When using the SoftwareUpdateEnforcementSpecific to target an update to iPad OS 18.7.1, will the update be triggered to be downloaded immediately after the iPad has an active Internet connectivity? Or, if the SoftwareUpdateSettingsAutomaticActionsObject download string is set to AlwaysOff, will this mean that the update enforced will not start downloading automatically, but only when the user decides? I am trying to understand how these two can be combined together or if they work independently, as while trying to enforce a specific version, we need to eliminate the possibility to download an iPad OS version using cellular data, as our devices have an eSIM installed and the cost of using that for the iOS updates will be quite high. Maybe there is a setting to only allow the iOS updates to be downloaded via Wi-Fi. Thanks!

There is a longstanding restriction payload for supervised iOS devices that disables "Erase All Content and Settings." We have been experimenting with supervised watches paired with supervised phones that have that payload applied, and yet "Erase All Content and Settings" remains available on the watch. Is this: – a) An error with our payload? Should we be sending something else? – b) A bug in watchOS supervision? – c) A deliberate design choice? If so, what is the rationale for preventing organizations from maintaining this very basic level of control over devices they may be configuring and dispatching into the field?

I'm writing to point out a potential structural error in an example of the DeclarativeManagement command. This could cause significant confusion for developers implementing the MDM protocol. The standard structure for a server-to-device MDM command requires CommandUUID and the Command dictionary to be siblings under the top-level dictionary. The CommandUUID serves as a top-level identifier for the entire command envelope. This is the correct, expected structure: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Command</key> <dict> <key>Command</key> <dict> <key>RequestType</key> <string>DeclarativeManagement</string> </dict> </dict> <key>CommandUUID</key> <string>0001_DeclarativeManagement</string> </dict> </plist> This is an example of the incorrect structure I've seen: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Command</key> <dict> <key>CommandUUID</key> <string>0001_DeclarativeManagement</string> <key>Command</key> <dict> <key>RequestType</key> <string>DeclarativeManagement</string> </dict> </dict> </dict> </plist>

Why don't obtain equipment list (https://mdmenrollment.apple.com/server/devices) interface returns "device_family" contour information. This interface only returns some fields, and many field values are not returned

In iOS 26.1 beta 4, under MDM restrictions that disable the camera via a configuration profile, the Camera and FaceTime apps are hidden as expected. However, other third-party apps can still access and use the camera function normally. This is unreasonable.

We are expering frequent delays recently when associating a device serial with the adamid of an app in our business manager account. I get an event id back when calling the /associate api but when i check the status of that event id is can be sat in a pending state for sometimes several hours. Need to understand why and if its a configuration issue

I am needing to access the ABM API via C#. Searching has directed me to use BouncyCastle. I have downloaded the PEM file. However, using the following: using (var reader = File.OpenText(pemFilePath)) { var pemReader = new PemReader(reader); var keyObject = pemReader.ReadObject(); I get the error "problem creating EC private key: System.NullReferenceException: Object reference not set to an instance of an object."

Hi team, We need to identify the domains used by macOS Software Update so they can be bypassed by our NETransparentProxy. The Apple support article below lists Software Update and several other Apple service domains. At the moment we’re unsure whether we should only bypass the Software Update and Beta Software domains, or whether we also need to bypass domains used for certificate validation, device management (Apple Business Manager / Apple School Manager / Apple Business Essentials), network provider updates, Apple Diagnostics, etc. We also need the specific IP ranges used exclusively by Software Update. The document shows Apple’s entire IP range; for IPv4 you can allow outbound connections to 17.0.0.0/8. https://support.apple.com/en-in/101555

We use Device Management Profile to restrict all apps from using camera on unsupervised devices. It works fine until iOS 26.1 beta. In iOS 26.1, only the camera icon is removed from Home screen, the third party apps can still use camera. In our scenario, the camera of employees' iPhones are disabled when they enter the factory and are restored when they leave. According to the documentation, disabling camera on unsupervised devices is deprecated. But supervision is not feasible option because these iPhones are owned personally by employees. Is there any new solution for camera restriction on unsupervised devices? Thanks.

Target Device: iPhone 13, iOS 18.5, enroll to MDM by enrollment profile Command: Response: Anyone could help?

