We are upgrading macOS (minor versions and potentially major versions) using a scripted approach: Install the InstallAssistant package via installer Trigger OS install via startosinstall On MDM-managed assets, OS update policies appear to prohibit or interfere with the update flow. The update often fails with startosinstall reporting “Helper tool crashed…” during the “Preparing” phase. Steps to Reproduce On an MDM-enrolled Mac with OS update restriction/deferral policies applied, run: sudo /usr/sbin/installer -pkg /Path/To/InstallAssistant.pkg -target / && echo 'MACOS_PASSWORD' | /Applications/Install\ macOS\ Sonoma.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --stdinpass --user MACOS_USER Actual Result Package installation reports success, but startosinstall fails during preparation with: Standard Output installer: Package name is macOS15.7_SoftwareUpdate installer: Upgrading at base path / installer: The upgrade was successful. By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms. If you do not agree, press CTRL-C and cancel this process immediately. Preparing to run macOS Installer... Preparing: 0.0% Preparing: 0.1% ... Preparing: 24.9% Standard Error Helper tool crashed... notes.log Install.log is also attached. Questions for Apple / Ask: We suspect this crash is caused by MDM OS update restrictions/policies. We need Apple’s recommended method to perform macOS updates (minor + major) when MDM is present, especially in environments where update deferrals/restrictions may be configured.

Background / Objective We are currently developing a solution to centrally manage Apple OS updates (major and minor) across managed macOS devices. Before implementing at scale, we need Apple’s guidance on supported and future-proof update mechanisms under MDM. Questions / Ask (Apple Guidance Requested) Apple recommended method What is Apple’s recommended approach to perform: Minor updates (e.g., macOS X.Y → X.Z) Major upgrades (e.g., Ventura → Sonoma) in an enterprise fleet? Support boundary Is macOS update management only supported via MDM (including any newer declarative workflows), or are local mechanisms (installer + command-line tooling) also considered supported for enterprise automation? Use of startosinstall Can we leverage the existing utility: /Applications/Install macOS .app/Contents/Resources/startosinstall for automated upgrades in enterprise environments? If yes, are there recommended flags/workflows Apple endorses for unattended or minimally interactive upgrades? Long-term support / stability Does startosinstall have any form of long-term support / stability guarantees across future macOS releases? Are there any known deprecations planned (or guidance that customers should transition to MDM/DDM workflows)? MDM interaction / interference When using startosinstall, can MDM policies (software update deferrals/restrictions, update enforcement, etc.) interfere with or block the upgrade? If interference is expected, what is the correct supported way to coordinate: MDM software update settings local startosinstall execution to avoid failures and ensure compliance? What We Need From Apple (Desired Outcome) A clear statement of recommended and supported update workflow(s) for enterprise managed macOS: for minor updates for major upgrades Guidance on whether startosinstall is acceptable for long-term automation, or whether we should only use MDM/DDM-driven workflows. Any best practices or reference documentation Apple recommends for implementing this safely and reliably.

I want to side load a .ipa file from a Mac to iPhone connected to Mac via USB. I don't want to use ABM or enterprise account. Also these can be any number of unknown devices. Is there any way to set this up automatically?

Is there any mechanism to restrict camera usage on a user-owned device, once they have opted in, consented to the restriction, and installed a management profile? Documentation suggests it was possible with allowCamera, but has be deprecated on unsupervised devices. Am I understanding correctly that it's simply not possible anymore unless the device is supervised?

I'm working on the companion iOS app for my purpose-built MDM system. when I use the following in a .swift file: import DeviceManagement I get the build issue: No such module 'DeviceManagement' When I attempt to add the framework in the Frameworks, Libraries, and Embedded Content settings, DeviceManagement doesn't even show up in the available frameworks. Alll the documentation I can find suggests that is the correct framework to import, but I'm new to this and not sure if I'm just missing something. Some AI help is suggesting that the culprit might be v16.x of Xcode, but I don't know enough to prove that correct or not. Any ideas on why Xcode believes there is no such module? Is there documentation that might help me learn how to make that framework available for my project?

We are going to replace our iPhone SE to iPhone 16e. The issue is that we are unable to install an in-house app on the new iPhone 16e. The app works on the iPhone SE Both phones run on the same iOS version (18.5) Has anyone else experienced the same issue? I initially thought the iPhone 16e was the successor to the iPhone SE

Three months ago I molded a mold program. I believe could be tweaked and tried unlined zero code. swear. anyway I would like to scale with some people if I can go to commercial area code phoned series and calls.and if I have rights. but my next moves for them. on iOS I think they should have a seri settings. where they can call seri.on settings, and it jump many codes-and navigation is hard. plus I think seri can help in settings expecially since seri settings is verbal drop. if the words fit or are similar it cues goes to but you have to hard call the switch.so there’s no hey no Sami where you setting no Sammy right I think it could skip cauldron and everything verbally either. Seri settings I think iOS should try it.

