Hi, I am trying to enable declarative management on my device ( it is already enrolled as a sharedIpad with DEP). When sendind the command, the device's response contains an error. It is not acknowledged. Either on the device channel or on the user channel. The device channel returns : 'ErrorChain': [{'ErrorCode': 4, 'ErrorDomain': 'RMErrorDomain', 'LocalizedDescription': 'Feature Disabled: Device Channel.'}], 'Status': 'Error', and the user channel returns : 'ErrorChain': [{'ErrorCode': 12021, 'ErrorDomain': 'MDMErrorDomain', 'LocalizedDescription': '“DeclarativeManagement” is not a valid request type.', 'USEnglishDescription': '“DeclarativeManagement” is not a valid request type.'}], 'Status': 'Error', Does DEP device support declarative management? Thanks.

Hi Team, The User Enrollment introduced by Apple back was really great I was trying to test out that .As per the implementation details provided by apple for Simple Authentication - User Enrollment Flow. Below are the steps I followed to implement it. Step 1) Making a /.well-known/com.apple.remotemanagement url and sending a json as for byod which apple has detected successfully. Step 2) Apple making a POST request to BaseServer URL of MDM to get enrollment profile ( At this Step as there is not Authorization header I sent a 401 with WWW-Authenticate header with scheme and url as mentioned by apple) Step 3) Apple has requested With GET to get the html page to show to the user from the url mentioned in WWW-Authenticate header. Step 4) Here there is a tweak the HTML page I actually shown doesn't contains any form as it is for testing purposes. I Simply had a button which upon clicking sends a POST to my url with empty JSON using axios library where from the server I sent a 308 redirect with Location header as mentioned by apple apple-remotemanagement-user-login://authentication-results?access-token=dXNlci1pZGVudGl0eQ Where after I expect the ASWebAuthenticationSession to end and apple to start Second Enrollment attempt with acces token as Authorization Bearer token But the Screen showing the HTML page doesn't go away and neither apple started any steps to get the Enrollment profile from MDM server . Am I commiting any mistakes here.Could you please help on going with it.

I am experiencing issues when pushing the "WiFi Lock" profile via MDM or the "Join only Wi-Fi networks installed by a Wi-Fi payload'" Restriction via Apple configurator 2. I am pushing a WiFi Authentication profile along side it which means that the wifi lock profile is suppose to force the device to only be able to connect to the wifi authentication profile that was pushed to the device via MDM. However, what end up happening, the device "forgets" or does not recognize the pushed wifi auth profile that it has after device reboot. It ends up not showing any available wifi networks and wont allow the device to connect to wifi. The only way i can fix it, is if i push the wifi authentication profile to the device again via cellular. It then remembers it and will connect. But as soon as the device reboots and sometimes it does not even need to reboot it will forget it. What could be going on with this?

Is there a way to check in code if a device is under Mobile Device Management? We want to show the users a different screen in the app if it is under device management. This is primarily for devices under Apple School Manager or something similar

IMAP is again broken... this has happened with many prior iOS betas

We are facing issue SSO from some days its was working fine few days before. In apple devices, we are facing issue that once user enters the username and password, it is asking again when user logs in. All things were fine no changes in system only thing, this issue started happening for may be iOS 16 updated. We have implemented SSO using Microsoft AD. Things working for all other OS (Windows, Android) except iOS.

Is there a way to check if DDM(Declarative Device Management) is enabled on a device?

The same problem encountered with iOS 17 beta 1 and beta 2 is back: Unable to create a secure connection to the server ("bad certificate format" -9,808).

My application supports Custom URL Schema which is used to perform an open operation. My application is used as a helper app for MDM, hence it will be installed as a Managed Application. I want only the other Managed Applications to be able to invoke the Custom URL Schema and not allow it for unmanaged applications. Is there any such provision provided by Apple MDM protocol?

Hi Does anyone know why the ‘allowVPNcreation’ restriction available to supervised devices doesn’t apply to third-party apps? This Support page says it should: https://support.apple.com/en-gb/guide/deployment/dep0f7dd3d8/web Thanks

Yesterday, OpenSSH disclosed a critical RCE vulnerability that affects all instances of OpenSSH and released a patch to fix this vulnerability. As a result, do we have any official word from Apple as to when this vulnerability will be fixed? This weakness exposes every macOS device without a strict firewall configured. Reading Link: https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html

I implemented parents to manage their children's apps with FamilyActivityPicker. Then, is there way to get child’s app list without FamilyActivityPicker?

