Hi, I am experiencing an issue with in-house apps on iOS 18. When the MDM profile is removed, newly installed in-house apps cannot be opened. However, previously installed in-house apps still work fine until the device is restarted. Context: Our in-house apps are not distributed via MDM but through an internal company app store. These apps are signed with an enterprise certificate and have been working fine on previous iOS versions. Steps to reproduce: Install an in-house app while the MDM profile is active -> The app works fine. Remove the MDM profile. Install a new in-house app (signed with the same enterprise certificate) The newly installed app does not open at all. The existing in-house apps installed before MDM removal continue to work normally. Restart the device. Now, even the previously installed in-house apps no longer open. Observed behavior: The newly installed in-house app does not open, and no trust prompt appears in Settings > General > VPN & Device Management. The previously installed in-house apps continue to function normally until the device is restarted. After restarting, none of the in-house apps open anymore. Is there a now restriction in iOS 18 regarding in-house app installation after MDM removal? Any insights or solutions would be greatly appreciated! Thank you.

We have couple of devices that are registered into Platform SSO, and we have been noticing an issue when the user tried to login. After the users enters the password and hit the return key nothing happens, they need to hit the return key probably 10-15 times in order for the login to happen, the password entered is the correct one and it's just that hitting the return key doesn't invoke the login. On checking the log of the device one unusual thing that we noticed as compared to a different device where the login is working in a single go is that the AppSSOAgent or AppSSODaemon process were not getting invoked

Is it mandatory to get explicit user consent in iOS apps to collect their product usage data anonymously with something like mixpanel. Note: this is not for advertising purposes, but only to make the product better based on usage patterns.

Hello We have devices setup with in ABM and managed with Intune. Having only ever setup shared iPad's, we have a new request with managing iPhone's. The customer wants the iPhone's managed, but users enabled to purchase apps for the app store using their own credit card (or Apple ID) These are not BYOD devices and federated sign is not an option at this time. Can this be done with example User affinity profiles? Many thanks

Hi there, We’re testing Declarative Device Management (DDM) for VPP app management and followed the latest declaration template here: https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/app.managed.yaml Our goal is to enable VPP auto-updates via the declaration. The payload we’re using looks like this: "AppStoreID": "1231325957", "InstallBehavior": "{\"Install\": \"Required\", \"License\": {\"Assignment\": \"Device\"}}", "UpdateBehavior": "{\"AutomaticAppUpdates\": \"AlwaysOn\"}" } What we’re seeing Device A (no Apple ID signed into App Store): User can manually update the VPP app with the above declaration in place. ( The same user cannot update the app if UpdateBehavior is not in the declaration payload. Device B (Apple ID signed into App Store, and the same Apple ID doesn't have the above app purchased): User cannot manually update the same VPP app. The App Store shows the error seen when UpdateBehavior is absent: “ cannot be updated because it was refunded or purchased with a different Apple Account.” Also, in this case, the user has no way to purchase the (free) app by their own as the app shows as owned/managed by MDM server. We have to remove the declaration, let the user purchase the same app, then re-deploy the declaration to allow the user to click that "Update" button when a new version for that app is available. Additionally, we’re unsure about the criteria/timing for automatic VPP app updates under DDM. After a new version became available, we waited several hours but the app did not auto-update. Repro summary App: VPP, device-assigned license Declaration: AutomaticAppUpdates = AlwaysOn, install required Device A: not signed into App Store → manual update allowed Device B: signed into App Store → manual update blocked with “refunded/different account” error Auto-update did not occur after waiting several hours post-release Any guidance, confirmation of expected behavior, or tips on additional logging we should collect (e.g., specific App Store / MDM / DDM logs and subsystems) would be greatly appreciated. If this is a known issue or requires a Feedback Assistant report, we’re happy to file one. Thanks,

I am having an issue with duplicated SCEP client certificates on an iOS device. We deployed an SCEP profile via MDM, then deleted and redeployed it via MDM. In Settings > General > VPN & Device Management, only one SCEP profile is visible. However, Safari shows duplicated certificates when a server requests a client certificate. We have tried removing the cert profile on MDM and unenrolling the device from MDM, but only the latest certificate got removed, leaving previous ones stuck on the device or in the Safari app. We have found no way to remove these duplicated certificates other than factory reset the devices. This appears to be a potential iOS bug affecting certificate cleanup. We need assistance to resolve this issue. Also, the issue is difficult to reproduce but has happened to a number of our managed devices.

Before iOS26.1, allowCamera set false, all app can't use camera. On iOS26.1, allowCamera set false, removes camera icon from the Home Screen, but third app can still use camera, such as Safari and other apps that can call camera. Is it a bug or a new features？

I desperately need help with this issue. Are there any known issues regarding MDM profiles not installing on iPhone 17? Too many cases are being reported.

