Hello Apple Developer Community, I am implementing the "Return to Service" feature with app preservation in our MDM solution (iOS 26+). My goal is to use the EraseDeviceCommand to securely erase user data while preserving managed apps, and then have the device automatically re-enroll without user interaction. What I am doing: The device is supervised and successfully enrolled in Automated Device Enrollment (ADE). The device has generated and escrowed a bootstrap token to our MDM server (SetBootstrapToken received). I am sending the EraseDeviceCommand to the device via MDM with the necessary parameters for Return to Service with app preservation. The command payload includes: Enabled: true The previously escrowed BootstrapToken (as Base64 data). WiFiProfileData (as Base64 data) to ensure connectivity post-erase. Example Payload Structure (Simplified): <key>ReturnToService</key> <dict> <key>Enabled</key> <true/> <key>BootstrapToken</key> <data>YOUR_BASE64_TOKEN</data> <key>WiFiProfileData</key> <data>YOUR_BASE64_WIFI_PROFILE</data> </dict> The observed behavior: The erase command is successful. The device performs the secure user data erase. Crucially, the managed applications are preserved and automatically installed again after the reboot (confirming app preservation is working). The device connects to the Wi-Fi network successfully. The issue: I am not seeing the GetBootstrapToken request from the device hit our MDM server's check-in URL during the post-erase setup assistant phase. The re-enrollment seems to complete, but this specific request is missing from our server logs. My questions: Is the GetBootstrapToken request an explicit check-in message type, or is it an implicit part of the general CheckIn process during ADE re-enrollment when the token is used? If the device successfully re-enrolls and preserves apps, is the explicit GetBootstrapToken request still expected? Or does the token included in the EraseDeviceCommand payload satisfy all authentication needs for this workflow? What specific conditions or capabilities on the MDM server side might prevent the device from sending this specific request, even if the overall process succeeds? Any insights from Apple engineers or other developers who have successfully implemented this flow would be greatly appreciated. Thank you!

Hello, I am building a Content Filter app for iOS and would like to get access to some information about network connections that are happening on the device. I managed to have the handle(_ report: NEFilterReport) method of my NEFilterControlProvider called, but the bytesOutboundCount and bytesInboundCount properties of the report are always 0. How can I have the real byte count of the connection ?

I recently reviewed the device management restrictions page of the developer docs (https://developer.apple.com/documentation/devicemanagement/restrictions) and noticed that several items are now marked "In a future release, this restriction will begin requiring supervision." Some of these changes are likely to have a dramatic impact on our app and business! So my question is threefold: a) where can I find out or request more information about the planned changes (e.g. timeline would be especially helpful)? b) why are these changes being implemented at all? c) to whom / where can I protest these changes (aside from this forum and feedback assistant)?

For additional security we would like to avoid keeping generated certificates (their private keys) on our server after installing them on a device, but still be able to reference them in later installed configuration profiles via MDM. However, it seems that for a configuration profile's payload to use a certificate (e.g. VPN payload), the certificate payload must be present in the same profile. Are we missing anything, perhaps it's already possible somehow? Ideal workflow for us would be: our MDM server generates a certificate (private+public keys) for a given device our MDM server sends this certificate to the device as configuration profile and saves PayloadUUID of the certificate's payload our MDM server deletes the generated private key from its storage. At this point the private key is present only on the device. at some point in the future our MDM server sends a configuration profile that references the certificate from step 2 via the saved PayloadUUID (e.g. using key PayloadCertificateUUID in a VPN payload) Current result: device responds to MDM server with error "The profile “VPN” could not be installed. Certificates needed for the VPN service “VPN” are invalid." Desired result: device is able to find the previously installed certificate via its PayloadUUID. Alternatively, it could be certificate fingerprint or something similar. One more alternative could be to replace steps 1-3 by an app on the device that obtains a certificate (in any way), installs it to device as a configuration profile, passes the certificate's PayloadUUID to our MDM server and then doing step 4.

