I am a developer distributing an enterprise app. Recently, some users have intermittently encountered an error message on iOS 18.5 stating: "Unable to install this app because its integrity could not be verified." While the issue could not be reproduced on iPhone 15 / iOS 18.5, we have received reports that it does occur on the following devices: iPhone 14 / iOS 18.5, iPhone 14 Pro / iOS 18.5, iPhone 14 Plus / iOS 18.5, iPhone 16 Pro Max / iOS 18.5, Are there any known issues or recommended solutions regarding this behavior? Thank you in advance for your assistance.

I registered in this summer, uploaded 2 apps. But recently I decided to add iAP to my apps, everything is ready, in Xcode sandbox everything works fine, but when I uploaded new version to TestFlight to test, when I tap on the subscription it says something like "Product not found". (I have added subscriptions to the app, and added them to the version before submitting, also, this version is in status "awaiting developer release" so I can tap a button and this new version with iAPs will be on App Store. But im unsure what to do, because exactly this verified by Apple's version is not working in TestFlight.) In Business section of my Apple Developer Account in Agreements I only have agreement of free apps, but not about the paid apps. 
When I registered I used my (R)(us)sian passport, I think this is the reason that I simply don't even have the agreement of paid apps to accept it. 
I have multiple passports, and multiple EU debit cards. I emailed apple to change the location of my account (to another EU country), but they ghosted me. They sent me emails to upload documents about 4 or 5 times, every time I uploaded my another passport, got an auto email "thank you, we will write you in 2-3 days", but either they did not write me, or they said that the document is not in English (it isn't). 
What do I do? Also, to my situation, someone of my family has a company in (R)(us)sia, and I have in EU (Estonia). Maybe if nothing will work out with "Individual account", I should change to my company? And what is better EU or (R)(us)sian? 
Im new to this community, hope to hear an answer, or just an advice. Thank you!

We are trying the renewal the apple Enterprise program. It asks set of questions after that it shows the below message "Thank you for your request to renew your membership in the Apple Developer Enterprise Program. We’ll review your submission and get back to you shortly to let you know if we can process the renewal or if another program better serves your organization’s needs." We have submitted for review for over two months now. During these two months, we have contacted the official customer service multiple times, only to be told to wait for news. Now, with only a few days left, The status hasn't changed, neither approved nor rejected，what should we do？This account is very important to our company. Thank you

The Center for Innovation in Education created a reading program designed to teach every single child to read, regardless of any supposed difficulty in learning. The Center conducted a ten-year study of its Reading Program’s effectiveness. Over those ten years, the Center placed 2,048 Reading Program kits in classrooms across America. More than 300,000 children took part in the Center’s study. Results: The Reading Program taught every single child to read in every single classroom, every single year, regardless of any child’s supposed reading readiness - including dyslexic, autistic, and even Down syndrome children. No failures then or in any of the many years that have followed. Despite the Program’s success, educational publishers refused to publish it. Their refusals will be explained and hopefully counteracted in a book that is scheduled to be published in 2026. In response to publishers’ refusal to make the program available, the Center made it available as a free download from its website. The Center also made its program available as 14 free iPad apps. While the apps can be searched for individually by their unique names, since the apps are interrelated and meant to complement one another, the first keyword assigned to all 14 apps was the same. That same keyword is still in its first position for every app. The first keyword listed for each of the 14 apps is the word “Dekodiphukan”. That meant-to-be hard-to-read search word has worked well every year since the apps were introduced. However, in June of this year, that search term could find only 1 of the 14 apps. We reported this problem to Apple Support on June 26th. It is now November, and the problem remains unresolved. The only response we receive each time we ask for an update on the resolution of this problem the answer every time is: Reported search issues of this type require extensive review by Apple to determine whether it is valid and to confirm the appropriate action. There is no other response. No update has ever been sent to us. There is no phone number I can find to call. It was suggested to me by someone I spoke with in a different department at Apple Developers that I post my problem on the Developer Forum, in hopes that someone here can provide a suggestion for a way around this problem. Parents and teachers wishing to use our Reading Program with their children should not have to enter 14 different names to access our Reading Program.

May I know the checking mechanism for the ios Provisioning profile? Is my Apple app distributed by MDM inside the organisation? If the Provisioning profile is expired , what is the behaviour when user run the App and how to perform the checking mechanism , is it performed at user client side device or Apple server via online access.

Platform SSO not working on macos devices for zscaler application other app like safari / chrome working well. Need help from apple expert on the same. Environment : IDP : Entra ID MDM : Omnissa Workspace one UEM platform : macOS

Hi There Our app is used in the hospital field and receives remote APNS via the Notification Service Extension. We found a scenario where screen is on, our app is in background, if a "Critical" notification is displayed as a banner at the top of the screen, subsequent normal notifications will be suppressed and no sound will play. Only after the user swipes away the critical notification will the normal notification appear and play a sound. is this as expected? I could not find any document on such case from Apple. Thanks.

