Nuestra cuenta está aprobada como MDM Vendor y necesitamos emitir por primera vez el certificado APNs para MDM en el portal de Push Certificates. Procedimiento seguido Primero hemos descargado desde nuestra cuenta de Apple Developer el certificado de MDM Vendor y lo hemos instalado en el ordenador. Esto lo hemos hecho para que, al lanzar la instrucción de OpenSSL, se pueda utilizar el UUID gestionado por Apple y así generar el CSR de forma correcta. La instrucción que estamos ejecutando es la siguiente: openssl req -new -newkey rsa:2048 -nodes -keyout mdm_private.key -out mdm.csr -subj "/O=Numbux/OU=MDM/CN=com.apple.mgmt.External." El CSR resultante es puro (no está firmado ni empaquetado) y está generado con RSA 2048 y SHA256. Sin embargo, al subirlo al portal de Push Certificates, seguimos recibiendo el error “invalid signing request”. Solicitud Dado que es nuestra primera emisión, entendemos que necesitamos el External UUID asignado por Apple a nuestra organización, porque veo que el problema se deriva de una incorrecto UUID que se está generando en el comando OpenSSL. ¿Podríais confirmarnos cuál es ese valor para poder completar el CSR y así emitir correctamente el certificado APNs MDM? He llamado a los números 900 812 703 y al 900 812 468 y he escrito al soporte de developer. NADIE ES CAPAZ DE DARMELO. Sin el external UUID no puedo crear el APN para mi MDM. Alguien me puede ayudar? No me mandeis links ni posibles números que llamar porque ya lo he hecho.

Hello, I'm currently working on implementing app installation features, referencing the app.managed.yaml declaration on GitHub: https://github.com/apple/device-management/blob/0a4527c5ea21825fd23e08273ccdb9e2302458ce/declarative/declarations/configurations/app.managed.yaml My question pertains to the InstallBehavior.Version key. The current specification indicates its type as <integer>: key: Version title: Version supportedOS: iOS: introduced: '26.0' macOS: introduced: '26.0' visionOS: introduced: '26.0' type: <integer> Is there a way to specify the app version using a string format, such as x.y.z, instead of the integer (App Store External Version Identifier - EVID)? Allowing for a simpler version specification would make app version management through MDM more flexible and efficient. I believe this would significantly streamline the deployment and operation of Apple devices within organizations. Any guidance or consideration for this would be greatly appreciated. Thank you.

The Center for Innovation in Education created a reading program designed to teach every single child to read, regardless of any supposed difficulty in learning. The Center conducted a ten-year study of its Reading Program’s effectiveness. Over those ten years, the Center placed 2,048 Reading Program kits in classrooms across America. More than 300,000 children took part in the Center’s study. Results: The Reading Program taught every single child to read in every single classroom, every single year, regardless of any child’s supposed reading readiness - including dyslexic, autistic, and even Down syndrome children. No failures then or in any of the many years that have followed. Despite the Program’s success, educational publishers refused to publish it. Their refusals will be explained and hopefully counteracted in a book that is scheduled to be published in 2026. In response to publishers’ refusal to make the program available, the Center made it available as a free download from its website. The Center also made its program available as 14 free iPad apps. While the apps can be searched for individually by their unique names, since the apps are interrelated and meant to complement one another, the first keyword assigned to all 14 apps was the same. That same keyword is still in its first position for every app. The first keyword listed for each of the 14 apps is the word “Dekodiphukan”. That meant-to-be hard-to-read search word has worked well every year since the apps were introduced. However, in June of this year, that search term could find only 1 of the 14 apps. We reported this problem to Apple Support on June 26th. It is now November, and the problem remains unresolved. The only response we receive each time we ask for an update on the resolution of this problem the answer every time is: Reported search issues of this type require extensive review by Apple to determine whether it is valid and to confirm the appropriate action. There is no other response. No update has ever been sent to us. There is no phone number I can find to call. It was suggested to me by someone I spoke with in a different department at Apple Developers that I post my problem on the Developer Forum, in hopes that someone here can provide a suggestion for a way around this problem. Parents and teachers wishing to use our Reading Program with their children should not have to enter 14 different names to access our Reading Program.