We've disabled FUS through a config profile, but users can still access FUS by enabling the MenuBar/Control Center icons. My org would like to prevent access to FUS so I've created a config profile. But the profile doesn't seem to work. Anyone have any ideas what I'm missing, or is this an OS bug? <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadDisplayName</key> <string>macOS - Tahoe - Disable Fast User Switching Control Center</string> <key>PayloadIdentifier</key> <string>com.myorg.fast-user-switching</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadScope</key> <string>System</string> <key>PayloadUUID</key> <string>f1a2b3c4-d5e6-7890-abcd-ef1234567890</string> <key>PayloadVersion</key> <integer>1</integer> <key>TargetDevmyorgType</key> <integer>5</integer> <key>PayloadContent</key> <array> <dict> <key>PayloadType</key> <string>com.apple.controlcenter</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>com.apple.controlcenter.57EBEF9E-E568-411E-AE27-500AD98C94F4</string> <key>PayloadUUID</key> <string>f1a2b3c4-d5e6-7890-abcd-ef1234567890</string> <key>UserSwitcher</key> <integer>8</integer> </dict> <dict> <key>PayloadType</key> <string>.GlobalPreferences</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>.GlobalPreferences.71DE1486-60BC-4CB9-890D-AD50A772890D</string> <key>PayloadUUID</key> <string>c5234012-e0sw-2066-6fl8-3bd5p8125op7</string> <key>MultipleSessionEnabled</key> false/> </dict> </array> </dict> </plist>

During MDM Automated Device Enrollment of Apple TV, the web view defined by configuration_web_url is not working. We are using the web view to display the usage policy for all devices. While the web view functions correctly for other devices, it is resulting in an error specifically for Apple TV. Could you please clarify whether Apple plans to implement support for this feature on Apple TV in the future or if it will not be supported? Referring to configuration_web_url in: https://developer.apple.com/documentation/devicemanagement/profile

Hello, this may not be the correct place to ask this question so I apologize in advance if this is the case. I am currently running into two specifc issues while continuing to implement the app.managed configuration which are quite frustrating and I will detail them below Unlike MDM where an application could be "reinstalled", by sending an install application command down for the same app DM does not have a similar mechanism which causes some issues as (while inconsistent) devices do not always respect the configuration sent down, and will not begin downloading VPP applications. They can be seen in the configuration when checking under VPN & Device Management but they do not return on a status report, alternatively and app will "install" but will have a cloud symbol next to it requiring a download (which I believe would be impossible on supervised devices without apple accounts/have restricted apple accounts associated to them). These apps are also reported incorrectly, as they return a managed response while being inaccessible. Both of these issues are solved by removing and reinstall applications (occasionally). Is there any easier way to trigger a re-install or is this the only way to trigger this? The Version element that can be optionally sent down does not seem to work (or if it does, does so inconsistently). A device will very happily download the application initially with the version element present, though when we detect an updated external ID from the VPP program and send down an updated configuration devices behave unexpectedly. Some have ignored it, some have responded back that a download has begun (with no download taking place and the application clearly still being the initial installed version as can be see in the apps page) or it just works, but there is not consistency. I realize a new UpdateBehavior object has been added to possibly handle this, but it is only supported in iOS 26 and above and there are plenty of people who do not have phones that can upgrade that far. Are there alternative ways to enforce an application update other than uninstalling and reinstalling the application without the version (or will sending down a config without a version after one was originally pinned force it to update to latest?) Kind Regards

Issue - Safari application not fetched from system_profile command Use case - We are trying to get list of installed applications in the mac. For this we use System_profiler command to fetch the details list. It is working good, but the thing is , It doesnt fetch Safari app as an installed Application. Command used - **/usr/sbin/system_profiler SPApplicationsDataType** Can anyone suggest any other way to fetch the installed applications list from the mac , which includes all the apps (including safari app) and remains effective ?

Is there a way to check if DDM(Declarative Device Management) is enabled on a device?