We want to set key-value pair (installation_token: xxxxx) into an app installed by MDM. Formerly we could set the key-value using Settings MDM command like this. <dict> <key>Command</key> <dict> <key>RequestType</key> <string>Settings</string> <key>Settings</key> <array> <dict> <key>Configuration</key> <dict> <key>installation_token</key> <string>xxxxxxx</string> </dict> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> </dict> </array> </dict> We can still use this for the apps installed withInstallApplication MDM command, however we cannot apply this configuration into the app using Declarative Device Management. When we try it, we got an error like this. <dict> <key>CommandUUID</key> <string>.............</string> <key>Settings</key> <array> <dict> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12008</integer> <key>ErrorDomain</key> <string>MDMErrorDomain</string> <key>LocalizedDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> <key>USEnglishDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> </dict> </array> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> <key>Status</key> <string>Error</string> </dict> </array> How can we work with managed application configuration with DDM?

Hello, I am testing Configuration Profiles' Passcode policy in an MDM environment. After setting the 'maxFailedAttempts' property to 5 and deploying the Passcode payload via MDM to iPhones, some iPhones are not wiped after exceeding 5 failed passcode attempts. Could you please advise on the possible reasons for this issue? Devices affected: iPhone 11 (iOS 16.4.1), iPhone 12 mini (iOS 16.5).

We have currently a problem with devices managed by Intune repeatedly asking for a new lock code. The problem seems to be a bug in iOS with the interaction of Intune. We have selected "Max PIN Age In Days: 0" for the setting. This has always worked so far. The PIN did not have to be changed as described in the documentation. From yesterday, however, every user was asked to change the PIN. This sometimes happened every minute. The problem has affected 500 devices. Is this a known bug?

Hello, is there any plan to add a new service type for Privacy Preferences Policy Control profile to allow apps deployed via MDM on Organization owned devices to access local network without prompting end user on Sequoia ? This would be very welcome, especially in education world where students are good at finding on how to block the tools they are supposed to use. I created FB14540495 for reference. Thanks !

Model: Apple TV 4K (3rd generation) Wi-Fi & Ethernet 128GB I am an Apple Systems Admin for a school district. A contractor working on new buildings/upgrades for us purchased Apple TVs outside of our Apple account. When attempting to add these Apple TVs to Apple School Manager and enroll them into our MDM (via Apple Configurator 2 version 2.17), i'm running into a few problems. When inputting the Pair Code: -Says “Pairing Failed (-402653161)”--this error code only takes me to Apple Forums that end up answerless -But device still shows up under Paired Devices and in Configurator On Step 3 of 4 when “Preparing Apple TV—Activating TVOS” -An unexpected error has occurred with “Apple TV”. The device is not connected. [ConfigurationUtilityKit.error – 0x25B (603)]--this error code also only points me to Apple Forums for Configurator problems regarding iPads -only option is “Stop” -Appears that Configurator is still working in the background Click Stop (as it is my only option), then Apple TV then disappears from Configurator. Devices appear to be wiping OS/reinstalling OS and then going back to factory default settings. They are not being added to our ASM account. Any ideas?

I am attempting to apply the softwareupdate.enforcement.specific declaration on a device. The first time it is processed it is applied successfully. I then generate a new set of declarations for the device and send a sync command to the device with the new server token. The management.status-subscriptions declaration and the activation.simple declaration are both applied successfully, even though the contain the same content and server token, but a different identifier than the original declarations. For some reason, the softwareupdate.enforcement.specific declaration fails to be applied and the reason is reported as [kSUCoreErrorDDMInvalidDeclarationFailure] New declaration is a duplicate The original softwareupdate.enforcement.specific identifier is not included in the new declaration-items response, only the new identifier. I would expect the device to remove the existing declaration and apply the new one, even if it is a duplicate of a declaration no longer specified for the device. Has anyone else run across this issue?

Currently system extension need to be activate through an .app, and then need to manual allow in System Settings, Privacy and Security Pane with root user password How to install driver extension/system extension without any manual user click and just to install and allow all the permission using script?

The Check-in API is now used for declarative device management in addition to MDM authentication and token updates. We would like to set a different endpoint for DDM requests only than for MDM authentication So is it possible to configure different Check-in API endpoint for MDM and DDM? For example, we would like to split the endpoints as follows Endpoints for MDM authentication and token update yourmdmhost.example.com/checkin Endpoint for DDM yourmdmhost.example.com/ddm-chcekin Check-in API Documentation https://developer.apple.com/documentation/devicemanagement/check-in