tentative ETA for the fix. We have created a Feedback Assistant bug as well (11637934). Other than this, we wanted to understand if we can assign the per-app content filter to the Safari app as well. Safari being the default browser for the majority of users, not being able to put content filtering on it will hamper our content filtering use case.
Replies
2
Boosts
0
Views
1.1k
Activity
Oct ’22
Error message question / remote MDM deployment on private iPhone?
Why do I keep getting the following error message on iPhone Chrome and Safari for basic web searches on sites like Airbnb: "FetchEvent.respondWith received an error: TypeError: Failed writing data to the file system"? Is it possible to remotely deploy MDM on an iPhone with a hidden profile so the user is unaware the iPhone is restricted, without consent, as a method of hacking and monitoring a private (non-business) mobile?
Replies
1
Boosts
1
Views
956
Activity
Sep ’22
What is "simple access token authorization mechanism"
You explain at 6:08 that "In iOS and iPadOS 15, we used a simple access token authorization mechanism to allow the MDM server to verify the identity of users." What exactly was the "simple access token authorization mechanism"? I would like to know the outline of the mechanism. If you have a URL that explains the mechanism, please send it to us. Thank you.
Replies
0
Boosts
0
Views
696
Activity
Jun ’22