Is there a way to check if DDM(Declarative Device Management) is enabled on a device?

Hi all, I'm implementing Intune MAM to secure applications on iOS. However, I need my users to be able to save files (e.g. attachments in an email in the Outlook app) to iOS Files. To do so, I'm trying to put Files in exception of my Intune MAM policy and I need to obtain the Files "CFBundleURLSchemes" value from the info.plist file of the Files app. I'm not able to get that information. Are any of you able to get that somehow? Thanks!

Hello, I’ve run into an issue with a configuration profile on my supervised iPhone. I’m wondering if anyone here might be able to help? The profile contains the allowListedAppBundleIDs key within the restrictions payload. My Apple Watch is paired with the iPhone. The iPhone was supervised manually with Apple Configurator, hence the Apple Watch has not been directly supervised itself. The profile works completely as expected when installed on the phone. As soon as the profile is installed on the iPhone, I can witness the apps on the Apple Watch rearrange themselves as some apps are hidden. So clearly the profile is applying its restrictions to the Apple Watch to some degree. My issue however is that apps listed in the whitelist are hidden from the Watch. The apps that are missing from my Watch are Walkie Talkie, Find My Items, Find My Friends, Messages, Alarm, Remote, Now Playing, Sleep, Meditation and Heart Rate. This is despite the following bundle IDs being listed in the whitelist array: com.apple.findmy.findpeople, com.apple.findmy.finddevices, com.apple.HeartRate, com.apple.SessionTrackerApp, com.apple.NanoWorldClock, com.apple.findmy.finditems, com.apple.Mind, com.apple.NanoOxygenSaturation, com.apple.watchmemojieditor com.apple.NanoSleep com.apple.NanoNowPlaying com.apple.noise com.apple.tincan com.apple.NanoRemote com.apple.NanoAlarm com.apple.private.NanoTimer com.apple.NanoStopwatch I’ve done some testing, but not sure what I’ve found really. I’ve so far identified 3 scenarios. Scenario 1: I have the whitelist profile installed on the iPhone. I download an app that appears in the whitelist from my watch (or at least its iPhone version does). The apps show up on the iPhone automatically and can be launched there. These apps cannot be launched on the watch. Scenario 2: I downloaded a few apps to my watch, that didn’t automatically install on my iPhone at the same time. They were on the whitelist. These ones couldn’t be launched from my Watch. I then downloaded them to the iPhone and they could be launched there (since they were on the whitelist). Scenario 3: A couple of 3rd party apps on the whitelist could be downloaded and launched from the watch with the whitelist installed. It seems as though there are different kinds of Apple Watch app and this is what I’ve read elsewhere. First of all there are Watch-only apps, which do not automatically install a companion iPhone app. Secondly there are companion apps, which when installed from the Watch App Store download their companion app to the iPhone in the background. Someone please correct me - I’m bound to be overlooking something here. So maybe the apps that when installed from Watch automatically install on iPhone and can only be launched from the iPhone have a separate bundle ID for their Watch app which I haven’t included? Apps that are on the whitelist AND do not automatically install an iPhone app AND can be launched from the Watch, include: solstice What3words So maybe these do not need a companion app, but have the same Bundle ID as their iPhone app? However, I’m still not sure why many stock Apple Watch apps are missing from the Watch…. The most obvious answer is that I’ve got their Bundle IDs wrong, but I don’t think I have given I extracted the bundle IDs from the App Store pages of the Apple WatchOS apps. I noticed at this Apple Support page (https://support.apple.com/en-gb/guide/deployment/dep34c5cd30f/1/web/1.0) that there is no mention of whitelisting or blacklisting apps on WatchOS using MDM, yet something definitely happens on the watch when the configuration profile is installed on the iPhone. Furthermore, if I tap on a configuration profile, which comprises a blacklist, on my iPhone it will ask me if I want to install it on the iPhone or Watch. The same pop-up question doesn’t happen when the profile contains a whitelist. All this to say, I’m massively confused as to why I can’t get this working. I’d really appreciate anyone’s advice which is bound to be expert. Thank you