Dear Apple Developer Team, Following the rollout of iOS 26.x and the introduction of the iPhone 17, we have identified a critical issue affecting Mobile Device Management (MDM) enrolment and restore operations. The issue appears to stem from the Device Management Profile configuration 'do_not_use_profile_from_backup' within Apple Business Manager (ABM), which currently defaults to False. This setting should be modified to True to ensure proper functionality. When the profile remains set to False, organisations leveraging MDM encounter repeated failures during device backup and restore operations. Specifically, restoring a supervised or managed device triggers a persistent MDM registration loop, effectively preventing deployment of iPhone 17 devices in managed environments. We recommend that Apple review and adjust the default Device Management Profile property within ABM to address this issue and restore full MDM compatibility for iOS 26.x and later.

how can i generate MDM Push Certificate for my own MDM server. Please guide me on that.

I applied over a month ago and haven't heard back to the Apple Small Business Program. What should I do to speed things up?

私は現在Intuneを使ったAppleIntelligenceの機能制限方法を調査しております。 AppleIntelligenceの機能のうち、以下5点を制御したく、その方法について教えてほしいです。 ・作文ツール ・Gen文字 ・写真(クリーンアップ機能等) ・さまたげ低減モード(通知の要約・優先順位機能含む) ・ChatGPTのサインイン(同期)・使用 今回ここに聞いた経緯としては、Microsoft社に本調査の確認をとったところ、 「制御後のデバイスの動作についてはAppleのペイロードを使用した制限のため、Appleに確認をとってほしい」 と伝えられたからです。 以下サイトではIntuneのAppleIntelligence機能の制御項目(MDM)が17項目ありますが、 ところどころ実動作について文章では理解ができない部分がありました。 ・https://techcommunity.microsoft.com/blog/intunecustomersuccess/microsoft-intune-support-for-apple-intelligence/4254037 AppleDeveloperサポートにも確認をとりましたが、以下サイトを紹介のみで、 特に追加の情報はありませんでした。 ・https://developer.apple.com/documentation/devicemanagement/restrictions 上記５機能を制限するためにはどの制限項目を使用すればよいでしょうか。

I want to install Chrome extension via configuration profile without user needing to go to System Settings and install profile manually. Can i install configuraation profile by making user only interact with my app?

Platform SSO not working on macos devices for zscaler application other app like safari / chrome working well. Need help from apple expert on the same. Environment : IDP : Entra ID MDM : Omnissa Workspace one UEM platform : macOS

How to test ManagedAppConfigurationProvider without MDM ? Task { /* Configuration provider task */ for await configuration in configurationProvider.configurations(MyAppConfiguration.self) { self.configuration = configuration ?? MyAppConfiguration.defaultConfiguration } } Can the existence of a configuration be simulated, e.g. by storing a mocked configuration in UserDefaults? The UserDefaults key "com.apple.configuration.managed" seems not relevant here.

I'm are attempting to use the device management migration feature in Apple Business Manager / Apple School Manager (for devices running iOS 26 / iPadOS 26) to re-assign managed devices from one MDM server to another. We followed the published procedure (select device(s) → Assign Device Management → Set deadline → Continue). However, we are observing that on the device side, no notification or prompt appears to the user (such as “Enrollment Required” or “Your organization requires this device to enroll in a different device management service”), even after the migration deadline has passed. Here are the environment details: Device OS version: (iOS 26.1) Device ownership: enrolled via Automated Device Enrollment MDM re-assignment in ABM: old MDM server（name: https://dev5.clomo.com/panel/mackey-dev/ ） → new MDM server (name: https://obliging-bunny-equally.ngrok-free.app/ ) Deadline set: (12/10/2025 12:00 AM) Network connectivity: confirmed online at deadline time We would like to know: Under what exact conditions will the device display the notification/prompt, and what common mis-configurations prevent it from appearing? Is there any device log or activity indicator in ABM/ASM to confirm that the migration instruction has been sent to the device? In cases where the prompt does not appear, what troubleshooting steps can we perform on the device (or in the MDM/ABM configuration) to correct it?

Finally got to the stage where the ACME certificate profile is successfully installed. However, the public key/certificate itself isn't appearing in the System Keychain. I'm not sure if this is normal or if it's an indication that something went wrong after the profile installation. Unfortunately, I didn't study the log detail at the time and I'm uncertain of how to retrieve those logs from two days ago for the ACME activities. Can anyone confirm that macOS 26 should be storing ACME-retrieved MDM profile-based certificates in the System Keychain? If they should be there, what can possibly go wrong? The most obvious issue I can see is that the ACME server has requested the certificate with two CN's, which comes from the MDM profile asking for the subject against CN and the OID (2.5.4.3). Both CN's are identical. I'm surprised the profile installed if something is wrong. At first, I assumed Apple had decided to stop installing the certificates into the System Keychain.

