Recently, we have encountered some users who have been unable to open the enterprise signature application after upgrading to version 18.3.2, without an IPS file. Through system logs, we found that signature verification has occurred SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-50 "rsa_pub_crypt failed, ccerr=-7" UserInfo={numberOfErrorsDeep=0, NSDescription=rsa_pub_crypt failed, ccerr=-7} Waiting for the information, I will provide the obtained system logs below. The application package name that crashed is com. mobile. moa aa.txt new

Hello, I have implemented my virtual meeting extension and my application shows no issues in the calendar application, with a join button displayed. Everything is great!. However, with the help of EKEventEditViewController and EKEvent instances, when creating an event from the main target of the application using EventKitUI, the event will not be displayed as a virtual meeting. I have seen that other applications like Zoom have already implemented this, and I find it difficult to find relevant documentation on how to link events created by the program to virtual meetings. How do I set an event as a meeting when I want to add it to the main program? In addition, the function in the VirtualConferenceProvider.swift file of the extension program fetchVirtualConference(identifier: EKVirtualConferenceRoomTypeIdentifier, completionHandler: @escaping (EKVirtualConferenceDescriptor?, (any Error)? ）->Void) How are the parameters in this function obtained? It's impossible for every conference related link to be the same

I found that "search" endpoint is recently added to api.ent.apple.com : https://developer.apple.com/documentation/devicemanagement/get-catalog-search-results However it seems we cannot find custom apps using this API even with sToken. Is it not suppoted yet? Thank you

Is there any mechanism to restrict camera usage on a user-owned device, once they have opted in, consented to the restriction, and installed a management profile? Documentation suggests it was possible with allowCamera, but has be deprecated on unsupervised devices. Am I understanding correctly that it's simply not possible anymore unless the device is supervised?

When I try to sign in Managed Apple ID in supervised device there appears a prompt stating that "Apple ID" is a work account.This account must be signed in as a work account on this device.When I click continue it takes to VPN and device management tab where MDM profile already exists. Note:The managed Apple ID has a ICloud subscription for it. When I remove the subscription for the Apple ID and try to sign in, it works. Kindly help on this or advise on any additional steps required to enable sign in for managed Apple ID in this scenario

short version question: why some users after deleting and downloading back my in-house app, cannot start the new process for approving developer, but instead it tries to start and then crashes immediately? long question version I am maintaining an in-house distributed enterprise app. due to update in iOS 18 update here users need to trust the developer via a new procedure that involves restarting device and inserting the phone code. after thousands (more or less 30.000) of users with no issue at all, some of them has this problem, the old (expired)trust seems to be persistent and never updated. Standard events a user deletes the app via settings > general > VPN & device management or via classic persistent touch procedure checks no other presence of the app is on the device via spotlight. since it is the only app with "MyDeveloperName" on the phone, if users goe back to VPN & device management screen, no app or developer will be present. user downloads new version of the app. If taps directly on the icon there is a system alert with says the developer must be trusted. a this point in settings > general > VPN & device management you can find a line with developer name, tapping on it we find a screen where user finds a white button with BLUE message "authorize MyDeveloperName" and follows procedure. My issue is that some users get following different behavior, and I do not understand why: ❌ tapping on downloaded app icon: no alert, but app tries to start then crashes. ❌ going in VPN & device management screen there is only RED write button "delete app" in both paths, working and not working, the app results "verified" in VPN & device management screen (Apple says old authorizations are preserved.)

When an iOS 26.0 device is prepared in supervised mode, wifi connection screen is showing when the device is restarted. This wifi connect appears always on restart. I have tried using Apple Configurator GUI and Command line (cfgutil) command. In both cases, The behavior Wifi screen is showing up on restart for supervised mode. Cfgutil command: cfgutil -C {Certificate} -K {Key} prepare --supervised --name {NAME} --host-cert {Certificate} --skip-all Note: In non-supervised mode and other iOS, the wifi screen is not showing. Apple Configurator version: 2.18 iOS version: 26.0 Device model: iPhone 11 and above. Anyone else facing this issue? Any help is super appreciated.

We are currently working on a SCEP server implementation that operates in FIPS-approved mode. In this mode, RSA PKCS#1 v1.5 encryption is disallowed due to compliance requirements, and only FIPS-approved padding schemes such as RSA-OAEP are permitted. However, we have observed that the SCEP client functionality on Apple devices currently does not support RSA-OAEP for CMS EnvelopedData decryption. This creates a challenge for us in ensuring FIPS compliance while maintaining compatibility with Apple devices during certificate enrollment through SCEP. We would appreciate your guidance on the following: Are there any alternative FIPS-approved encryption algorithms or configurations supported by Apple devices for SCEP CMS EnvelopedData decryption? Is there any plan or timeline for future support of RSA-OAEP on Apple platforms for this use case? Feedback raised along with sysdiagnose logs as well : FB17655410

