Declarative Management Unsupported Status Values in macOS

App & System Services Core OS
MDM iOS Dev OP
Created Feb ’23
Replies 0
Boosts 0
Views 851
Participants 1

DESCRIPTION:

A macOS device (Version 13 and above),

  1. "passcode-is-present" and "passcode-compliant" status items are unsupported. After the Successful Acknowledged of the DeclarativeManagement command, we receive supported client capabilities from the device as a status report. but while analyzing the device-supported client capabilities details represent those two status items are supported. On analyzing the device respond with an error.
  2. "device.identifier.udid" status item provided halfway correct udid value exactly not.

HOW TO REPRODUCE:

  1. Enroll a macOS device in MDM.
  2. Send the DeclarativeManagement Command to macOS 13+ devices.
  3. The MDM server responds with a DeclarativeManagement Command that should include the SynchronizationTokens JSON data.
  4. The device fetches the declarations manifest from the MDM server.
  5. While synchronization, we will subscribe the status items (passcode-is-present,passcode-compliant, device.identifier.udid, mdm.app) as configuration.

For example,

{
   "Type":"com.apple.configuration.management.status-subscriptions",
   "Identifier":"85B5130A-4D0D-462B-AA0D-0C3B6630E5AA",
   "ServerToken":"59eb13b9-5d51-54b9-8a4b-e8abe37c27ee",
   "Payload":{
      "StatusItems":[
         {
            "Name":"passcode.is-present"
         },
         {
            "Name":"passcode.is-compliant"
         },
         {
            "Name":"device.identifier.udid"
         }
      ]
   }
}

Response the above JSON payload to the device, While requesting the "declaration/configuration/****" details from MDM.

Note: Before subscribing to the status items ("passcode-is-present" and "passcode-compliant") via Declarative Management, Passcode Configuration Policy should be applied to the mac device.

EXPECTED APP:

  1. The Passcode Status reports will provide certain values (true/false).
  2. The "device.identifier.udid" status item provides the exact UDID same as Command Response.

ACTUAL RESULT:

  1. The Passcode Status reports did not provide values (true/false), but we are getting the error-
{
   "Errors":[
      {
         "Reasons":[
            {
               "Code":"Error.UnsupportedStatusValue",
               "Description":"Cannot report status on “passcode.is-present” because value is not supported."
            }
         ],
         "StatusItem":"passcode.is-present"
      },
      {
         "Reasons":[
            {
               "Code":"Error.UnsupportedStatusValue",
               "Description":"Cannot report status on “passcode.is-compliant” because value is not supported."
            }
         ],
         "StatusItem":"passcode.is-compliant"
      }
   ]
}
  1. The "device.identifier.udid" status provided UDID to MDM like
{
   "device":{
      "identifier":{
         "udid":"b486fc***0***5d77*****4********9e60e00000000"
      }
   }
}

and UDID of Command Responses like

<key>UDID</key>
<string>B486FC***-5***0-5D77-****4-******9E60E</string>

Kindly help us with this case.

Replies  0
Boosts  0
Views  851
Participants  1
Declarative Management Unsupported Status Values in macOS
First post date Last post date
 
 
Q