Hi Apple Team & Community, The new Introduction of Platform SSO during ADE Enrollment is Great And we tried implementing this. As a Rule mentioned in the Documentation Initially MDM Server should send 403 response with Response Body adhering to ErrorCodePlatformSSORequired when HTTP Header for MachineInfo request contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true There are contradictory claims mentioned in Document, In Process Platform SSO Required Response it is mentioned that MDM Server should send body as JSON Object for ErrorCodePlatformSSORequired Example below >>>>> Response HTTP/1.1 403 Forbidden Content-Type: application/json Content-Length: 558 { "code": "com.apple.psso.required", "description": "MDM Server requires the user to authenticate with Identity Provider - BY MEMDM", "message": "The MDM server requires you to authenticate with your Identity Provider. Please follow the instructions provided by your organization to complete the authentication process - BY MEMDM", "details": { "Package": { "ManifestURL": "https://platform-sso-node-server.vercel.app:443/manifest" }, "ProfileURL": "https://platform-sso-node-server.vercel.app:443/profile", "AuthURL": "https://platform-sso-node-server.vercel.app:443/auth" } } But in the same Document a Sample HTTP Response was Provided but seems to be XML format as below >>>>> Response HTTP/1.1 403 Forbidden Content-Type: application/xml Content-Length: 601 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Code</key> <string>com.apple.psso.required</string> <key>Details</key> <dict> <key>ProfileURL</key> <string>https://mdmserver.example.com/psso.mobileconfig</string> <key>Package</key> <dict> <key>ManifestURL</key> <string>https://mdmserver.example.com/psso-app.plist</string> </dict> <key>AuthURL</key> <string>https://idp.example.com/authenticate</string> </dict> </dict> </plist> From Github I assume that both Response Types are welcomed hence I tried with Both Followed in JSON Mode, I redirected the HTTP request if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true to https://platform-sso-node-server.vercel.app/redirectedDEPJSON Followed in XML Mode, I redirected the HTTP request if MachineInfo contains MDM_CAN_REQUEST_PSSO_CONFIG and set to true to https://platform-sso-node-server.vercel.app/redirectedDEPXML In both Response Modes OS is not proceeding after and a error Stating Enrollment with Management Server Failed , Forbidden request (403) appears Can someone kindly guide on where I missed, or is this any OS Bug in Tahoe 26?

I'm currently implementing a managed app using the new AppConfig specification. I referred to Apple's official documentation: Specifying and decoding a configuration. Based on the example provided in the "Publish your configuration specification" section, I structured my application configuration plist like this: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>configuration</key> <dict> <key>account</key> <dict> <key>username</key> <string>test user</string> <key>password</key> <string>test 123</string> </dict> <key>domain</key> <string>test example.com</string> </dict> </dict> </plist> When I deployed this configuration via my MDM server, the server reported valid for the activation, configuration and asset (which is the plist), but the configuration did not reflect or apply within my app. My app was unable to retrieve these settings. After some troubleshooting, I found that removing the top-level <key>configuration</key> wrapper resolved the issue. The following plist structure successfully pushed the configuration to my app: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>account</key> <dict> <key>username</key> <string>test user</string> <key>password</key> <string>test 123</string> </dict> <key>domain</key> <string>test example.com</string> </dict> </plist> My question is: Is the inclusion of the <key>configuration</key> wrapper (as shown in the Apple documentation example) incorrect for the current AppConfig implementation? Or is this structure intended for a future release (e.g., iOS 26 or beyond) and the documentation implicitly refers to it, causing confusion for current implementation? Any clarification would be greatly appreciated! Thank you!

Hi everyone, I’m working as an IT engineer in the cruise industry and need to troubleshoot passenger complaints about Apple’s new RCS messaging feature (introduced with iOS 18). Could someone help confirm which domains and ports iPhones use when they send RCS messages? For the fortigate and palo alto firewalls I need specifics: domains (or subdomains) that need whitelisting and the ports involved. Any official or community-sourced info would be super helpful—thanks in advance!

