I'm trying to use DDM manager Safari Extensins in macOS Sequoia. I generate json and load it by mdm and ddm , but it doesn't seems to work. The json I loading is the following: { "Type": "com.apple.configuration.safari.extensions.settings", "Payload": { "ManagedExtensions": { "*": { "State": "AlwaysOn", "PrivateBrowsing": "AlwaysOn", "AllowedDomains": [], "DeniedDomains": [] } } }, "Identifier": "com.test.safari" } macOS Sequoia response is the following: { "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "com.example.act", "valid" : "valid", "server-token" : "5cc191206d1b1933" } ], "configurations" : [ { "active" : true, "identifier" : "com.test.safari", "valid" : "unknown", "server-token" : "29d3ec5ab48e6367" } ], "assets" : [ ], "management" : [ ] } } }, "Errors" : [ ] } you can see, The "valid" value is always "unknown" at ""identifier" : "com.example.act", but "Errors" is empty, Safari app don't load extensions , the SafariExtensionSettings" ddm don't work, Is there anything wrong with "SafariExtensionSettings" json? or how can I debug this bug .

I’m looking for advice on implementing an Active Supervision Mode for enhanced parental control. My goal is to restrict access to both iOS system apps and third-party applications to create a safer and more tailored digital experience for my child. Here’s what I’d like to achieve: App Restrictions: Block specific apps (both iOS and third-party) and allow access only to approved ones. Time Limits: Set daily usage limits for individual apps or app categories. Content Filtering: Apply restrictions to block inappropriate content and age-inappropriate apps. Remote Management: Manage these settings remotely from my device for added convenience. Activity Monitoring: View app usage stats or receive alerts for policy violations. I understand that Screen Time on iOS offers basic parental controls, but I’m exploring whether iOS supports more advanced capabilities natively or through additional configurations. I’ve also heard that enrolling a device in Apple Business Manager (ABM) and linking it to an MDM (Mobile Device Management) solution might provide greater control. If this is a viable solution, could anyone provide guidance on: Enrolling a personal or family-owned device into Apple Business Manager. Linking an MDM for configuring app restrictions and monitoring usage. Alternatively, if there are third-party parental control apps that work seamlessly with iOS to achieve these goals, I’d appreciate your recommendations! Thanks in advance for your insights!

我有十一台M4芯片的mac mini，目前通过AC2将设备挂载在ABM中。目前有10台通过接口 “https://mdmenrollment.apple.com/device/activationlock” 启用企业激活锁去出现INTERNAL_SERVER_ERROR错误，只有一台成功了，成功那台设备使用的ABM账号与其他设备使用的ABM账号不同所属组织也不同。 I have eleven M4 chip Mac mini devices, currently mounted in ABM through AC2. Currently, there are 10 units that have passed the interface“ https://mdmenrollment.apple.com/device/activationlock ”Enabling the enterprise activation lock resulted in an INTERNAL_SERVER-ERROR error, and only one device succeeded. The successful device used a different ABM account than the other failed devices and belonged to a different organization.

When clicking Upload for the CSR file, there is no APNS certificate available for download. Instead, the portal redirects to https://www.apple.com/filenotfound MDM Push Certificates are critical for the operation of managed devices, if they expire, all devices will have to be reenrolled creating a catastrophic event for all the customers devices. Please review and given how critical this service for renewing certificates is for your customers, please also make sure it is always available without downtimes. Let me know if you need more details, Thank you, Sergio

Hi,team: I have configured SystemExtensions and WebContentFilter for supervised devices through mdm, and set NonRemovableFromUISystemExtensions in SystemExtensions, but found that my network filter cannot be deleted in macOS10, macOS11 and macOS12, but it can still be turned off by selecting the network filter in the network and choosing to disable the service. However, it cannot be turned off in macOS13, macOS14 and macOS15. How can I prevent supervised devices from turning off the network filter in 10, 11 and 12? The macOS 10.15.7 image is as follows: macOS15.1.1 cannot delete and cannot close the image as follows: Hope to receive your reply！

Hi,team: I know that the MDM system extension configuration parameter RemovableSystemExtensions can only be valid after macOS12+, but can I also use this parameter between macOS10.15-12? Even if he is ineffective. Will this cause any problems with the system. I want to use the same MDM configuration file for the devices I manage, which have systems between macOS10.15-15.I hope to receive your confirmation

Importing an existing self- signed trusted root certificate no longer triggers option to trust cert in Settings / About / Certificate Trust Settings In iOS 18. Cert installed manually from internal website, as email attachment, and using profile in Configurator all produce same result. Same cert and processes work on iOS 16.7.10, iOS 17.6.1 and iPadOS 18.0 But not on iOS 18.0 nor beta iOS 18.1 beta5 on iPhone 16 Also tried regening a new test root on macOS Sonoma and installing using Configurator. No difference. It’s broken - I’ve reported it by Feedback - it’s a vital security flaw. Anyone else see this or have a workaround?