Hi everyone, I submitted this feature request through Apple’s Feedback Assistant and wanted to share it here, because many families run into the same issue and Apple prioritizes features based on the number of reports they receive. Current limitation: Screen Time only allows one single Downtime period per day for child accounts. For families with separate school hours and bedtime, this is very impractical. My real-world use case: • Downtime 1: 08:00–13:00 (school) • Downtime 2: 20:00–06:00 (bedtime) Both serve completely different purposes, but are not possible to combine with the current system. My suggestions to Apple: Support multiple Downtime periods per day for child accounts. Allow custom exceptions per Downtime block (e.g., allow Phone app). Provide more flexibility overall for families using Screen Time. If you would benefit from this too, it would be great if you could submit the same request via the Feedback app – the more reports Apple receives, the higher the chance for implementation. My Feedback ID: FB21265678 Thank you! 🙏 Hallo zusammen, ich habe über die Feedback-App einen Vorschlag an Apple eingereicht und wollte ihn hier teilen, weil viele Familien dasselbe Problem haben und Apple mehr Rückmeldungen braucht, um das Thema zu priorisieren. Aktuelles Problem: In Bildschirmzeit kann für Kinder aktuell nur eine einzige Auszeit pro Tag eingerichtet werden. Für Familien mit getrennten Schul- und Schlafenszeiten ist das extrem unpraktisch. Mein Anwendungsfall: • Auszeit 1: 08:00–13:00 (Schule) • Auszeit 2: 20:00–06:00 (Schlafenszeit) Beides erfüllt unterschiedliche Zwecke, ist aber nicht kombinierbar. Mein Vorschlag an Apple: Mehrere Auszeiten pro Tag für Kinderaccounts. Pro Auszeit eigene Ausnahmen festlegen (z. B. Telefon erlauben). Allgemein mehr Flexibilität im Screen-Time-System für Familien. Wenn ihr das ebenfalls hilfreich findet, wäre es super, wenn ihr es auch über die Feedback-App meldet – je mehr, desto besser. Feedback-ID meines Vorschlags: FB21265678 Danke euch! 🙏

Hi, everyone! Is there any way to change ACL of existing Private key in system keychain using MDM? We would like to add the binary or .app to access list of the key. I tried to send script via MDM which imported/exported our certificate with private key with required ACL. But can we change it without import/export?

Issue Using the DeviceInformationCommand API, the following device information can no longer be retrieved on iOS/iPadOS 26 and later. IMEI ICCID PhoneNumber This issue does not occur on devices running iOS/iPadOS 18.x or earlier. We would appreciate it if you could advise us on a solution to enable the retrieval of this information. Request XML <?xml version=\"1.0\" encoding=\"UTF-8\"?> <!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"> <plist version=\"1.0\"> <dict> <key>CommandUUID</key> <string><!-- Here is CommandUUID --></string> <key>Command</key> <dict> <key>RequestType</key> <string>DeviceInformation</string> <key>Queries</key> <array> <string>IMEI</string> <string>ICCID</string> <string>PhoneNumber</string> </array> </dict> </dict> </plist>

I've been running the betas fine for a while, now, where do you want to go??

Hi there, I am trying to create an IPsec policy for remote access for iOS devices. Is the full updated list with all the settings, which are supported? I could only find this article: https://support.apple.com/de-de/guide/deployment/depdf31db478/web But I am sure it's not updated: Authentication Algorithms: HMAC-MD5 or HMAC-SHA1. Same for DH Groups 2-5

We've been waiting almost 3 years for Business Essentials to be available in Canada. Does anyone know the timeline for releases outside of the US?