We want to set key-value pair (installation_token: xxxxx) into an app installed by MDM. Formerly we could set the key-value using Settings MDM command like this. <dict> <key>Command</key> <dict> <key>RequestType</key> <string>Settings</string> <key>Settings</key> <array> <dict> <key>Configuration</key> <dict> <key>installation_token</key> <string>xxxxxxx</string> </dict> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> </dict> </array> </dict> We can still use this for the apps installed withInstallApplication MDM command, however we cannot apply this configuration into the app using Declarative Device Management. When we try it, we got an error like this. <dict> <key>CommandUUID</key> <string>.............</string> <key>Settings</key> <array> <dict> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12008</integer> <key>ErrorDomain</key> <string>MDMErrorDomain</string> <key>LocalizedDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> <key>USEnglishDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> </dict> </array> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> <key>Status</key> <string>Error</string> </dict> </array> How can we work with managed application configuration with DDM?

Hello, I have a system, which is able to execute bash/zsh scripts on a set of machines. The default behaviour is that the signature of the script is checked on the machine, which is executing it, and in case if it is not signed properly, the system rejects the execution. An own certificate has to be created for signing the scripts, which means that the certificate has to be installed and marked as trusted on the target machines (which are executing the script). I've been using : "/usr/bin/security add-trusted-cert ..." command to install the certificate on the machines as trusted. Since macOS Big Sur, the above command was prompting the local user for admin credentials. To avoid this, Apple suggested to use the following command to temporarily disable and re-enable the confirmation dialog : 1.: /usr/bin/security authorizationdb write com.apple.trust-settings.admin allow 2.: /usr/bin/security authorizationdb write com.apple.trust-settings.admin admin Now with the release of macOS Sequoia, the above command : "/usr/bin/security authorizationdb write com.apple.trust-settings.admin allow" does not work any more. It gives the following output : NO (-60005) I have the following questions : 1.: Could you please suggest an alternative way for IT administrators to install certificates on their machines, without any user confirmation? 2.: Could you please suggest how the same could be achieved using a bash/zsh script? In which context could the above commands : "/usr/bin/security authorizationdb write com.apple.trust-settings.admin allow" and "/usr/bin/security authorizationdb write com.apple.trust-settings.admin admin" still work? Thank you for your help in advance!

There could be a case where-in multiple transparent proxies might exist in the system (for ex., Cisco AnyConnect, GlobalProtect, etc). We want to know if there is a way to order transparent proxies so that the desired transparent proxy gets the request first. During our research, we found a resource which talks about ordering transparent proxies through MDM. https://developer.apple.com/documentation/devicemanagement/vpn/transparentproxy Using this reference, we tried to create a profile and push it through JAMF. Below is the profile that we created and pushed with JAMF. Property List - &lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;TransparentProxy&lt;/key&gt; &lt;array&gt; &lt;dict&gt; &lt;key&gt;ProviderBundleIdentifier&lt;/key&gt; &lt;string&gt;com.paloaltonetworks.GlobalProtect.client.extension&lt;/string&gt; &lt;key&gt;Order&lt;/key&gt; &lt;string&gt;1&lt;/string&gt; &lt;/dict&gt; &lt;dict&gt; &lt;key&gt;ProviderBundleIdentifier&lt;/key&gt; &lt;string&gt;com.cisco.anyconnect.macos.acsockext&lt;/string&gt; &lt;key&gt;Order&lt;/key&gt; &lt;string&gt;2&lt;/string&gt; &lt;/dict&gt; &lt;dict&gt; &lt;key&gt;ProviderBundleIdentifier&lt;/key&gt; &lt;string&gt;com.mydomain.transparentproxy&lt;/string&gt; &lt;key&gt;Order&lt;/key&gt; &lt;string&gt;3&lt;/string&gt; &lt;/dict&gt; &lt;/array&gt; We are not sure if this is the right way to create the profile, though JAMF is not throwing any error while pushing this profile. We see this profile on the local machine as "/Library/Managed Preferences/com.apple.networking.vpn-transparent-list.plist". Is there a way to know if the profile took effect and the order of transparent proxies has changed. Thanks in advance.

