I'm using Apple's MDM protocol InstalledApplicationListCommand to get information about installed apps. From iOS/iPadOS 26, the app information obtained by InstalledApplicationListCommand includes information on all apps including system apps (apps that come standard with iOS/iPadOS). https://developer.apple.com/documentation/devicemanagement/installed-application-list-command I want iOS/iPadOS26 to get the same information as the app information I get from the previous iOS/iPadOS, and I want to exclude system apps from the app information I get with the InstalledApplicationListCommand. As a way to exclude system apps, you can use the app ID I'm thinking of a way to exclude anything that starts with "com.apple" (the Identifier key value of the InstalledApplicationListResponse.InstalledApplicationListItem object). As a way to exclude system apps, please tell us whether the above method is appropriate and whether there will be any problems in the future.

Hello folks, I stumbled upon a weird CNContact serialization problem. I use the Contacts framework to update the AIM field, which is one of the instantMessageAddresses within a single Contact. Here is the simplified code I used: func updateAIMFieldOn(contact: CNContact, aimValue: String) { do { guard let mutableContact = contact.mutableCopy() as? CNMutableContact else { logger.error("[CM] Couldn't update contact with aim \(aimValue)") return } var updatedAddresses = mutableContact.instantMessageAddresses updatedAddresses.append(CNLabeledValue(label: "", value: CNInstantMessageAddress(username: aimValue, service: CNInstantMessageServiceAIM))) mutableContact.instantMessageAddresses = updatedAddresses let saveRequest = CNSaveRequest() saveRequest.update(mutableContact) try CNContactStore().execute(saveRequest) logger.verbose("Contact's AIM updated successfully!") } catch { logger.error("Couldn't update contact") } } And after serializing the contact to data, and then deserializing, the contact got two AIM fields with the same value: X-AIM;type=pref:some:part:of_my_aim_value IMPP;X-SERVICE-TYPE=AIM;type=pref:some:part:of_my_aim_value Why does it work in this manner? Is it possible that ":" char causes that? Format of my aim username is {some:part:of_my_aim_value}. I didn't find any information in the docs. Thanks!

We’re using the Apple Developer Enterprise Program for internal app distribution. The Apple ID is a generic one using our domain email, but the Account Holder is a real person with authority in the organization. For the payment method, we plan to use a corporate credit card — but it is issued under a different staff name (e.g. card under Chief, but Account Holder is IT Head). Just want to check: • Is this setup acceptable? • Will Apple reject the enrollment/renewal if the card name doesn’t match the Account Holder? • What’s the best practice in this case to avoid delays or verification issues? Appreciate any guidance or experience from the community. Thanks!

Hi, I’m testing the ClearPasscode MDM command: https://developer.apple.com/documentation/devicemanagement/clear-passcode-command Question: If a user enters the passcode incorrectly multiple times and the device becomes temporarily locked (e.g., “Try again in X minutes”) or reaches “Security Lockout”, can ClearPasscode still be executed successfully while the device is in that state? {'ErrorCode': 5013, 35708 'ErrorDomain': 'MCPasscodeErrorDomain', 35709 'LocalizedDescription': '\xe3\x81\x93...x89', 35710 'USEnglishDescription': 'The passcode cannot be cleared (-1)'} If it depends on conditions (e.g., supervised vs. user enrollment, availability of UnlockToken, network/check-in state), could you clarify which conditions are required? Thank you.

Apple face app is used to fore video calling and chatting and voice calling AP same a what’s app tango etc…

We intend to sell in india markets. In india our tax compliance is GSTIN which is also highlighted in your "Provide tax information for alternative payment options" section. We will not be making any sale outside India and hence are not liable for any tax compliance or withholding of tax outside india. Please guide us on how we should fill the tax forms.

Why is MDM camera restriction designed not to work on the lock screen?