Hello All, I am currently attempting to get application config working with enterprise apps but it seems as though the asset config is not applying at all. While the asset and application install correctly it does not seem that the config is read at all judging from the status message returned. "StatusItems" : { "app" : { "managed" : { "list" : [ { "name" : "apps", "config-state" : { "app-config-state" : { "state" : "unknown" } }, "identifier" : "app.identifier", "version" : "3.2", "short-version" : "3.2.0", "state" : "managed", "declaration-identifier" : "dec-identifier" } ] } } }, "Errors" : [ ] } The asset file being sent down is as follows: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Config 1</key> <string>Value 1</string> <key>Config 2</key> <string>Value 2</string> <key>Config 3</key> <string>Value 3</string> </dict> </plist> This is the config report being sent back by the device after everything has been fetched: "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "group.activation.payload", "valid" : "valid", "server-token" : "56792E4AE25C3286640B45E6BD265AE97545B2B87F90A6355919FD8B2E3C3AB3" } ], "configurations" : [ { "active" : true, "identifier" : "app.install", "valid" : "valid", "server-token" : "34D7ACECAE16EE9EEAC0630FF2FF85524FFBB5BA3CB18CFB6296FBC860368C85" }, { "active" : true, "identifier" : "ios.policy.subscription.list", "valid" : "valid", "server-token" : "376913E11BE7D26EC745B3B68C6FA94C4FC061B1B736D143EBE0F12FF73ADFF8" } ], "assets" : [ { "active" : true, "identifier" : "app.config.reference", "valid" : "valid", "server-token" : "1CFBE30EB56309005F742D667B80242E6A3CDC08ED228D0BC5F87749C6BBAB77" } ], "management" : [ ] } }, "app" : { "managed" : { "list" : [ { "state" : "downloading", "declaration-identifier" : "app.install", "identifier" : "app.identifier", "name" : "apps", "config-state" : { "app-config-state" : { "state" : "unknown" } } } ] } } }, "Errors" : [ ] } Additional info would be useful, though a sysdiagnosis will be submitted to feedback as well. Config did apply correctly when sending down through Install application command

Hello All, I am currently developing a mobile management system using declarative management and for the most part it is pretty great. There is one consistent issue I have run into and it comes when testing VPP app installs with not enough licenses. When my server detects that it can't provide a license ID it will return a 404, which causes the rest of the DM syncing to stop, and the activation to throw an error. Per the documentation for using simple activation: An array of strings that specify the identifiers of configurations to install. A failure to install one of the configurations doesn’t prevent other configurations from installing The above would imply that if a config fails it should not affect anything else (aside from possibly reporting an error. Am I returning the wrong error code for it to continue or is the behavior correct and the documentation is wrong? Any additional info would be useful

Hello All, I come to ask a question that I haven't been able to find the docs. I continue to work on implementing declarative management and while working there is a question/concern I have. I have noticed that during some destructive testing, if the device is attempting to fetch a configuration and the server responds with a 503 (or any server related error) then the device will wipe all configurations and attempt to reapply them. Is there any way to prevent this by intercepting status codes or would the only real solution be to force down a temp/test config if the real config can't be fetched from the server?

We want to set key-value pair (installation_token: xxxxx) into an app installed by MDM. Formerly we could set the key-value using Settings MDM command like this. <dict> <key>Command</key> <dict> <key>RequestType</key> <string>Settings</string> <key>Settings</key> <array> <dict> <key>Configuration</key> <dict> <key>installation_token</key> <string>xxxxxxx</string> </dict> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> </dict> </array> </dict> We can still use this for the apps installed withInstallApplication MDM command, however we cannot apply this configuration into the app using Declarative Device Management. When we try it, we got an error like this. <dict> <key>CommandUUID</key> <string>.............</string> <key>Settings</key> <array> <dict> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12008</integer> <key>ErrorDomain</key> <string>MDMErrorDomain</string> <key>LocalizedDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> <key>USEnglishDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> </dict> </array> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> <key>Status</key> <string>Error</string> </dict> </array> How can we work with managed application configuration with DDM?

"To receive payments from Apple, you must add a bank account." As an Apple "Individual" developer, can I accept payments to my corporate card?

Hello, We are working with an iOS app that is distributed as a Public Unlisted App Store app. Our MDM allows us to import the app by URL, but when added this way, the app is marked as unmanaged in the inventory. Because of that, we cannot assign a Managed App Configuration payload to it in the normal way. What we are trying to achieve: Deliver a configuration profile to all enrolled devices before the app is installed. When the user installs the app from the MDM catalog, the app should immediately see the configuration values. Questions we’re hoping to clarify: Is it technically feasible to pre-provision a Managed App Configuration for an app in this scenario, by pushing a .mobileconfig profile to all devices? If yes, what would be the correct payload format and content of such a .mobileconfig file? We’ve tested a profile format we found here that uses com.apple.managed-app-config PayloadType and a ManagedAppConfiguration key with the bundle ID nested inside, but iOS reports this as “payload not recognized.” From what we understand, that may not be part of Apple’s schema. Any guidance from Apple or the community on whether this use case is possible (and, if so, what the valid profile format should look like) would be very helpful. Note: For a complicated company policy, at the moment we are not able to participate in ABM. Thanks in advance!