On a supervised device running iOS 18 without any AirDrop restrictions applied, when a profile with allowListedAppBundleIDs restriction key is installed, the AirDrop sound plays. But still the accept prompt does not appear, making it impossible to accept files. The prompt works as expected on iOS 18 devices to which the allowListedAppBundleIDs restriction is not installed. This issue occurs only on supervised iOS 18 devices to which the allowListedAppBundleIDs restriction is being applied. Device must be in iOS 18 version > Install the (allowListedAppBundleIDs restriction) profile with the device > Try to AirDrop files to the managed device. The expected result is that the accept prompt must pop up but it does not appear. This issue is occurring irrespective of any Whitelisted bundle ID being added to the allowListedAppBundleIDs restriction profile. Have attached a few Whitelisted bundle ID here com.talentlms.talentlms.ios.beta, com.maxaccel.safetrack, com.manageengine.mdm.iosagent, com.apple.weather, com.apple.mobilenotes, gov.dot.phmsa.erg2, com.apple.calculator, com.manageengine.mdm.iosagent, com.apple.webapp, com.apple.CoreCDPUI.localSecretPrompt etc. Have raised a Feedback request (FB15709399) with sysdiagnose logs and a short video on the issue.

We have noticed that if we apply forceDelayedSoftwareUpdates in Restrictions profile, it causes ScheduleOSUpdates to fail or go into an invalid state. For example: On my iOS device, we have set the forceDelayedSoftwareUpdates to 90 days which removed the latest iOS update iOS 18.2 from the Software Updates section on the device. Post this, if I schedule an update for iOS 18.2 using ScheduleOSUpdateCommand, it fails to download. If I schedule the same without forceDelayedSoftwareUpdates, the update works as expected. Please help what could be the reason for this behavior as forceDelayedSoftwareUpdates should not block ScheduleOSUpdates.

Hi, I'm glad to hear that the service discovery process is improved on iOS/iPadOS 18.2 mentioned here. https://support.apple.com/en-ca/guide/deployment/dep4d9e9cd26/1/web/1.0 I tried it on my development MDM server. Set default MDM for iPad to my development MDM server on Apple Business Manager. Call the new API https://developer.apple.com/documentation/devicemanagement/account_driven_enrollment_profile and 200 OK is returned However the service discovery fails with the following error. Invalid well-known response for https://{my email's comain name}/.well-known/com.apple.remotemanagement?user-identifier={my email}&model-family=iPad: <NSHTTPURLResponse: 0x300a9f420> Invalid well-known response for https://axm-servicediscovery.apple.com/mdmBaseURL?user-identifier={my email}&model-family=iPad: <NSHTTPURLResponse: 0x3009047a0> It seems fallback process to https://axm-servicediscovery.apple.com/mdmBaseURL actually works but it returns 404 Not Found error. How can we use this awesome feature? Thank you :)

We are using management properties in DDM to assign configurations and assets to a particular device, and one of those properties should be updated by a business app on the device. For example, if the business application is not launched every 30 days, then a predicate should evaluate to false and the device put into single app mode to force the application to run. If, however, the app is launched any time in the 30 days, then the counter should be reset. Essentially trying to enforce that users in the field cannot work offline for extended periods of time without getting the latest dataset from the company. The single app mode part is very clear and the predicate to assign the configuration based on the date in the management property seems logical. However, the question is: Can a predicate be built upon data that is updated by the custom MDM app? ie: If the app is launched on the device without connectivity, can a property be updated that the DDM predicate system can access that can be used as an input property? such as "last launch time" or "last check-in" of the custom app? Alternately, could the custom MDM app read any of the management properties set via DDM? That way the user would know the value that the DDM configuration for restricting the device.