I am having an issue with duplicated SCEP client certificates on an iOS device. We deployed an SCEP profile via MDM, then deleted and redeployed it via MDM. In Settings > General > VPN & Device Management, only one SCEP profile is visible. However, Safari shows duplicated certificates when a server requests a client certificate. We have tried removing the cert profile on MDM and unenrolling the device from MDM, but only the latest certificate got removed, leaving previous ones stuck on the device or in the Safari app. We have found no way to remove these duplicated certificates other than factory reset the devices. This appears to be a potential iOS bug affecting certificate cleanup. We need assistance to resolve this issue. Also, the issue is difficult to reproduce but has happened to a number of our managed devices.

Hello! I’m testing certificate issuance using a locally running Smallstep step-ca ACME server with the device-attest-01 challenge. I’ve created a custom MDM profile for this purpose. When I install the profile, the certificate is issued successfully, but it is not saved to the Keychain as stated in the documentation. I can only see the certificate via mdmclient or in the Wi-Fi settings dropdown menu. Is this expected behavior, or are there additional settings that need to be included in the MDM profile?

Why don't obtain equipment list (https://mdmenrollment.apple.com/server/devices) interface returns "device_family" contour information. This interface only returns some fields, and many field values are not returned

We are experiencing a critical issue where VPP app installations are consistently taking an excessive amount of time, leading to significant delays in asset association. We are deployionThis is a systemic problem that affects all VPP apps, not just an isolated case. Apps: 39470db7-e475-4269-9709-c80641657027 => com.zimride.instant d0876900-2579-463e-99f1-b7c85ef5c5e8 com.microsoft.azureauthenticator Troubleshooting: We have performed extensive troubleshooting and can confirm the following: VPP Token: The VPP token has been successfully renewed and is currently active and valid. License Availability: We've verified that there are sufficient VPP licenses available for the apps being deployed. Device Status: We've attempted the following on the affected devices: Restarted the devices. Switched to different Wi-Fi networks. Uninstalled and re-installed the apps. App Status: The issue is not limited to a single app; all VPP apps are failing to install. License Revocation: We attempted to revoke and reassign licenses for some devices, but this did not resolve the issue. The app was not pushed, and the pending status remained. Troubleshooting: Through our internal investigation, we have determined that the core issue is that the Asset Association Status is consistently taking excessive time. This seems to be preventing the app installation queue from processing. We have observed a significant delay in the processing of events within the Notification Channel. The time between the event being created and a response being received is excessively long, indicating a potential backlog or issue. We have included a few recent examples below for your reference: Event ID: 39470db7-e475-4269-9709-c80641657027 com.zimride.instant Created Time: 2025-08-26 01:02:04 Response Time: 2025-08-26 01:34:05 Event ID: d0876900-2579-463e-99f1-b7c85ef5c5e8 com.microsoft.azureauthenticator Created Time: 2025-08-25 21:16:29 Response Time: 2025-08-25 22:21:07 We would appreciate your help in the following areas: Resolution: Could you provide any known solutions or workarounds for an asset association status that is taking excessive amount of time'? Best Practices: Are there any recommended best practices or additional parameters we should be checking with the MDM that might influence the queueing of VPP app assignments? Queueing Parameters: Could you provide insight into the parameters or conditions that can affect the queueing and processing of VPP app installations on Apple's servers? Please let us know if there is any additional information or logs we can provide.