Hi Apple Community, I have been Testing with key allowAccountModification in macOS Restriction Payload and found some contrasting behavior In macOS 14, macOS 15.1 in both of the OS Version when allowAccountModification is set to False it restricts adding new Account in System Settings and this is expected behavior How ever things are contrasting and not going as expected in the below situation When macOS 14 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it restricts adding Apple Account When macOS 15.1 Version has 2 profiles for Restriction Payload one with allowAccountModification set to False and another with allowAccountModification set to True it allows adding Apple Account I remember when restrictions payload keys are contrasting across different profile Apple Uses the most restrictive one among them. But in macOS 15.1 the behavior is unexpected. Is this a issue in 15.1 and is there any list of macOS versions which shows this unexpected behavior

Hi Apple Community, If a macOS Device is FileVault Encrypted, We are using the keys FDE_HasInstitutionalRecoveryKey, FDE_HasPersonalRecoveryKey from SecurityInfo to know the Device Encryption Type. But Some times rarely we get FDE_Enabled as true but both the above mentioned keys as false Also we get SecurityInfo Response patterns like these only if FileVault is enabled in Device with iCloud as option to unlock the disk Can we confirm this pattern or is there any way to know if device is encrypted with options other than Personal / Institutional Types <plist version="1.0"> <dict> <key>CommandUUID</key> <string>SecurityInfo</string> <key>SecurityInfo</key> <dict> ...... ...... ...... <key>FDE_Enabled</key> <true/> <key>FDE_HasInstitutionalRecoveryKey</key> <false/> <key>FDE_HasPersonalRecoveryKey</key> <false/> ...... ...... ...... <key>Status</key> <string>Acknowledged</string> <key>UDID</key> <string>..............</string> </dict> </plist>

My application supports Custom URL Schema which is used to perform an open operation. My application is used as a helper app for MDM, hence it will be installed as a Managed Application. I want only the other Managed Applications to be able to invoke the Custom URL Schema and not allow it for unmanaged applications. Is there any such provision provided by Apple MDM protocol?

A profile that contains setting of allowVPNCreation is false was installed duiring activation in my requirements. The iOS version is 18. AllowVPNCreation is first, setting the app's network is second, the app can't use network. Setting the app's network is first, AllowVPNCreation is second, the app works well. For example: Scene 1 Step 1: Install a profile that contains a setting where allowVPNCreation is false during activation. Step 2: Complete activation and enter the main screen. Step 3: Tap App Store, the screen displays network unavailable, needs to be set in Setting. Step 4: Open the network setting for App Store, but still closed.And the network settings for other apps are all closed; Step 5: Remove the profile. Step 6: After a minute, opening the network setting for App Store is work. Result: AllowVPNCreation effects app's newtork after entering the system for the first time. It don't happen below iOS 18. Scene 2 Step 1: The app's network setting is ok. Step 2: Install a profile that contains a setting where allowVPNCreation is false. Result: No effect。The same result below iOS 18. Is this a bug or new features, how to handle？

I work with https://developer.apple.com/documentation/devicemanagement/activationlockrequest?language=objc. The same codes work well on other devices, such as iphone, ipad, mac air. What causes? What can i do to resovle it?

is it possible to push app updates in Single App Mode via Intune?

I have private certificate authority. Root &gt; Intermediate &gt; Leaf. When I install the Root Certificate, it shows in Settings &gt; General &gt; About &gt; Certificate Trust Settings in iOS 18.1.1 However, when I install the Intermediate Certificate (including the CA Bundle), the Intermediate CA Certificate is not shown in the Certificate Trust Settings. All my leaf certificates are issued by the Intermediate CA. Is this a bug? If not, how can this be solved? TIA!