Hi everyone, We manage several macs through Microsoft Intune. We've deployed Platform SSO using the password based method (not the Secure Enclave) and have also enforced filevault encryption through policy. What we're trying to achieve is that multiple users can log into the same Mac. For example, I (the initial enrolling user) can log in without issues. However, we want a colleague to be able to log in as well if they're physically in front of the mac. The challenge we've run into is that once filevault is enabled (We're not sure about it but reading on forums it seems that the problem is filevault), it seems the network is not available at the login screen. This means that while the first user can create a mobile account and log in, a second user can't do the same. The moment we try to log in with another set of credentials, we get an immediate error and the password field shakes instantly, suggesting it's not even reaching out to the network or directory to validate the credentials. We'd like to confirm if this behavior is expected when FileVault is active and whether the only solution is to disable FileVault or if there are alternative solutions to allow network connectivity at the login screen. Essentially, we want to know if there's a way to let a second user log in without having to turn off disk encryption. Or if we can pre-authorize a set of users on the mac in order to create all the mobile account needed.. Thanks in advance! Thomas

This is in reference to the feedback ticket : https://feedbackassistant.apple.com/draft/57929340, we would like to know if there are any test enterprise websites that Apple can suggest to test passkeys declaration.

I'm using Apple's MDM protocol InstalledApplicationListCommand to get information about installed apps. From iOS/iPadOS 26, the app information obtained by InstalledApplicationListCommand includes information on all apps including system apps (apps that come standard with iOS/iPadOS). https://developer.apple.com/documentation/devicemanagement/installed-application-list-command I want iOS/iPadOS26 to get the same information as the app information I get from the previous iOS/iPadOS, and I want to exclude system apps from the app information I get with the InstalledApplicationListCommand. As a way to exclude system apps, you can use the app ID I'm thinking of a way to exclude anything that starts with "com.apple" (the Identifier key value of the InstalledApplicationListResponse.InstalledApplicationListItem object). As a way to exclude system apps, please tell us whether the above method is appropriate and whether there will be any problems in the future.

We have created provisioning profile from apple developer account for our iPadOS app, the expiry date shown in the profile is 20-Aug-2026. However, when when I build the app with this provisional profile the expiry date shown in the app is 6-May-2026. My Certification expires on 2027. I see a embeded.mobileprovision profile inside the app, and it has an expiry of 6-May-2026. I did a clean build, cleared unnecessary profiles from profile folder, created a new provisional profile and tried, but nothing seems help. We have a few apps, and no other app has this issue, only those two apps have this issue. As the expiry date the shorten, we also need to special handle these two apps, Will you please help me to resolve this issue? Thanks.

We have been trying to figure out how to block Apple Private Relay in our enterprise so we can monitor and filter our employees traffic. We are able to block the Private Relay via this process: We used this article from Fortinet to achieve this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-iCloud-Private-Relay-from-bypassing/ta-p/228629 This also appears to block the users ability to utilize Apple iCloud Drive Backups. They would like to allow that still. Is there a way to block iCloud Private Relay while still allowing iCloud Drive Backups to work? I am not finding a document listing the URL requirements for iCloud Drive Backups. We currently have this solution in place: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-allow-iCloud-private-relay/ta-p/383703 Basically this solution is allowing all Apple URL/IPs to go through the firewall and not be filtered. They would like to scan the traffic through. When scanning is enabled the firewall blocks the iCloud Private Relay traffic as it is blocked as being a proxy. Any guidance is greatly appreciated.

Hello all, I’m hoping someone here has gone through the process of integrating an ERP system with the Apple GSX API and can offer some guidance. We’re currently working with an AASP who asked us to integrate our ERP with the Apple GSX API. It’s the first time for both of us, and we’re a bit stuck on how to properly get started. The AASP contacted their regional manager, who confirmed that an NDA and an Apple Developer Account would be necessary. However, he hasn’t handled this type of integration before and is still seeking internal guidance. That was a few months ago, and due to his workload, the AASP hasn’t heard back from him yet. Meanwhile, we’ve already enrolled in the Apple Developer Program and opened a support case, but we’ve been redirected to the forums since our case goes beyond standard support. So now we’re trying to understand: What steps need to be completed by the AASP? What are the steps we, as the ERP provider, need to take in order to receive API access? Are there any specific documents, applications, or technical requirements we should prepare in advance? We’d really appreciate any guidance or insight from others who have gone through this process — or even partial answers to help us move forward. Thanks in advance for your time!