Hi, I developed a Platform Single Sign-On extension and a corresponding extension for my IdP, which is Keycloak based. The code for both projects are here: https://github.com/unioslo/keycloak-psso-extension and https://github.com/unioslo/weblogin-mac-sso-extension I realized that, when using the Secure Enclave as the AuthenticationMethod, and according to Apple's documentation, the Extension doesn’t obtain fresh ID Tokens when they expire if the refresh token is still valid. When using password as the Authentication Method, it fetches new ID tokens when they expire, without prompting the user for credentials, by using the refresh token. My suggestion is that the same behavior should be implemented for Secure Enclave keys. The thing here is that usually, on OIDC flows, the ID/Access tokens are short-lived. It would make sense for the extension to provide fresh ID tokens. It doesn’t seem to make sense for me that, when using passwords, the extension would fetch these tokens, and not when having the Secure Enclave key. By not doing this, Apple almost forces the developer of an extension to fetch new ID tokens themselves, which doens’t make sense when it clearly provides fresh tokens when using passwords. It almost forces the developers to either implement that logic themselves, or to issue longer tokens, which is not so nice. How so you deal with this? Do you simply use the refresh token as an authentication token, or do you do some sort of manual refresh on the extension?

Downloaded screensavers not appearing in 4KSDR240FPS folder

I have a question regarding MDM functionality for iOS/iPadOS. Background: According to Apple's support page(https://support.apple.com/en-us/125073), since iOS 26.1, "Previous Wi-Fi configurations will be replaced when a new profile is installed." We have observed that because of this change, when we apply a Wi-Fi configuration profile to an iPad via MDM, the manually configured network settings on the device (specifically, "Configure IPv4" and "Configure DNS") are reset to "Automatic". This erases the manually entered IP address, subnet mask, router, and DNS server addresses. Goal: We want to apply a Wi-Fi configuration profile from our MDM server to connect the device to a specific SSID, while preserving the manual IP and DNS settings that have been configured on the device. Question: Is there a way to prevent the IPv4 and DNS settings from being switched from "Manual" to "Automatic" when applying the configuration profile? For example, is there a specific key-value pair we can add to the profile to either preserve the existing manual settings, or to explicitly define manual/static IP settings within the profile itself for iOS/iPadOS? Reference: Sample Configuration Profile Below is a simplified version of the Wi-Fi configuration profile we are currently using. This profile does not contain any keys for IP address configuration. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadType</key> <string>com.apple.wifi.managed</string> <key>PayloadIdentifier</key> <string>com.apple.wifi.managed.13E2E6B3-D4B9-4E23-888A-524B3ED40C38</string> <key>PayloadUUID</key> <string>13E2E6B3-D4B9-4E23-888A-524B3ED40C38</string> <key>PayloadVersion</key> <integer>1</integer> <key>SSID_STR</key> <string>SSID</string> <key>EncryptionType</key> <string>WPA</string> <key>Password</key> <string>Password</string> </dict> </array> <key>PayloadType</key> <string>Configuration</string> </dict> </plist>

Hi Apple Community, At WWDC25, introduced a native device migration feature with iOS/macOS 26 and Apple Business Manager that promises seamless migration from one MDM to another without wiping devices or manual re-enrollment. That said, while testing this in iOS/macOS 26 beta, we ran into an issue: the Wi-Fi settings deployed by the old MDM aren’t retained during the migration. This means devices lose Wi-Fi connectivity partway through, and users have to manually reconnect before the migration to the new MDM can continue. This interrupts what should be a smooth, hands-off process. We wanted to ask if this is a known issue or limitation with the current beta? Are there any recommended ways to avoid losing Wi-Fi profiles during this migration window? Will this improve in future updates so that the Wi-Fi connection is preserved or seamlessly handed off to the new MDM? Any tips, workarounds, or official guidance Apple can share on best practices for handling Wi-Fi profiles during ABM-native device migrations would be hugely appreciated. Added Feedback with FeedBackAssistant ID : FB20150763 Thanks in advance.

Can I upload custom app onto the ABM? if yes then how can we install it into the user's devices?