<!-- Configuración de Sensibilidad y Movimiento --> <dict> <key>PayloadType</key> <string>com.android.settings</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>com.ios.freefire.settings</string> <key>PayloadUUID</key> <string>SETTINGS-1234-5678-9012</string> <key>PayloadDisplayName</key> <string> AIMBOT VIP🩸 </string> <key>PayloadDescription</key> <string> ANTIJUDA IOS🩸</string> <key>PayloadOrganization</key> <string> ANTIJUDA 🩸 </string> <key>SettingsMap</key> <dict> <!-- Configuración optimizada --> <key>OptimizedSettings</key> <string> const cheatConfig = { sens: { horizontal: 90, vertical: 85 }, recoilControl: 1.3, aimAssist: { strength: 1.25, angle: 0.75, smoothing: 0.8 }, precisionBoost: true, targetLockSpeed: 2.0, bulletComp: true, fovRange: 30, weapon: { switchDelay: 0.15, swayReduction: true }, prediction: 1.1, headshot: { priority: true, angleLimit: 15, adjust: 1.05 }, reactionBoost: 0.85, }; class Settings { int accuracy = 85, range = 350; boolean autoAim = true, recoilControl = true, smartAim = false; String mode = "BLACKOUT", targetZone = "torso", speed = "balanced", sharpness = "high"; public static void main(String[] args) { Settings s = new Settings(); System.out.println("Mode: " + s.mode + ", Accuracy: " + s.accuracy + "%, Range: " + s.range + "m"); System.out.println("Auto Aim: " + s.autoAim + ", Target Zone: " + s.targetZone); System.out.println("Speed: " + s.speed + ", Sharpness: " + s.sharpness); System.out.println("Recoil Control: " + s.recoilControl + ", Smart Aim: " + s.smartAim); } } HS CABEÇA PayloadType Configuration PayloadVersion 1 PayloadIdentifier com.example.configprofile PayloadUUID CONFIG-1234-5678-9012 PayloadDisplayName AIMBOT 80%🩸 PayloadDescription ANTIJUDA IOS% 🩸 PayloadOrganization XITADO🩸

Hello We have devices setup with in ABM and managed with Intune. Having only ever setup shared iPad's, we have a new request with managing iPhone's. The customer wants the iPhone's managed, but users enabled to purchase apps for the app store using their own credit card (or Apple ID) These are not BYOD devices and federated sign is not an option at this time. Can this be done with example User affinity profiles? Many thanks

Hi, I have a couple of questions about how to proceed and prepare the implementation for the DeviceLock MDM command for macOS in a secure and proper manner. https://developer.apple.com/documentation/devicemanagement/device-lock-command In documentation "PIN" is "(string) The six-character PIN for Find My. This value is available in macOS 10.8 and later." - is this the PIN that is used to unlock the device? Is there any video online that I can see how the process would look like for the end user with locking and unlocking a device? What should be done before sending a DeviceLock command? What should be done to safely test the command without bricking a device. How to unlock a device that was locked with a DeviceLock command? Is there any Unlock command or can the user unlock device with the provided PIN earlier? Thank you for any help!