I am trying to create a DNS over HTTPS and DNS over TLS server that requires authentication with a client certificate and configure it in the Device Management Profile for use from the iPhone. I have set the PayloadCertificateUUID in DNSSettings, but it appears that the client certificate is not being used. Is there anything I should check in advance when using a p12 file with PayloadCertificateUUID? Configuration Profile <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadType</key> <string>Configuration</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>295E68E5-39F0-46D1-94E4-4A49EC8392E2</string> <key>PayloadIdentifier</key> <string>com.example.dns</string> <key>PayloadDisplayName</key> <string>My DNS</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadContent</key> <array> <dict> <key>PayloadType</key> <string>com.apple.dnsSettings.managed</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>4CCEE94D-7B72-46AB-87AD-5A368F937339</string> <key>PayloadIdentifier</key> <string>com.example.dns.names</string> <key>PayloadDisplayName</key> <string>My DNS</string> <key>PayloadDescription</key> <string>DNS Settings</string> <key>PayloadCertificateUUID</key> <string>07A96080-5FAE-4026-937D-F578530E1444</string> <key>DNSSettings</key> <dict> <key>DNSProtocol</key> <string>TLS</string> <key>ServerName</key> <string><!-- my DoT server name --></string> </dict> <key>ProhibitDisablement</key> <false/> </dict> <dict> <key>PayloadType</key> <string>com.apple.security.pkcs1</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>260CC26A-2DD1-4B16-B8C0-AF1E655576AD</string> <key>PayloadIdentifier</key> <string>com.example.certs.intermediate-ca</string> <key>PayloadDisplayName</key> <string>Intermediate CA</string> <key>PayloadDescription</key> <string>Intermediate CA</string> <key>PayloadCertificateFileName</key> <string>ca-chain.cert.cer</string> <key>PayloadContent</key> <data><!-- contents of Intermediate CA certificate --></data> </dict> <dict> <key>PayloadType</key> <string>com.apple.security.root</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>E5DB74AA-3C5F-470B-AAE0-DF072095A2EC</string> <key>PayloadIdentifier</key> <string>com.example.certs.root-ca</string> <key>PayloadDisplayName</key> <string>Root CA</string> <key>PayloadDescription</key> <string>Root CA</string> <key>PayloadCertificateFileName</key> <string>ca.cert.cer</string> <key>PayloadContent</key> <data><!-- contents of Root CA certificate --></data> </dict> <dict> <key>PayloadType</key> <string>com.apple.security.pkcs12</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadUUID</key> <string>07A96080-5FAE-4026-937D-F578530E1444</string> <key>PayloadIdentifier</key> <string>com.example.certs.client.iseebi</string> <key>PayloadDisplayName</key> <string>Client Certificate</string> <key>PayloadDescription</key> <string>Client Certificate</string> <key>Password</key> <string><!-- password of p12 --></string> <key>PayloadCertificateFileName</key> <string>Key.p12</string> <key>PayloadContent</key> <data><!-- contents of p12 --></data> </dict> </array> </dict> </plist> iPhone console log Connection 3742: enabling TLS Connection 3742: starting, TC(0x0) Connection 3742: asked to evaluate TLS Trust Connection 3742: TLS Trust result 0 Connection 3742: asked for TLS Client Certificates Connection 3742: issuing challenge for client certificates, DNs(1) Connection 3742: asked for TLS Client Certificates Connection 3742: received response for client certificates (-1 elements) Connection 3742: providing TLS Client Identity (-1 elements) Connection 3742: providing TLS Client Identity (-1 elements) Connection 3742: connected successfully Connection 3742: TLS handshake complete Connection 3742: ready C(N) E(N) Connection 3742: received viability advisory(Y) Connection 3742: read-side closed Connection 3742: read-side closed Connection 3742: read-side closed Connection 3742: cleaning up Connection 3742: done server log (stunnel) LOG5[9]: Service [dns] accepted connection from <IP> LOG6[9]: Peer certificate required LOG7[9]: TLS state (accept): before SSL initialization LOG7[9]: TLS state (accept): before SSL initialization LOG7[9]: Initializing application specific data for session authenticated LOG7[9]: SNI: no virtual services defined LOG7[9]: OCSP stapling: Server callback called LOG7[9]: OCSP: Validate the OCSP response LOG6[9]: OCSP: Status: good LOG6[9]: OCSP: This update: 2024.12.06 08:32:00 LOG6[9]: OCSP: Next update: 2024.12.13 08:31:58 LOG5[9]: OCSP: Certificate accepted LOG7[9]: OCSP: Use the cached OCSP response LOG7[9]: OCSP stapling: OCSP response sent back LOG7[9]: TLS state (accept): SSLv3/TLS read client hello LOG7[9]: TLS state (accept): SSLv3/TLS write server hello LOG7[9]: TLS state (accept): SSLv3/TLS write change cipher spec LOG7[9]: TLS state (accept): TLSv1.3 write encrypted extensions LOG7[9]: TLS state (accept): SSLv3/TLS write certificate request LOG7[9]: TLS state (accept): SSLv3/TLS write certificate LOG7[9]: TLS state (accept): TLSv1.3 write server certificate verify LOG7[9]: TLS state (accept): SSLv3/TLS write finished LOG7[9]: TLS state (accept): TLSv1.3 early data LOG7[9]: TLS state (accept): TLSv1.3 early data LOG7[9]: TLS alert (write): fatal: unknown LOG3[9]: SSL_accept: ssl/statem/statem_srvr.c:3510: error:0A0000C7:SSL routines::peer did not return a certificate LOG5[9]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket LOG7[9]: Deallocating application specific data for session connect address LOG7[9]: Local descriptor (FD=10) closed LOG7[9]: Service [dns] finished (0 left)