For additional security we would like to avoid keeping generated certificates (their private keys) on our server after installing them on a device, but still be able to reference them in later installed configuration profiles via MDM. However, it seems that for a configuration profile's payload to use a certificate (e.g. VPN payload), the certificate payload must be present in the same profile. Are we missing anything, perhaps it's already possible somehow? Ideal workflow for us would be: our MDM server generates a certificate (private+public keys) for a given device our MDM server sends this certificate to the device as configuration profile and saves PayloadUUID of the certificate's payload our MDM server deletes the generated private key from its storage. At this point the private key is present only on the device. at some point in the future our MDM server sends a configuration profile that references the certificate from step 2 via the saved PayloadUUID (e.g. using key PayloadCertificateUUID in a VPN payload) Current result: device responds to MDM server with error "The profile “VPN” could not be installed. Certificates needed for the VPN service “VPN” are invalid." Desired result: device is able to find the previously installed certificate via its PayloadUUID. Alternatively, it could be certificate fingerprint or something similar. One more alternative could be to replace steps 1-3 by an app on the device that obtains a certificate (in any way), installs it to device as a configuration profile, passes the certificate's PayloadUUID to our MDM server and then doing step 4.

We’ve run into what looks like a gap in how forceAirDropUnmanaged is enforced on iOS devices. Setup: Device: iOS 17.x (unsupervised, enrolled in MDM) MDM Restriction: forceAirDropUnmanaged = true Managed Open-In restriction also applied (block unmanaged destinations). Verified: from a managed app, the AirDrop icon is hidden in the share sheet. This part works as expected. Issue: When two iOS devices are brought close together, the proximity-initiated AirDrop / NameDrop flow still allows transfer of photos, videos, or files between devices. In this path, forceAirDropUnmanaged does not appear to apply, even though the same restriction works correctly in the standard sharing pane. What I’d expect: If forceAirDropUnmanaged is enabled, all AirDrop transfer paths (including proximity/NameDrop) should be treated as unmanaged, and thus blocked when “Managed Open-In to unmanaged destinations” is restricted. What I observe instead: Share sheet → AirDrop hidden ✅ Proximity/NameDrop → transfer still possible ❌ Questions for Apple / Community: Is this a known limitation or expected behavior? Is there a different restriction key (or combination) that also covers proximity-based AirDrop? If not currently supported, should this be filed as Feedback (FB) to request alignment between share sheet AirDrop and NameDrop enforcement? This behaviour introduces a compliance gap for organisations relying on MDM to control data exfiltration on unsupervised or user-enrolled devices. Any clarification or guidance would be greatly appreciated.

Steps to Reproduce Step 1: Fetch Initial Device List Called the device list endpoint to retrieve all devices and saved the cursor: GET https://mdmenrollment.apple.com/server/devices Step 2: Modify Devices Added and deleted several devices via https://business.apple.com/ Step 3: Sync Without Pagination Called the sync endpoint using the cursor from Step 1 (no limit): GET https://mdmenrollment.apple.com/devices/sync?cursor={step1_cursor} Result: Returned 3 device records as expected: { "devices": [ { "serial_number": "F70JJ4C16L", "op_type": "added", "op_date": "2025-12-11T07:05:05Z" }, { "serial_number": "F70JJ4C16L", "op_type": "deleted", "op_date": "2025-12-11T07:04:36Z" }, { "serial_number": "C8RWGXZXJWF5", "op_type": "deleted", "op_date": "2025-12-11T07:04:52Z" } ], "more_to_follow": false } Step 4: Sync With Pagination (First Page) Called the sync endpoint using the same cursor from Step 1 with limit=1: GET https://mdmenrollment.apple.com/devices/sync?cursor={step1_cursor}&limit=1 Result: Returned 1 record with more_to_follow: true — indicating more data exists: { "devices": [ { "serial_number": "F70JJ4C16L", "op_type": "added", "op_date": "2025-12-11T07:05:05Z" } ], "more_to_follow": true, "cursor": "MTowOjE3NjU0MzgyNDI5ODc6..." } Step 5: Sync With Pagination (Second Page) Called the sync endpoint using the cursor from Step 4 with limit=1: { "devices": [], "more_to_follow": false } Expected Behavior When paginating with limit=1, the API should return all 3 records across 3 sequential requests. Actual Behavior Without pagination: Returns 3 records ✓ With pagination (limit=1): Returns only 1 record, then empty array ✗ 2 records are missing when using pagination. Impact This inconsistency makes the sync API unreliable for incremental device synchronization workflows.

