Hello, I’d like to clarify the technical limitations around app updates in an Apple School Manager (ASM) + MDM environment. Environment • iOS/iPadOS devices supervised and managed via Apple School Manager • Apps are distributed via ASM (VPP / Custom App) and managed by MDM • Apps are App Store–signed (not Enterprise/In-House) • Some apps include NetworkExtension (VPN) functionality • Automatic app updates are enabled in MDM Question From a technical and platform-design perspective, is it possible to: Deploy app updates for ASM/MDM-distributed App Store apps via a separate/custom update server, and trigger updates simultaneously across all managed devices, bypassing or supplementing the App Store update mechanism? In other words: • Can an organization operate its own update server to push a new app version to all devices at once? • Or is App Store + iOS always the sole execution path for installing updated app binaries? ⸻ My current understanding (please correct if wrong) Based on Apple documentation, it seems that: 1. App Store–distributed apps cannot self-update • Apps cannot download and install new binaries or replace themselves. • All executable code must be Apple-signed and installed by the system. 2. MDM can manage distribution and enable auto-update, but: • MDM cannot reliably trigger an immediate update for App Store apps. • Actual download/install timing is decided by iOS (device locked, charging, Wi-Fi, etc.). 3. Custom update servers • May be used for policy decisions (minimum allowed version, feature blocking), • But cannot be used to distribute or install updated app binaries on iOS. 4. For ASM-managed devices: • The only supported update execution path is: App Store → iOS → Managed App Update • Any “forced update” behavior must be implemented at the app logic level, not the installation level. ⸻ What I’m trying to confirm • Is there any supported MDM command, API, or mechanism that allows: • Centralized, immediate, one-shot updates of App Store apps across all ASM-managed devices? • Or is the above limitation fundamental by design, meaning: • Organizations must rely on iOS’s periodic auto-update behavior • And enforce version compliance only via app-side logic? ⸻ Why this matters In large school deployments, delayed updates (due to device conditions or OS scheduling) can cause: • Version fragmentation • Inconsistent behavior across classrooms • Operational issues for VPN / security-related apps Understanding whether this limitation is absolute or if there is a recommended Apple-supported workaround would be extremely helpful. Thanks in advance for any clarification

Hi, I might be a bit late to the party, but Apple has added several SkipKeys such as: TapToSetup and SafetyAndHandling. I want to make sure that the keys is working properly, so I want to do the before-after comparison, however I just can't seem to show pages related to those keys. Just for information, I'm based in Japan and I've been using iPhone pro 16 and M2 iPad Pro for the testing. I believe that TapToSetup is apple tv-related, so I've tried various things such as having it in a same network or using the same apple account both in Apple TV and the iPhone/iPad but I can't get it to show. Any ideas?

Hello All, I come to ask a question that I haven't been able to find the docs. I continue to work on implementing declarative management and while working there is a question/concern I have. I have noticed that during some destructive testing, if the device is attempting to fetch a configuration and the server responds with a 503 (or any server related error) then the device will wipe all configurations and attempt to reapply them. Is there any way to prevent this by intercepting status codes or would the only real solution be to force down a temp/test config if the real config can't be fetched from the server?

I am trying to correctly manage about 20 Mac, iPhones and PC inside a Wi-Fi network built through System Settings > Sharing > Internet Sharing To achieve this task I defined a complete configuration file: /etc/bootpd.plist which is used by /usr/libexec/InternetSharing. But every time /usr/libexec/InternetSharing is starting the file /etc/bootpd.plist is overwritten by another file and my configuration is thus fully lost. How to set a correct /etc/bootps.plist file and avoid its total overwrite by /usr/libexec/InternetSharing? Is it necessary to write this bootpd.plist in some other directory for /usr/libexec/InternetSharing to load it without destroying it? I got the same configuration total erase on macOS Big Sur and Sequoia.

Hello, I am trying to authenticate to the Apple Business Manager API to retrieve device information and ingest it into ServiceNow. I am following the documentation here. The first step is to create an API account and download the private key used to create a JWT client assertion. The guide linked above gives a python script to create a client assertion. Below the first python script, the following description is given for the "kid" variable: "The value is your keyId that returns when you upload a public key." This is the first time that a public key, rather than a private key, is referenced. Where is the public key supposed to be uploaded? Later in the guide, a public key is referenced again, in the section describing the client_id Request parameter: "(Required) You receive your clientId when you upload a public key." I have tried to create a client assertion using the keyId that is associated with the API account. When I try to request an access token, however, I also get an "invalid_client" error back. I am wondering if I'm using the wrong values for both key_id and client_id due to not creating and uploading a public key. Any help would be appreciated, thanks!

Hi, I’m testing the ClearPasscode MDM command: https://developer.apple.com/documentation/devicemanagement/clear-passcode-command Question: If a user enters the passcode incorrectly multiple times and the device becomes temporarily locked (e.g., “Try again in X minutes”) or reaches “Security Lockout”, can ClearPasscode still be executed successfully while the device is in that state? {'ErrorCode': 5013, 35708 'ErrorDomain': 'MCPasscodeErrorDomain', 35709 'LocalizedDescription': '\xe3\x81\x93...x89', 35710 'USEnglishDescription': 'The passcode cannot be cleared (-1)'} If it depends on conditions (e.g., supervised vs. user enrollment, availability of UnlockToken, network/check-in state), could you clarify which conditions are required? Thank you.