We are attempting to block the attachment of photos from the Photos/Gallery app when sending emails or sharing on social media applications such as Gmail, Outlook, and other platforms. These are MDM Managed Applications While file attachments (e.g., PDFs, documents) are successfully blocked, photo attachments are not being restricted, allowing users to attach photos without limitations. We are applying the below restriction to the device through an MDM allowOpenFromUnmanagedToManaged: false https://developer.apple.com/documentation/devicemanagement/restrictions Steps to Reproduce: Open the Photos or Gallery app on a mobile device. Open Gmail, Outlook, or a social media application (e.g., Facebook, Instagram). Open the Photos or Gallery app on a mobile device. Select a photo to attach. Try to attach the selected photo to an email or post. Observe that the photo is successfully attached, despite restrictions on file attachments.

Hello Apple Community, We are integrating Apple Tap to Pay into our Point of Sale (POS) application. Our organization manages a fleet of supervised iPhones using Apple Business Manager (ABM) and Mobile Device Management (MDM) to onboard devices with preferred settings and automatically install our POS app via MDM-assigned licenses, then our OPS team installs our devices at merchant location and trains their staff on how to operate our service. So far, we have avoided using Apple IDs on these devices, as our setup has relied solely on MDM enrollment and app deployment. However, Apple Tap to Pay requires an Apple ID and Passcode, which presents a challenge for automation at scale. Our Questions: 1. Generally speaking, is there a recommended flow to manage Apple ID and Passcode for our case? 2. Is Managed Apple ID supported by Tap To Pay flow? 3. Is there a way to automate creation of Managed (or regular one if Managed is not supported by Tap to Pay) Apple ID and assignment into supervised iPhone via Apple MDM protocol? 4. Both regular and managed Apple ID requires 2FA via phone number. It appears Passkeys and Authentication Apps are not supported. What is recommended way to manage 2FA phone numbers on a scale of thousands of merchants? 5. Is there a way to enforce/assign specific passcode into supervised iPhone via Apple MDM protocol? Key Considerations: • Devices are corporate-owned and supervised. • Practice shows that merchant staff is unable to manage Apple ID or any sort of iPhone credentials on their own due to frequent staff rotation and sometimes malicious actions by former employees. • MDM is used to manage deployment, security policies, and app installations and updates. • The goal is to avoid requiring end-users to manually sign in with Apple IDs and assign Passcode on each device. Thank you!

The security configuration updates have been enforced through automatic update policy enabled through an MDM policy. However our end users would like to know when these updates are triggered by the device and installed successfully. We can see on a few devices that even though the automatic updates are enabled there are many devices with config updates pending. Also is there a way to manually install these config updates as the end user cannot see these updates listed in the software update section.

Main Issue We are experiencing an issue where iOS devices become unresponsive when attempting to shutdown or reboot from the lock screen while locked into Single App Mode via MDM or Apple Configurator. Steps to Reproduce: Start any iOS device. Use Apple Configurator or an MDM solution to enable Single App Mode. Wait for the device to lock into the specified app. Lock the device so that it goes to the lock screen. Hold the Power button and Volume Up button until the shutdown/emergency screen appears. At this point, the device becomes unresponsive. After approximately 30 seconds, the message "Guided Access app unavailable. Please contact your administrator" appears. The device is now frozen, and the only way to recover is to force restart it using Apple's forced restart method (Apple Support Link). Additional Issue: Additionally, we observe that when using an app in Single App Mode, attempting to reboot the device and canceling the reboot prevents any subsequent reboot attempts until a force restart is performed. Steps to Reproduce This Behavior: Lock the iOS device into Single App Mode. Use the app normally. Attempt to shut down the device by holding the Power and Volume Up buttons. The shutdown/emergency screen appears as expected. Cancel the shutdown by tapping "Cancel." The device returns to the lock screen. Swipe up to return to the app. Attempt to shut down the device again using the same method. Nothing happens—the shutdown screen no longer appears. The only way to reboot the device now is through a forced restart. This appears to be a bug in Single App Mode behavior, potentially related to Guided Access restrictions. Has anyone else encountered this issue? Is this the right place to report this issue? or should I report it elsewhere? I have more videos and material showing how to reproduce this issue if needed.