I work at a school in NYC and have a software idea that could better support the new NYC phone ban law than current market options (i.e. Yondr pouches). Right now at my school, students and staff scan a QR code upon entering the building to indicate that they are in the building. They scan again on the way out to indicate they've left the building. This is super helpful for attendance, particularly in emergency situations (fire drills, etc). Imagine if when students scanned their QR code, it also activated an app similar to Opal or ScreenZen, but with an admin preset whitelisted apps. The idea is that this app would default deny access to all apps on students' phones except the admin preset whitelisted ones such as Phone, Calculator, etc. Depending on the age/needs of the student, other apps like Spotify, or medical apps could also be whitelisted. My question is -- is this idea possible to create? We would need admin preset controls to create the preset whitelist. We can't have students picking their own restrictions, as we know most would opt to not restrict at all. We would need an admin dashboard so teachers/admin can see which students have activated the app in the building, and which may be trying to sneakily avoid it. We would ideally need to be able to whitelist both system apps like Phone and Calculator, as well as non-system apps such as Spotify (and medical apps -- we have some students who manage/monitor their Diabetes with an app). I don't have a background in software. I'm a math and health teacher. I've experimented with trying to have friends who majored in CS to create this app for me, but they've all either struggled/lost interest. So I'm also looking for a business partner in this venture. If anyone has any guidance here, it would be so helpful! My boss (Head of School) is super interested in this idea and significantly prefers it to every other alternative that he has encountered. The problem is this idea does not exist yet! Note: I know this is a super similar idea to the app and product "Brick". Notably, though, Brick does not have the ability for admin preset controls, or the admin dashboard. We reached out to the company to see if they're create this for us and they said it's a back burner idea that they're aware of, but it's not a priority for them right now. Thank you for any guidance!

We are facing an issue with Platform SSO registration on macOS devices for AD-bound user accounts with Microsoft EntraID configuration. We are using the Platform SSO payload on macOS devices integrated with Entra ID, and it works as expected — registration completes successfully, and the password syncs with the Entra ID password. However, when we try the same on macOS devices with AD-bound (mobile) user accounts, the registration does not complete. To elaborate, the process successfully completes the initial WebView authentication but fails at the stage where Apple prompts for the password to sync the local macOS user’s password with the Entra ID password. It does not display any error, and even after entering a valid password, the process does not proceed further. However, when we try the same on a non-AD user account, it works fine. We have checked with Microsoft, and they confirmed that there are no restrictions on their side for AD-bound accounts. Since the issue appears to occur at the Apple system level, they advised us to reach Apple teams on this. Could you please check and let us know how we can proceed with this? Payload used: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>AuthenticationMethod</key> <string>Password</string> <key>ExtensionIdentifier</key> <string>com.microsoft.CompanyPortalMac.ssoextension</string> <key>PayloadDisplayName</key> <string>Extensible Single Sign-On Payload</string> <key>PayloadIdentifier</key> <string>com.apple.extensiblesso.B408A658-3DAF-41FF-8A5D-AE77B380CB7B</string> <key>PayloadType</key> <string>com.apple.extensiblesso</string> <key>PayloadUUID</key> <string>D506CAFD-C802-41F2-9C3E-DF5289C315FF</string> <key>PayloadVersion</key> <integer>1</integer> <key>PlatformSSO</key> <dict> <key>AccountDisplayName</key> <string>EntraID</string> <key>AuthenticationMethod</key> <string>Password</string> <key>EnableCreateUserAtLogin</key> <true/> <key>LoginFrequency</key> <integer>3700</integer> <key>LoginPolicy</key> <array> <string>AttemptAuthentication</string> </array> <key>NewUserAuthorizationMode</key> <string>Admin</string> <key>UseSharedDeviceKeys</key> <true/> <key>UserAuthorizationMode</key> <string>Admin</string> </dict> <key>ScreenLockedBehavior</key> <string>DoNotHandle</string> <key>TeamIdentifier</key> <string>UBF8T346G9</string> <key>Type</key> <string>Redirect</string> <key>URLs</key> <array> <string>https://login.microsoftonline.com</string> <string>https://sts.windows.net</string> <string>https://login.partner.microsoftonline.cn</string> <string>https://login.chinacloudapi.cn</string> <string>https://login.microsoftonline.us</string> <string>https://login.microsoft.com</string> <string>https://login-us.microsoftonline.com</string> </array> </dict> </array> <key>PayloadDisplayName</key> <string>Platform SSO</string> <key>PayloadIdentifier</key> <string>42GBHOLAP04621.1BD5B6D9-640B-4DC3-9275-56DDD191A5FB</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>58548FC6-38D9-4B28-9EDF-BEEAB03BAB23</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

I desperately need help with this issue. Are there any known issues regarding MDM profiles not installing on iPhone 17? Too many cases are being reported.

Details: Device: iPhone 12 Pro Max System: iOS 26.1 beta 2 Issue Description: When testing MDM device restriction capabilities on iOS 26.1 beta 2, I found that the allowCamera restriction does not work as expected. Observed Behavior: • On a BYOD device: When allowCamera is set to false, the Camera and FaceTime apps disappear from the Home Screen, as expected. However, third-party apps (such as WeChat) can still access the camera and take photos. • On earlier versions (e.g. iOS 26.0.1): Setting allowCamera to false correctly blocks all apps, including third-party apps, from accessing the camera. Initially, I assumed Apple might have changed this restriction behavior so that allowCamera only applies to supervised devices. However, after testing on supervised devices, I found that even there, when allowCamera is set to false, the Camera and FaceTime apps are hidden, but third-party apps can still use the camera. This indicates that the restriction is not functioning correctly in iOS 26.1 beta 2. Expectation: When allowCamera is set to false, all camera access — including third-party apps — should be blocked. Request: Could someone from Apple’s development or MDM team confirm whether this is an expected behavior change or a potential bug in iOS 26.1 beta 2?