Hello folks, I stumbled upon a weird CNContact serialization problem. I use the Contacts framework to update the AIM field, which is one of the instantMessageAddresses within a single Contact. Here is the simplified code I used: func updateAIMFieldOn(contact: CNContact, aimValue: String) { do { guard let mutableContact = contact.mutableCopy() as? CNMutableContact else { logger.error("[CM] Couldn't update contact with aim \(aimValue)") return } var updatedAddresses = mutableContact.instantMessageAddresses updatedAddresses.append(CNLabeledValue(label: "", value: CNInstantMessageAddress(username: aimValue, service: CNInstantMessageServiceAIM))) mutableContact.instantMessageAddresses = updatedAddresses let saveRequest = CNSaveRequest() saveRequest.update(mutableContact) try CNContactStore().execute(saveRequest) logger.verbose("Contact's AIM updated successfully!") } catch { logger.error("Couldn't update contact") } } And after serializing the contact to data, and then deserializing, the contact got two AIM fields with the same value: X-AIM;type=pref:some:part:of_my_aim_value IMPP;X-SERVICE-TYPE=AIM;type=pref:some:part:of_my_aim_value Why does it work in this manner? Is it possible that ":" char causes that? Format of my aim username is {some:part:of_my_aim_value}. I didn't find any information in the docs. Thanks!

Hello, I’d like to clarify the technical limitations around app updates in an Apple School Manager (ASM) + MDM environment. Environment • iOS/iPadOS devices supervised and managed via Apple School Manager • Apps are distributed via ASM (VPP / Custom App) and managed by MDM • Apps are App Store–signed (not Enterprise/In-House) • Some apps include NetworkExtension (VPN) functionality • Automatic app updates are enabled in MDM Question From a technical and platform-design perspective, is it possible to: Deploy app updates for ASM/MDM-distributed App Store apps via a separate/custom update server, and trigger updates simultaneously across all managed devices, bypassing or supplementing the App Store update mechanism? In other words: • Can an organization operate its own update server to push a new app version to all devices at once? • Or is App Store + iOS always the sole execution path for installing updated app binaries? ⸻ My current understanding (please correct if wrong) Based on Apple documentation, it seems that: 1. App Store–distributed apps cannot self-update • Apps cannot download and install new binaries or replace themselves. • All executable code must be Apple-signed and installed by the system. 2. MDM can manage distribution and enable auto-update, but: • MDM cannot reliably trigger an immediate update for App Store apps. • Actual download/install timing is decided by iOS (device locked, charging, Wi-Fi, etc.). 3. Custom update servers • May be used for policy decisions (minimum allowed version, feature blocking), • But cannot be used to distribute or install updated app binaries on iOS. 4. For ASM-managed devices: • The only supported update execution path is: App Store → iOS → Managed App Update • Any “forced update” behavior must be implemented at the app logic level, not the installation level. ⸻ What I’m trying to confirm • Is there any supported MDM command, API, or mechanism that allows: • Centralized, immediate, one-shot updates of App Store apps across all ASM-managed devices? • Or is the above limitation fundamental by design, meaning: • Organizations must rely on iOS’s periodic auto-update behavior • And enforce version compliance only via app-side logic? ⸻ Why this matters In large school deployments, delayed updates (due to device conditions or OS scheduling) can cause: • Version fragmentation • Inconsistent behavior across classrooms • Operational issues for VPN / security-related apps Understanding whether this limitation is absolute or if there is a recommended Apple-supported workaround would be extremely helpful. Thanks in advance for any clarification

Hi Apple Development forums, I am having trouble getting a Wireguard VPN config setup to automatically disconnect on all domain requests other than one specific domain. I have my .mobileconfig designed as so: <dict> <key>Action</key> <string>EvaluateConnection</string> <key>ActionParameters</key> <array> <dict> <key>Domains</key> <array> <string>service.domainname.com</string> </array> <key>DomainAction</key> <string>ConnectIfNeeded</string> <key>ProbeURL</key> <string>https://service.domainname.com/</string> </dict> </array> </dict> <dict> <key>Action</key> <string>Disconnect</string> <key>DNSDomainMatch</key> <array> <string>*.com</string> <string>*.org</string> <string>*.net</string> </array> </dict> <dict> <key>Action</key> <string>Disconnect</string> </dict> </array> The issue I'm having is regardless of whether I note a *.com or simply have the action Disconnect noted - the VPN stays connected after navigating to https://service.domainname.com. would anyone have any thoughts on this? Or am I missing something here?

Hi Team, Could you please share how to change/extend the expiry date of the existing iOS Distribution (In-House) certificate? Since the membership renewal date is in March 2026 and the iOS distribution(In-House) certificate expiry date is in Feb 2026. We use to distribute the mobile apps using the product intunes (Company portal) and via direct download link. Please suggest since this certificate is used by multiple mobile apps by the users which can affect lot of iPhone users? Thank you in advance Deepak