Hello everybody, We are trying to configure Device APN settings by sending IOS device configuration profiles through OTA. Please refer below url for details which we are following : https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html#//apple_ref/doc/uid/TP40009505 We’ve encountered an issue where the APN (Access Point Name) settings are not populating correctly on iOS devices, even though we are sending the configuration via our Device Management Center (DMC) and the configuration message is being pushed correctly over the air (OTA). Path to the APN fields: Settings > Mobile > Mobile Data Network > APN Tested iOS version: 17.3, 17.5, 18.2, 18.3 Configuration message received: Configuration message installed: APN fields are empty: Could you give us any suggestions ? Thank you very much.

Hi there, I am trying to create an IPsec policy for remote access for iOS devices. Is the full updated list with all the settings, which are supported? I could only find this article: https://support.apple.com/de-de/guide/deployment/depdf31db478/web But I am sure it's not updated: Authentication Algorithms: HMAC-MD5 or HMAC-SHA1. Same for DH Groups 2-5

We've been waiting almost 3 years for Business Essentials to be available in Canada. Does anyone know the timeline for releases outside of the US?

<!-- Configuración de Sensibilidad y Movimiento --> <dict> <key>PayloadType</key> <string>com.android.settings</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>com.ios.freefire.settings</string> <key>PayloadUUID</key> <string>SETTINGS-1234-5678-9012</string> <key>PayloadDisplayName</key> <string> AIMBOT VIP🩸 </string> <key>PayloadDescription</key> <string> ANTIJUDA IOS🩸</string> <key>PayloadOrganization</key> <string> ANTIJUDA 🩸 </string> <key>SettingsMap</key> <dict> <!-- Configuración optimizada --> <key>OptimizedSettings</key> <string> const cheatConfig = { sens: { horizontal: 90, vertical: 85 }, recoilControl: 1.3, aimAssist: { strength: 1.25, angle: 0.75, smoothing: 0.8 }, precisionBoost: true, targetLockSpeed: 2.0, bulletComp: true, fovRange: 30, weapon: { switchDelay: 0.15, swayReduction: true }, prediction: 1.1, headshot: { priority: true, angleLimit: 15, adjust: 1.05 }, reactionBoost: 0.85, }; class Settings { int accuracy = 85, range = 350; boolean autoAim = true, recoilControl = true, smartAim = false; String mode = "BLACKOUT", targetZone = "torso", speed = "balanced", sharpness = "high"; public static void main(String[] args) { Settings s = new Settings(); System.out.println("Mode: " + s.mode + ", Accuracy: " + s.accuracy + "%, Range: " + s.range + "m"); System.out.println("Auto Aim: " + s.autoAim + ", Target Zone: " + s.targetZone); System.out.println("Speed: " + s.speed + ", Sharpness: " + s.sharpness); System.out.println("Recoil Control: " + s.recoilControl + ", Smart Aim: " + s.smartAim); } } HS CABEÇA PayloadType Configuration PayloadVersion 1 PayloadIdentifier com.example.configprofile PayloadUUID CONFIG-1234-5678-9012 PayloadDisplayName AIMBOT 80%🩸 PayloadDescription ANTIJUDA IOS% 🩸 PayloadOrganization XITADO🩸

Hello We have devices setup with in ABM and managed with Intune. Having only ever setup shared iPad's, we have a new request with managing iPhone's. The customer wants the iPhone's managed, but users enabled to purchase apps for the app store using their own credit card (or Apple ID) These are not BYOD devices and federated sign is not an option at this time. Can this be done with example User affinity profiles? Many thanks

My institution uses Blackboard and iPads to conduct assessments, and I’m trying to find some proctoring tools. Students conduct the assessments directly on Blackboard using either Safari or Chrome. I know that Apple has a function that does EXACTLY what I’m looking for, but from what I understand, this function has to be made available by Safari or Chrome: https://developer.apple.com/documentation/automaticassessmentconfiguration I don’t know whether either of these two browsers have this function enabled, and whether it can be switched on and off for custom-made Blackboard assessments. Is this a possibility? Are there other options? I know Blackboard offers built-in and third-party proctoring, but contacting them is difficult, and my company does not give me the appropriate authority to speak directly with Blackboard. So, I’m not able to find out about the feasibility, costs, etc. of this option. Any help would be greatly appreciated.