Requesting support for MDM mechanism and age declarations

Many apps are distributed on the public App Store. Those same apps can also be installed on company-managed devices. While user-enrolled devices will likely or certainly have an Apple Account on them, that is not the case for supervised devices. The company that manages the device might prohibit the use of Apple Accounts.

I'd like to see a capability where the MDM can provision the device with an assurance of an age being met. For the majority of practical purposes, users enrolling devices into an MDM are likely employees, due to the nature of MDM. The same goes for users of supervised devices.

An API that lets the MDM tell the app that even though the API returns unavailable (or some new enum), it's okay to proceed because the business is assuming the risk of the age being met to consume some app.

I have a feedback I wrote up last December for this: FB21340165

Another idea I've played around with would be to have a fail-proof way for developers to detect whether the app is MDM-installed in general, unrelated to the DeclaredAgeRange API. One could look for managed app configuration via the legacy UserDefaults mechanism, or the new ManagedApp framework, but there is no guarantee that the MDM administrator is actually going to use that feature.

If you're deploying an app to your company devices and employee-enrolled devices, you can implement app config with a signal to the app, but for B2B apps and other businesses there is no assurance.

To be clear, I'm not asking for an interpretation of the regional laws, as I know the FAQ page directs developers to our internal legal reps; I just want to know how to best use the DeclaredAgeRange API in the context of an MDM deployment.

If an organisation wants to set policy based on the identity of the user - in your example, assurance of the age range of the user - one way of doing so is enabled by requiring strong authentication at enrolment. You can require authentication for all enrolment types - Account Driven User Enrolment and Account Driven Device Enrolment using Managed Apple Accounts have a great user experience for User Enrolled and Device Enrolled devices. You can require authentication for Automated Device Enrolment as well - even using Platform SSO in the Setup Assistant. Generally, in all these cases the user identity is coming from the organisation's Identity Provider (either directly, or via Managed Apple Accounts and federation with Apple Business or Apple School Manager), so the organisation is very likely to know the age range of that user identity. Or at least it can join the dots in the back end between the identity provider and a Human Resources system.

A fully featured Device Management server should then be able to offer groupings of Apps only to accounts in specific age bands (either via an App Catalog, or by the Device Management service installing managed Apps on the device).

However, you can also do Automated Device Enrolment without enrolling in Device Management using a user identity.

In addition, User Enrolled and Device Enrolled devices will always have a Personal Apple Account if the user is able to self-install unmanaged apps. A Personal Apple Account may or may not be present on a supervised device (that's a policy the Device Management server can set).

If a Personal Apple Account is present - Declared Age Range will work just as for the unmanaged device use-cases.

If there is only a Managed Apple Account or no Apple Account, DeclaredAgeRange will return the error code .notAvailable.

These are not the only cases where this error code is thrown, and a developer will need to do additional checks to work out state. Checking MDM App Configuration is valid, but you may want to consider frameworks like Storefront to see if there is an active App Store store as a workaround signal.

This is absolutely worth filing feedback on how you would like the return codes from DeclaredAgeRange to be finer-grained and better identify this use-case.
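The fallback order described in the answer above, as an added example that is not code from either poster: ask DeclaredAgeRange first, and only when it throws .notAvailable consult Managed App Configuration (the legacy UserDefaults channel under the documented key com.apple.configuration.managed), then use StoreKit's Storefront.current purely as a diagnostic signal. The AgeRangeService.shared.requestAgeRange(ageGates:in:) call, the .sharing/.declinedSharing response cases, the AgeRangeService.Error.notAvailable error and range.lowerBound are taken from Apple's DeclaredAgeRange framework as I understand its public API; the app-config key names ageAssuranceMet and ageAssuranceLowerBound are hypothetical and have to match whatever the MDM administrator actually pushes.

```swift
import DeclaredAgeRange
import StoreKit
import UIKit

/// The single value the rest of the app gates on. Funnelling every path through
/// one enum keeps the fallback order auditable and easy to log.
enum AgeGateDecision: Equatable {
    case allowed(lowerBound: Int?)        // declared range met the gate, or the MDM asserted it
    case denied                           // user declined, or the declared range is below the gate
    case unavailable(hasStorefront: Bool) // no usable signal; the caller decides how to fail closed
}

/// Managed App Configuration pushed over MDM via the legacy UserDefaults channel.
/// Absence of the dictionary means "not MDM-configured, or the admin never pushed
/// app config", which is not evidence either way about the user's age.
struct ManagedAgeAssertion {
    static let configKey = "com.apple.configuration.managed"  // Apple's documented key
    static let metKey = "ageAssuranceMet"                      // hypothetical key name
    static let lowerBoundKey = "ageAssuranceLowerBound"        // hypothetical key name

    let lowerBound: Int?

    /// Only an explicit `true` counts as an assertion; anything else returns nil.
    static func read(from defaults: UserDefaults = .standard) -> ManagedAgeAssertion? {
        guard let cfg = defaults.dictionary(forKey: configKey),
              (cfg[metKey] as? Bool) == true else { return nil }
        return ManagedAgeAssertion(lowerBound: cfg[lowerBoundKey] as? Int)
    }
}

/// Try DeclaredAgeRange first. Only on .notAvailable (Managed Apple Account only,
/// no Apple Account, or another unavailable state) fall back to the MDM assertion,
/// and finally record whether an App Store storefront is active for diagnostics.
@MainActor
func decideAgeGate(minimumAge: Int, in window: UIWindow) async -> AgeGateDecision {
    do {
        let response = try await AgeRangeService.shared.requestAgeRange(ageGates: minimumAge, in: window)
        switch response {
        case .sharing(let range):
            // lowerBound is nil when the declared range has no floor; treat that as not met.
            if let lower = range.lowerBound, lower >= minimumAge {
                return .allowed(lowerBound: lower)
            }
            return .denied
        case .declinedSharing:
            return .denied
        @unknown default:
            return .denied
        }
    } catch AgeRangeService.Error.notAvailable {
        if let assertion = ManagedAgeAssertion.read() {
            // The organisation, not the user, is asserting the age band here; it has
            // accepted that risk, so log the decision path rather than silently allowing.
            return .allowed(lowerBound: assertion.lowerBound)
        }
        // No MDM assertion either. A nil storefront alongside .notAvailable is consistent
        // with "no Apple Account on a managed device"; a present one points elsewhere.
        let storefront = await Storefront.current
        return .unavailable(hasStorefront: storefront != nil)
    } catch {
        // .invalidRequest or anything unexpected: fail closed rather than open.
        return .denied
    }
}
```

Two caveats a reviewer would flag. The managed app configuration value is a policy statement from whoever controls the MDM, not an age verification, so the .allowed(lowerBound:) it produces should be logged as MDM-asserted and not mixed with user-declared results. And, as the original poster notes, nothing obliges an administrator to push those keys, so .unavailable remains a reachable state on managed devices and the app still needs a defined fail-closed behaviour for it.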