Hello All, I am currently developing a mobile management system using declarative management and for the most part it is pretty great. There is one consistent issue I have run into and it comes when testing VPP app installs with not enough licenses. When my server detects that it can't provide a license ID it will return a 404, which causes the rest of the DM syncing to stop, and the activation to throw an error. Per the documentation for using simple activation: An array of strings that specify the identifiers of configurations to install. A failure to install one of the configurations doesn’t prevent other configurations from installing The above would imply that if a config fails it should not affect anything else (aside from possibly reporting an error. Am I returning the wrong error code for it to continue or is the behavior correct and the documentation is wrong? Any additional info would be useful

Hi guys, I need to configure a VPN to work only for specific apps. I already have a supervised iPhone, and I’ve successfully configured the VPN, but right now it applies to the whole phone. I need it to work just for some apps. I tried using both Apple Configurator and iMazing, but I can’t find this option there.

I work at a school in NYC and have a software idea that could better support the new NYC phone ban law than current market options (i.e. Yondr pouches). Right now at my school, students and staff scan a QR code upon entering the building to indicate that they are in the building. They scan again on the way out to indicate they've left the building. This is super helpful for attendance, particularly in emergency situations (fire drills, etc). Imagine if when students scanned their QR code, it also activated an app similar to Opal or ScreenZen, but with an admin preset whitelisted apps. The idea is that this app would default deny access to all apps on students' phones except the admin preset whitelisted ones such as Phone, Calculator, etc. Depending on the age/needs of the student, other apps like Spotify, or medical apps could also be whitelisted. My question is -- is this idea possible to create? We would need admin preset controls to create the preset whitelist. We can't have students picking their own restrictions, as we know most would opt to not restrict at all. We would need an admin dashboard so teachers/admin can see which students have activated the app in the building, and which may be trying to sneakily avoid it. We would ideally need to be able to whitelist both system apps like Phone and Calculator, as well as non-system apps such as Spotify (and medical apps -- we have some students who manage/monitor their Diabetes with an app). I don't have a background in software. I'm a math and health teacher. I've experimented with trying to have friends who majored in CS to create this app for me, but they've all either struggled/lost interest. So I'm also looking for a business partner in this venture. If anyone has any guidance here, it would be so helpful! My boss (Head of School) is super interested in this idea and significantly prefers it to every other alternative that he has encountered. The problem is this idea does not exist yet! Note: I know this is a super similar idea to the app and product "Brick". Notably, though, Brick does not have the ability for admin preset controls, or the admin dashboard. We reached out to the company to see if they're create this for us and they said it's a back burner idea that they're aware of, but it's not a priority for them right now. Thank you for any guidance!

When using the SoftwareUpdateEnforcementSpecific to target an update to iPad OS 18.7.1, will the update be triggered to be downloaded immediately after the iPad has an active Internet connectivity? Or, if the SoftwareUpdateSettingsAutomaticActionsObject download string is set to AlwaysOff, will this mean that the update enforced will not start downloading automatically, but only when the user decides? I am trying to understand how these two can be combined together or if they work independently, as while trying to enforce a specific version, we need to eliminate the possibility to download an iPad OS version using cellular data, as our devices have an eSIM installed and the cost of using that for the iOS updates will be quite high. Maybe there is a setting to only allow the iOS updates to be downloaded via Wi-Fi. Thanks!

Is there a way to check if DDM(Declarative Device Management) is enabled on a device?

Hi all, I'm implementing Intune MAM to secure applications on iOS. However, I need my users to be able to save files (e.g. attachments in an email in the Outlook app) to iOS Files. To do so, I'm trying to put Files in exception of my Intune MAM policy and I need to obtain the Files "CFBundleURLSchemes" value from the info.plist file of the Files app. I'm not able to get that information. Are any of you able to get that somehow? Thanks!

I have created a configuration profile which basically just turns off notifications for Shortcuts app but I am unable to install it on my iPhone as I am getting the following error “This profile can be installed on a supervised device only” can someone please help me with this? Would also appreciate if you have another way to turn off shortcuts notifications permanently since when I turn it off via screen time it keeps turning itself ON every couple of days.

Hello, I am currently attempting to use declarative management to install enterprise application, however I am running into errors. Initially the device was failing to unpac the initial manifest it downloaded. After pulling logs from the device it was revealed that the manifest must include the bundle-version for it to parse as valid. Adding this has allowed for the ipa to be fetched from the server however there is a secondary issue. The application is on the device but is unable to be opened due to the device being unable to validate its integreti. Any additional information would be useful. For completion the working manifest will be pasted below. It should be noted that the manifest below does work when requesting application installs through MDM commands. <***> <items type="array"> <dict> <assets type="array"> <dict> <kind type="string">software-package</kind> <url type="string">https://domain/web/mdm/ios/enterpriseipa/bundle.id</url> </dict> </assets> <key type="dict" name="metadata"> <bundle-identifier type="string">bundle.id</bundle-identifier> <kind type="string">software</kind> <subtitle type="string">app</subtitle> <title type="string">app</title> <bundle-version type="string">x.x.x</bundle-version> </key> </dict> </items> </***> </plist>