Hi everyone, We manage several macs through Microsoft Intune. We've deployed Platform SSO using the password based method (not the Secure Enclave) and have also enforced filevault encryption through policy. What we're trying to achieve is that multiple users can log into the same Mac. For example, I (the initial enrolling user) can log in without issues. However, we want a colleague to be able to log in as well if they're physically in front of the mac. The challenge we've run into is that once filevault is enabled (We're not sure about it but reading on forums it seems that the problem is filevault), it seems the network is not available at the login screen. This means that while the first user can create a mobile account and log in, a second user can't do the same. The moment we try to log in with another set of credentials, we get an immediate error and the password field shakes instantly, suggesting it's not even reaching out to the network or directory to validate the credentials. We'd like to confirm if this behavior is expected when FileVault is active and whether the only solution is to disable FileVault or if there are alternative solutions to allow network connectivity at the login screen. Essentially, we want to know if there's a way to let a second user log in without having to turn off disk encryption. Or if we can pre-authorize a set of users on the mac in order to create all the mobile account needed.. Thanks in advance! Thomas

We’re looking for best practices to remotely update iOS apps that are deployed in Single App Mode (SAM) or Autonomous Single App Mode (ASAM), managed through MDM. Imagine a typical use case: an iPad installed as a self-service kiosk at an airport restaurant. We need to update the app periodically without: Displaying any prompts to the user Relying on the user to approve or initiate the update (since the device is unattended) Sending technicians onsite, as many devices are in remote locations MDM providers have stated, “This is how Apple handles it,” without offering a workable solution. We’re hoping someone here has experience or suggestions for: Seamless or silent app updates in SAM/ASAM Update workflows that avoid interruptions or user interaction Any proven strategies or automation options under MDM supervision Any insight or documented approaches would be greatly appreciated. Thank you!

Im trying to make my own iOS MDM Server with SCEP. I cant send a response to the PKIOperation without the iPad rejecting it. Can someone post the PKIOperation response structure

I've account access level of developer. I want to create app specific password but go through the account but could not get any option to do so. Can somebody help me on this. Thanks in advance.

Hello, I am running into a bit of an issue with the Screen Timeout/Screen Lock setting and would like some clarification on. First for a bit of context, I am enrolling personal iOS devices 18.0+ into the company MDM (Intune) with Account Driven User Enrollment. We are trying to set a screen timeout of 5 minutes and immediately after it asks for the passcode on the device, though this setting is not being applied and the device timeout setting can be set as "Never" on the user's end. This is a big security risk for the company I work for and and the issue with being HIPAA compliant. According to the Microsoft Intune Support, "In iOS 18, when using Account-Driven User Enrollment for BYOD (Bring Your Own Device) scenarios, the screen lock timeout setting is indeed marked as “Not Applicable”. This is because Apple’s privacy-preserving model for personal devices restricts administrative control over system-level settings like screen lock or idle timeout." I am needing clarification on the item mentioned from Microsoft Intune Support and if this setting is no longer able to be applied from the MDM with devices enrolled with Account Driven User Enrollment?

I'm using Apple's MDM protocol InstalledApplicationListCommand to get information about installed apps. From iOS/iPadOS 26, the app information obtained by InstalledApplicationListCommand includes information on all apps including system apps (apps that come standard with iOS/iPadOS). https://developer.apple.com/documentation/devicemanagement/installed-application-list-command I want iOS/iPadOS26 to get the same information as the app information I get from the previous iOS/iPadOS, and I want to exclude system apps from the app information I get with the InstalledApplicationListCommand. As a way to exclude system apps, you can use the app ID I'm thinking of a way to exclude anything that starts with "com.apple" (the Identifier key value of the InstalledApplicationListResponse.InstalledApplicationListItem object). As a way to exclude system apps, please tell us whether the above method is appropriate and whether there will be any problems in the future.

I desperately need help with this issue. Are there any known issues regarding MDM profiles not installing on iPhone 17? Too many cases are being reported.

Hi, We developed a Platform SSO extension for our IdP, Keycloak. It would be great to get some feedback on it: https://francisaugusto.com/2025/Platform_single_sign_on_diy/