We provide a MDM product. In our product, payloads and properties which require supervision display those requirements. Two properties forcePreserveESIMOnErase and allowWebDistributionAppInstallation of the restriction payload don’t require a supervised device according to the descriptions in Apple Developer Documentation. However, in our observation, those properties seem to require it. Are those OS bugs or documentation errors? (In which category should I submit a feedback?) Steps to reproduce Prepare a supervised device (I used an iPhone 12 mini with iOS 18.1) and a configuration profile contains the following restrictions: <!-- Does not require a supervised device --> <key>allowDiagnosticSubmission</key> <false/> <!-- Requires a supervised device --> <key>allowESIMModification</key> <false/> <!-- Does not require a supervised device according to its description --> <key>allowWebDistributionAppInstallation</key> <false/> <!-- Does not require a supervised device according to its description --> <key>forcePreserveESIMOnErase</key> <true/> Then, Install the profile with Apple Configurator. Confirm 4 restrictions are shown in Settings > General > VPN & Device Management > PayloadDisplayName > Restrictions. Punch Settings > General > Transfer or Reset iPhone > Erase All Content and Settings, to unsupervise. Install the profile with Apple Configurator. It cannot be installed automatically because the device was not supervised. Manually install the downloaded profile. Check Settings > General > VPN & Device Management > PayloadDisplayName > Restrictions. Expected results 3 restrictions—allowDiagnosticSubmission, allowWebDistributionAppInstallation and forcePreserveESIMOnErase—are shown. Actual results Only one restriction—allowDiagnosticSubmission—is shown. Appendix: Restriction keys and their restricted message shown in Settings allowESIMModification: eSIM modification not allowed forcePreserveESIMOnErase: Preserve eSIM on erase enforced allowWebDistributionAppInstallation: Web app distribution not allowed allowDiagnosticSubmission: Diagnostic submission not allowed

We have a development where we are MDM managing iOS devices and attempting to enforce mutual TLS for all interactions with the MDM. We are DEP provisionng an enrolment profile that utilises an ACME hardware attested Device Identity Certificate. All interactions with the MDM endpoints are correctly utilising the ACME certificate for the client mutual TLS handshake. The certificate has Client Authentication Extended Key Usage. Behind the same API gateway and on the same SNI we are also serving paths to Enterprise application manifests and IPAs. We can see from the phone log and from packet traces the iOS device doesn't offer the Device Identity Certificate for client authentication when retrieving these URLs. We have also tried adding non ACME client certificates from the root trusted by the server to the initial profile with exactly the same outcome. If we temporarily disable the mutualTLS we can see that the request for the manifest has a userAgent of "com.apple.appstored/1.0 iOS/18.2 model/iPhone17,3 hwp/t8140 build/22C5125e (6; dt:329) AMS/1" which is not the same as the mdm interactions. Is it actually possible to achieve mutualTLS to authenticate these downloads or is a different solution required ? Any advice greatly appreciated.

I created a mobileconfig file on our self-developed MDM server and used Apple Configurator with a USB cable to prepare the device. However, the profile installation failed and show the mdm payload is invalid must to be removed. I suspect that the issue might be related to the CA (Certificate Authority) in the configuration, even though I have provided the ROOT SSL CA and the .p12 file. What CA file should I include in the mobileconfig to resolve this issue? using Apple Configurator to edit the mobileconfig file, but the MDM service is no longer displayed. How should I handle this

On devices running iOS 18+, when a web app kiosk policy is pushed via an MDM and the device is restarted. The touch screen doesn't respond on the device. So the device is currently in a brick state. Since we can't enter the password we can't get the logs from the device and it is even hard to recover the device. On restart the device isn't connecting to the internet so it isn't possible to remove the kiosk policy as well. This only happens on devices running iOS 18+ and with web app kiosk profile.

We're implementing an MDM system and would like to know if we can get the type of CPU for an enrolled device, I know we can use IsAppleSilicon from the Device Information command but it would be good to know if it's an M1, M2, M3 etc. We can implement a mapping of product name to CPU type, e.g. Mac16,1 has an M4 chip but this would mean ongoing maintenance that we'd prefer to avoid. Is there a public web API (ideally first-party provided by Apple) that can be used to lookup details of a device by product name or similar? Slightly related is the Declarative Device Management documentation for StatusDeviceModelMarketingName offers an alternative of: use device.model.configuration-code to look up the marketing name through the web API but doesn't mention which web API.