Details: Device: iPhone 12 Pro Max System: iOS 26.1 beta 2 Issue Description: When testing MDM device restriction capabilities on iOS 26.1 beta 2, I found that the allowCamera restriction does not work as expected. Observed Behavior: • On a BYOD device: When allowCamera is set to false, the Camera and FaceTime apps disappear from the Home Screen, as expected. However, third-party apps (such as WeChat) can still access the camera and take photos. • On earlier versions (e.g. iOS 26.0.1): Setting allowCamera to false correctly blocks all apps, including third-party apps, from accessing the camera. Initially, I assumed Apple might have changed this restriction behavior so that allowCamera only applies to supervised devices. However, after testing on supervised devices, I found that even there, when allowCamera is set to false, the Camera and FaceTime apps are hidden, but third-party apps can still use the camera. This indicates that the restriction is not functioning correctly in iOS 26.1 beta 2. Expectation: When allowCamera is set to false, all camera access — including third-party apps — should be blocked. Request: Could someone from Apple’s development or MDM team confirm whether this is an expected behavior change or a potential bug in iOS 26.1 beta 2?

Before iOS26.1, allowCamera set false, all app can't use camera. On iOS26.1, allowCamera set false, removes camera icon from the Home Screen, but third app can still use camera, such as Safari and other apps that can call camera. Is it a bug or a new features？

After applying the MDM camera restriction on iOS 26.1 beta 2, the camera availability status is reported incorrectly. After applying the MDM camera restriction [UIImagePickerController isSourceTypeAvailable:UIImagePickerControllerSourceTypeCamera] return YES

Hi there, We’re testing Declarative Device Management (DDM) for VPP app management and followed the latest declaration template here: https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/app.managed.yaml Our goal is to enable VPP auto-updates via the declaration. The payload we’re using looks like this: "AppStoreID": "1231325957", "InstallBehavior": "{\"Install\": \"Required\", \"License\": {\"Assignment\": \"Device\"}}", "UpdateBehavior": "{\"AutomaticAppUpdates\": \"AlwaysOn\"}" } What we’re seeing Device A (no Apple ID signed into App Store): User can manually update the VPP app with the above declaration in place. ( The same user cannot update the app if UpdateBehavior is not in the declaration payload. Device B (Apple ID signed into App Store, and the same Apple ID doesn't have the above app purchased): User cannot manually update the same VPP app. The App Store shows the error seen when UpdateBehavior is absent: “ cannot be updated because it was refunded or purchased with a different Apple Account.” Also, in this case, the user has no way to purchase the (free) app by their own as the app shows as owned/managed by MDM server. We have to remove the declaration, let the user purchase the same app, then re-deploy the declaration to allow the user to click that "Update" button when a new version for that app is available. Additionally, we’re unsure about the criteria/timing for automatic VPP app updates under DDM. After a new version became available, we waited several hours but the app did not auto-update. Repro summary App: VPP, device-assigned license Declaration: AutomaticAppUpdates = AlwaysOn, install required Device A: not signed into App Store → manual update allowed Device B: signed into App Store → manual update blocked with “refunded/different account” error Auto-update did not occur after waiting several hours post-release Any guidance, confirmation of expected behavior, or tips on additional logging we should collect (e.g., specific App Store / MDM / DDM logs and subsystems) would be greatly appreciated. If this is a known issue or requires a Feedback Assistant report, we’re happy to file one. Thanks,

I need to verify my domain for Apple Pay but I'm on Shopify. Domain: blissta.co File IS accessible: https://blissta.co/.well-known/apple-developer-merchantid-domain-association But verification fails because it's a redirect, not direct hosting. Shopify doesn't allow .well-known folder creation. Has anyone solved this? Need either: Way to make Apple accept redirects Shopify workaround for direct file hosting Manual verification from Apple Using Authorize.net gateway. Case #102711828925

On iOS 26, if in "Single App Mode", the device gets stuck on the lock screen. Devices are configured in SAM (kiosk mode), without a PIN requirement. Since updating to iPadOS 26, every single device that locks (goes to sleep) becomes completely unresponsive at the lock screen. Touch input does not work. The only way to regain access is to reboot the device, which will boot to the SAM app, but then lock again if it goes to sleep. Related discussion in the public forums.