Hello Developers, We are encountering a consistent Kernel Panic issue on an iPhone device after sending a "Clear Passcode" command via our MDM solution. We're looking for insights or confirmation if others have experienced similar behavior. Device & Environment Details: Device: iPhone13,2 (iPhone 12 Pro) OS Version: iPhone OS 18.3.2 (Build 22D82) (Please note this appears to be a future/beta build identifier) Action Triggering Panic: Sending MDM ClearPasscode command. Roots Installed: 0 (Device is not jailbroken) Incident ID: 4B41C0AE-EE93-4051-BEE4-AB98438C10F0 Panic Log Summary: The kernel panic log clearly indicates the issue originates from the Secure Enclave Processor (SEP). The key panic string is: panic(cpu 3 caller 0xfffffff02357bc1c): SEP Panic: :sks /sks : 0x1000b15fc 0x0003ad60 0x0003ad44 0x100028698 0x10002cae4 0x10002a908 0x10002bc10 0x100045330 [hgggrhlvs] Panic app vers: 1827.80.10 Panic app UUID: 4C066E88-EB93-33C3-BCA7-C5F5474831CC ... Root task vers: AppleSEPOS-2772.80.2 Root task UUID: A39D6C5D-D07D-33EE-85A3-9105A8D93CE2 ... sks /sks 0x329cc/0x326e0/0x1314131413141314 ert/BOOT Use code with caution. The SEP Panic and reference to :sks /sks strongly suggest an issue within the Secure Key Store subsystem of the SEP. The panic occurred on CPU core 3. The kernel backtrace points to the com.apple.driver.AppleSEPManager kernel extension as the immediate caller in the main kernel that initiated the panic process after receiving the signal from the SEP. Analysis/Interpretation: Based on the log, it appears that the MDM ClearPasscode command, which necessarily interacts with the SEP's Secure Key Store via the AppleSEPManager driver, triggered an internal fault or bug within the SEP firmware (AppleSEPOS). This SEP-level panic subsequently caused the main iOS kernel to panic. Questions: Has anyone else encountered similar SEP panics, specifically involving the SKS subsystem, particularly after issuing MDM commands like ClearPasscode on iOS 18.x builds (especially 18.3.2 / 22D82)? Is this a known issue in this specific iOS/SEP firmware version? Are there any suggested workarounds for clearing passcodes via MDM on affected devices/OS versions, or any further diagnostic steps recommended? We appreciate any insights or shared experiences the community might have on this issue. Thank you.

Hello All, I am currently attempting to get application config working with enterprise apps but it seems as though the asset config is not applying at all. While the asset and application install correctly it does not seem that the config is read at all judging from the status message returned. "StatusItems" : { "app" : { "managed" : { "list" : [ { "name" : "apps", "config-state" : { "app-config-state" : { "state" : "unknown" } }, "identifier" : "app.identifier", "version" : "3.2", "short-version" : "3.2.0", "state" : "managed", "declaration-identifier" : "dec-identifier" } ] } } }, "Errors" : [ ] } The asset file being sent down is as follows: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Config 1</key> <string>Value 1</string> <key>Config 2</key> <string>Value 2</string> <key>Config 3</key> <string>Value 3</string> </dict> </plist> This is the config report being sent back by the device after everything has been fetched: "StatusItems" : { "management" : { "declarations" : { "activations" : [ { "active" : true, "identifier" : "group.activation.payload", "valid" : "valid", "server-token" : "56792E4AE25C3286640B45E6BD265AE97545B2B87F90A6355919FD8B2E3C3AB3" } ], "configurations" : [ { "active" : true, "identifier" : "app.install", "valid" : "valid", "server-token" : "34D7ACECAE16EE9EEAC0630FF2FF85524FFBB5BA3CB18CFB6296FBC860368C85" }, { "active" : true, "identifier" : "ios.policy.subscription.list", "valid" : "valid", "server-token" : "376913E11BE7D26EC745B3B68C6FA94C4FC061B1B736D143EBE0F12FF73ADFF8" } ], "assets" : [ { "active" : true, "identifier" : "app.config.reference", "valid" : "valid", "server-token" : "1CFBE30EB56309005F742D667B80242E6A3CDC08ED228D0BC5F87749C6BBAB77" } ], "management" : [ ] } }, "app" : { "managed" : { "list" : [ { "state" : "downloading", "declaration-identifier" : "app.install", "identifier" : "app.identifier", "name" : "apps", "config-state" : { "app-config-state" : { "state" : "unknown" } } } ] } } }, "Errors" : [ ] } Additional info would be useful, though a sysdiagnosis will be submitted to feedback as well. Config did apply correctly when sending down through Install application command