I have come across this Hideable attribute for managed apps, introduced in iOS 18.1, and I've encountered some behavior that seems to contradict the official documentation. According to Apple's documentation for app.managed.yaml, setting the Hideable key to false under the Attributes section should prevent a user from hiding the app. The documentation explicitly states: If false, the system prevents the user from hiding the app. It doesn't affect the user's ability to leave it in the App Library, while removing it from the Home Screen. I have configured this in my app.managed.yaml and successfully applied the profile to my test device via our MDM server. However, I am still able to hide the application from both the Home Screen and the App Library. Here are the steps I'm taking to hide the app: Long-press the app icon on Home Screen Select "Require Touch ID" Select "Hide and Require Touch ID" Authenticate using Touch ID Select "Hide App" After these steps, the app is no longer visible on the Home Screen or in the App Library, which is contrary to the behavior described in the documentation for when Hideable is set to false. My question is: Is this a known issue or a potential bug in iOS 18.1? Or, is there an additional configuration profile or a specific device supervision requirement that I might be missing to enforce this restriction correctly? Any clarification would be greatly appreciated! Thank you!

Dear Team, We are working on retrieving email address of the user joined to Entra ID from Entra-joined macOS devices, specifically while running in a system context.The sudo dscl . -read /Users/$(whoami) RecordName command give the local user name whose password is synced with the entra ID. We would greatly appreciate guidance on how to retrieve the Entra ID joined user’s email address in a system context from Entra Joined mac devices, especially from those with prior experience in this area. Thank you for your support.

Hi Team, As per this documentation Handling NotNow Status Responses | Apple Developer Documentation, the last command that is delivered to the device on a connection should be the one that the device reported NotNow so that the device will automatically retry when it is ready to consume commands. Our question is it possible to have a fixed command which we can try at the end once all commands are tried and if device has reported NotNow for any of the commands. E.g. If there were 3 commands delivered to the device one by one SSO profile (com.apple.sso ) was delivered and device reported NotNow VPN profile (com.apple.vpn.managed) was delivered and the device reported NotNow DeviceInformation command was delivered and the device reported Acknowledged. As there were NotNow responses earlier, can we try a certificate profile(com.apple.security.pkcs1), with a dummy certificate payload, to ensure that the last command delivered to the device in this connection is responded with NotNow. Questions: Can we use a fixed command e.g. certificate profile(com.apple.security.pkcs1) as in above example to ensure the last command delivered to the device has NotNow response. Or is it better to try one of the commands which the device reported NotNow earlier. As in above example should we try the SSO or VPN profile at step 4 instead of the certificate profile? Following up to above, when a device reports NotNow for any profile installation command, can we say it will always report NotNow for certificate profile(com.apple.security.pkcs1) as well for all iOS and MacOS devices?

We've disabled FUS through a config profile, but users can still access FUS by enabling the MenuBar/Control Center icons. My org would like to prevent access to FUS so I've created a config profile. But the profile doesn't seem to work. Anyone have any ideas what I'm missing, or is this an OS bug? <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadDisplayName</key> <string>macOS - Tahoe - Disable Fast User Switching Control Center</string> <key>PayloadIdentifier</key> <string>com.myorg.fast-user-switching</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadScope</key> <string>System</string> <key>PayloadUUID</key> <string>f1a2b3c4-d5e6-7890-abcd-ef1234567890</string> <key>PayloadVersion</key> <integer>1</integer> <key>TargetDevmyorgType</key> <integer>5</integer> <key>PayloadContent</key> <array> <dict> <key>PayloadType</key> <string>com.apple.controlcenter</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>com.apple.controlcenter.57EBEF9E-E568-411E-AE27-500AD98C94F4</string> <key>PayloadUUID</key> <string>f1a2b3c4-d5e6-7890-abcd-ef1234567890</string> <key>UserSwitcher</key> <integer>8</integer> </dict> <dict> <key>PayloadType</key> <string>.GlobalPreferences</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>.GlobalPreferences.71DE1486-60BC-4CB9-890D-AD50A772890D</string> <key>PayloadUUID</key> <string>c5234012-e0sw-2066-6fl8-3bd5p8125op7</string> <key>MultipleSessionEnabled</key> false/> </dict> </array> </dict> </plist>