Hello world! First post here. Developing my first app. It primarily targets supervised and MDM managed devices. A few questions: For supervised devices, is serial number available? I want to get the number and use it for app auto activation Is MDM required for supervised devices? Or, as long as a device is enrolled through Apple Business Manager? Which capacity shall I request for the app? Thanks so much!

how to contact 酷

Hello, this may not be the correct place to ask this question so I apologize in advance if this is the case. I am currently running into two specifc issues while continuing to implement the app.managed configuration which are quite frustrating and I will detail them below Unlike MDM where an application could be "reinstalled", by sending an install application command down for the same app DM does not have a similar mechanism which causes some issues as (while inconsistent) devices do not always respect the configuration sent down, and will not begin downloading VPP applications. They can be seen in the configuration when checking under VPN & Device Management but they do not return on a status report, alternatively and app will "install" but will have a cloud symbol next to it requiring a download (which I believe would be impossible on supervised devices without apple accounts/have restricted apple accounts associated to them). These apps are also reported incorrectly, as they return a managed response while being inaccessible. Both of these issues are solved by removing and reinstall applications (occasionally). Is there any easier way to trigger a re-install or is this the only way to trigger this? The Version element that can be optionally sent down does not seem to work (or if it does, does so inconsistently). A device will very happily download the application initially with the version element present, though when we detect an updated external ID from the VPP program and send down an updated configuration devices behave unexpectedly. Some have ignored it, some have responded back that a download has begun (with no download taking place and the application clearly still being the initial installed version as can be see in the apps page) or it just works, but there is not consistency. I realize a new UpdateBehavior object has been added to possibly handle this, but it is only supported in iOS 26 and above and there are plenty of people who do not have phones that can upgrade that far. Are there alternative ways to enforce an application update other than uninstalling and reinstalling the application without the version (or will sending down a config without a version after one was originally pinned force it to update to latest?) Kind Regards

We are going to replace our iPhone SE to iPhone 16e. The issue is that we are unable to install an in-house app on the new iPhone 16e. The app works on the iPhone SE Both phones run on the same iOS version (18.5) Has anyone else experienced the same issue? I initially thought the iPhone 16e was the successor to the iPhone SE

Summary: When applying a configuration profile that uses allowListedAppBundleIDs to permit a defined set of apps, essential Apple Watch apps are unexpectedly removed from the paired Watch — even though their associated iPhone bundle IDs are explicitly included. This issue occurs with a minimal profile, and has been consistently reproducible on the latest versions of iOS and watchOS. Impact: This behavior severely limits the use of Apple Watch in managed environments (e.g., education, family management, accessibility contexts), where allowlisting is a key control mechanism. It also suggests either: Undocumented internal dependencies between iOS and watchOS apps, or A possible regression in how allowlists interact with Watch integration. Steps to Reproduce: Create a configuration profile with a Restrictions payload containing only the allowListedAppBundleIDs key. Allow a broad list of essential system apps, including all known Apple Watch-related bundle IDs: com.apple.NanoAlarm com.apple.NanoNowPlaying com.apple.NanoOxygenSaturation com.apple.NanoRegistry com.apple.NanoRemote com.apple.NanoSleep com.apple.NanoStopwatch com.apple.NanoWorldClock (All the bundles can be seen in the Attached profile) Install the profile on a supervised or non-supervised iPhone paired with an Apple Watch. Restart both devices. Observe that several core Watch apps (e.g. Heart Rate, Activity, Workout) are missing from the Watch. Expected Behavior: All apps explicitly included in the allowlist should function normally. System apps — especially those tied to hardware like Apple Watch — should remain accessible unless explicitly excluded. Actual Behavior: Multiple Apple Watch system apps are removed or hidden, despite their iPhone bundle IDs being listed in the allowlist. Test Environment: iPhone running iOS 18 Apple Watch running watchOS 11 Profile includes only the allowListedAppBundleIDs key Issue confirmed on fresh devices with no third-party apps Request for Apple Engineering: Please confirm whether additional internal or undocumented bundle IDs are required to preserve Apple Watch functionality when allowlisting apps. If this behavior is unintended, please treat this as a regression or bug affecting key system components. If intentional, please provide formal documentation listing all required bundle IDs for preserving Watch support with allowlisting enabled. Attachment: .mobileconfig profile demonstrating the issue (clean, minimal, reproducible) Attached test profile = https://drive.google.com/file/d/12YknGWuo1bDG-bmzPi0T41H6uHrhDmdR/view?usp=sharing

I am a developer distributing an enterprise app. Recently, some users have intermittently encountered an error message on iOS 18.5 stating: "Unable to install this app because its integrity could not be verified." While the issue could not be reproduced on iPhone 15 / iOS 18.5, we have received reports that it does occur on the following devices: iPhone 14 / iOS 18.5, iPhone 14 Pro / iOS 18.5, iPhone 14 Plus / iOS 18.5, iPhone 16 Pro Max / iOS 18.5, Are there any known issues or recommended solutions regarding this behavior? Thank you in advance for your assistance.