We are facing an issue with Platform SSO registration on macOS devices for AD-bound user accounts with Microsoft EntraID configuration. We are using the Platform SSO payload on macOS devices integrated with Entra ID, and it works as expected — registration completes successfully, and the password syncs with the Entra ID password. However, when we try the same on macOS devices with AD-bound (mobile) user accounts, the registration does not complete. To elaborate, the process successfully completes the initial WebView authentication but fails at the stage where Apple prompts for the password to sync the local macOS user’s password with the Entra ID password. It does not display any error, and even after entering a valid password, the process does not proceed further. However, when we try the same on a non-AD user account, it works fine. We have checked with Microsoft, and they confirmed that there are no restrictions on their side for AD-bound accounts. Since the issue appears to occur at the Apple system level, they advised us to reach Apple teams on this. Could you please check and let us know how we can proceed with this? Payload used: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>AuthenticationMethod</key> <string>Password</string> <key>ExtensionIdentifier</key> <string>com.microsoft.CompanyPortalMac.ssoextension</string> <key>PayloadDisplayName</key> <string>Extensible Single Sign-On Payload</string> <key>PayloadIdentifier</key> <string>com.apple.extensiblesso.B408A658-3DAF-41FF-8A5D-AE77B380CB7B</string> <key>PayloadType</key> <string>com.apple.extensiblesso</string> <key>PayloadUUID</key> <string>D506CAFD-C802-41F2-9C3E-DF5289C315FF</string> <key>PayloadVersion</key> <integer>1</integer> <key>PlatformSSO</key> <dict> <key>AccountDisplayName</key> <string>EntraID</string> <key>AuthenticationMethod</key> <string>Password</string> <key>EnableCreateUserAtLogin</key> <true/> <key>LoginFrequency</key> <integer>3700</integer> <key>LoginPolicy</key> <array> <string>AttemptAuthentication</string> </array> <key>NewUserAuthorizationMode</key> <string>Admin</string> <key>UseSharedDeviceKeys</key> <true/> <key>UserAuthorizationMode</key> <string>Admin</string> </dict> <key>ScreenLockedBehavior</key> <string>DoNotHandle</string> <key>TeamIdentifier</key> <string>UBF8T346G9</string> <key>Type</key> <string>Redirect</string> <key>URLs</key> <array> <string>https://login.microsoftonline.com</string> <string>https://sts.windows.net</string> <string>https://login.partner.microsoftonline.cn</string> <string>https://login.chinacloudapi.cn</string> <string>https://login.microsoftonline.us</string> <string>https://login.microsoft.com</string> <string>https://login-us.microsoftonline.com</string> </array> </dict> </array> <key>PayloadDisplayName</key> <string>Platform SSO</string> <key>PayloadIdentifier</key> <string>42GBHOLAP04621.1BD5B6D9-640B-4DC3-9275-56DDD191A5FB</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>58548FC6-38D9-4B28-9EDF-BEEAB03BAB23</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

Target Device: iPhone 13, iOS 18.5, enroll to MDM by enrollment profile Command: Response: Anyone could help?

In Device management profile, VPN.VPN.OnDemandRulesElement Action->Disconnect Example payload: OnDemandEnabled1OnDemandRules ActionDisconnectInterfaceMatchCellular When install my vpn payload with above configuration, I was unable to connect vpn manually when i try with wifi interface Based on the doc, VPN should tear down when i connect with specific type interface(here cellular) i was unable to connec the vpn when i'm in cellular network good but when i connect to wifi still the same is happening. Is this a bug? tried in ios 18

I am needing to access the ABM API via C#. Searching has directed me to use BouncyCastle. I have downloaded the PEM file. However, using the following: using (var reader = File.OpenText(pemFilePath)) { var pemReader = new PemReader(reader); var keyObject = pemReader.ReadObject(); I get the error "problem creating EC private key: System.NullReferenceException: Object reference not set to an instance of an object."

Issue Description: We are experiencing MDM profile installation failures specifically on iPhone 17 devices. After extensive testing and comparison between affected and working devices, we suspect this appears to be a parameter transmission error rather than device settings. Technical Analysis: Device Settings Comparison: No differences found between problematic and working devices in system settings, indicating this is not a configuration issue. Suspected Parameter Transmission Error: • Device model information appears to be restricted or blocked during profile download • User ID and phone number parameters are not being transmitted to the server • Installation logs show missing login ID and phone number entries Symptoms: • During MDM profile installation, the "Apps & Restrictions" section that should appear is missing • Profile download parameters are suspected to not be properly transmitted to the server • Installation process fails at the profile configuration stage Critical Finding: When we cloned a previously working device to create a problematic device configuration, the cloned device also began experiencing the same installation failures. This strongly suggests the issue is related to device-specific parameters or identifiers. Additional Information: We continue to receive reports of this issue from our iPhone 17 users, and these reports are occurring across various iOS versions. Request for Assistance: Has anyone encountered similar MDM profile installation issues on iPhone 17? Are there known limitations or changes in how device parameters are transmitted during MDM enrollment on this model? Any guidance on debugging parameter transmission or known workarounds would be greatly appreciated.

Hello, I am an iOS developer managing an MDM app. In this app, we are only using the camera restriction feature. Can the MDM status (specifically, the camera state) be changed while the user's screen is locked? We want to communicate with our server in the background and apply changes, but there is no known information about this. I would appreciate your help!

We are expering frequent delays recently when associating a device serial with the adamid of an app in our business manager account. I get an event id back when calling the /associate api but when i check the status of that event id is can be sat in a pending state for sometimes several hours. Need to understand why and if its a configuration issue