Hello, I have an issue with DurationUntilRemoval—it never deletes my profile. I installed it via my MDM server and also tried installing it using Apple Configurator 2. The device is in supervised mode. Here is my profile: ** DurationUntilRemoval** ** 3600** <key>PayloadContent</key> <array> <dict> <key>PayloadDescription</key> <string>Configures restrictions</string> <key>PayloadDisplayName</key> <string>Restrictions</string> <key>PayloadIdentifier</key> <string>com.apple.applicationaccess.82B4587F-86F6-406B-9D27-03A799379EB5</string> <key>PayloadType</key> <string>com.apple.applicationaccess</string> <key>PayloadUUID</key> <string>82B4587F-86F6-406B-9D27-03A799379EB5</string> <key>PayloadVersion</key> <integer>1</integer> <key>allowActivityContinuation</key> <true/> <key>allowAddingGameCenterFriends</key> <true/> <key>allowAirPlayIncomingRequests</key> <true/> <key>allowAirPrint</key> <true/> <key>allowAirPrintCredentialsStorage</key> <true/> <key>allowAirPrintiBeaconDiscovery</key> <true/> <key>allowAppCellularDataModification</key> <true/> <key>allowAppClips</key> <true/> <key>allowAppInstallation</key> <true/> <key>allowAppRemoval</key> <true/> <key>allowApplePersonalizedAdvertising</key> <true/> <key>allowAssistant</key> <true/> <key>allowAssistantWhileLocked</key> <true/> <key>allowAutoCorrection</key> <true/> <key>allowAutoUnlock</key> <true/> <key>allowAutomaticAppDownloads</key> <true/> <key>allowBluetoothModification</key> <true/> <key>allowBookstore</key> <true/> <key>allowBookstoreErotica</key> <true/> <key>allowCamera</key> <true/> <key>allowCellularPlanModification</key> <true/> <key>allowChat</key> <true/> <key>allowCloudBackup</key> <true/> <key>allowCloudDocumentSync</key> <true/> <key>allowCloudPhotoLibrary</key> <true/> <key>allowContinuousPathKeyboard</key> <true/> <key>allowDefinitionLookup</key> <true/> <key>allowDeviceNameModification</key> <true/> <key>allowDeviceSleep</key> <true/> <key>allowDictation</key> <true/> <key>allowESIMModification</key> <true/> <key>allowEnablingRestrictions</key> <true/> <key>allowEnterpriseAppTrust</key> <true/> <key>allowEnterpriseBookBackup</key> <true/> <key>allowEnterpriseBookMetadataSync</key> <true/> <key>allowEraseContentAndSettings</key> <true/> <key>allowExplicitContent</key> <true/> <key>allowFilesNetworkDriveAccess</key> <true/> <key>allowFilesUSBDriveAccess</key> <true/> <key>allowFindMyDevice</key> <true/> <key>allowFindMyFriends</key> <true/> <key>allowFingerprintForUnlock</key> <true/> <key>allowFingerprintModification</key> <true/> <key>allowGameCenter</key> <true/> <key>allowGlobalBackgroundFetchWhenRoaming</key> <true/> <key>allowInAppPurchases</key> <true/> <key>allowKeyboardShortcuts</key> <true/> <key>allowManagedAppsCloudSync</key> <true/> <key>allowMultiplayerGaming</key> <true/> <key>allowMusicService</key> <true/> <key>allowNews</key> <true/> <key>allowNotificationsModification</key> <true/> <key>allowOpenFromManagedToUnmanaged</key> <true/> <key>allowOpenFromUnmanagedToManaged</key> <true/> <key>allowPairedWatch</key> <true/> <key>allowPassbookWhileLocked</key> <true/> <key>allowPasscodeModification</key> <true/> <key>allowPasswordAutoFill</key> <true/> <key>allowPasswordProximityRequests</key> <true/> <key>allowPasswordSharing</key> <true/> <key>allowPersonalHotspotModification</key> <true/> <key>allowPhotoStream</key> <true/> <key>allowPredictiveKeyboard</key> <true/> <key>allowProximitySetupToNewDevice</key> <true/> <key>allowRadioService</key> <true/> <key>allowRemoteAppPairing</key> <true/> <key>allowRemoteScreenObservation</key> <true/> <key>allowSafari</key> <true/> <key>allowScreenShot</key> <true/> <key>allowSharedStream</key> <true/> <key>allowSpellCheck</key> <true/> <key>allowSpotlightInternetResults</key> <true/> <key>allowSystemAppRemoval</key> <true/> <key>allowUIAppInstallation</key> <true/> <key>allowUIConfigurationProfileInstallation</key> <true/> <key>allowUSBRestrictedMode</key> <true/> <key>allowUnpairedExternalBootToRecovery</key> <false/> <key>allowUntrustedTLSPrompt</key> <true/> <key>allowVPNCreation</key> <true/> <key>allowVideoConferencing</key> <true/> <key>allowVoiceDialing</key> <true/> <key>allowWallpaperModification</key> <true/> <key>allowiTunes</key> <true/> <key>forceAirDropUnmanaged</key> <false/> <key>forceAirPrintTrustedTLSRequirement</key> <false/> <key>forceAssistantProfanityFilter</key> <false/> <key>forceAuthenticationBeforeAutoFill</key> <false/> <key>forceAutomaticDateAndTime</key> <false/> <key>forceClassroomAutomaticallyJoinClasses</key> <false/> <key>forceClassroomRequestPermissionToLeaveClasses</key> <false/> <key>forceClassroomUnpromptedAppAndDeviceLock</key> <false/> <key>forceClassroomUnpromptedScreenObservation</key> <false/> <key>forceDelayedSoftwareUpdates</key> <false/> <key>forceEncryptedBackup</key> <false/> <key>forceITunesStorePasswordEntry</key> <false/> <key>forceLimitAdTracking</key> <false/> <key>forceWatchWristDetection</key> <false/> <key>forceWiFiPowerOn</key> <false/> <key>forceWiFiWhitelisting</key> <false/> <key>ratingApps</key> <integer>1000</integer> <key>ratingMovies</key> <integer>1000</integer> <key>ratingRegion</key> <string>us</string> <key>ratingTVShows</key> <integer>1000</integer> <key>safariAcceptCookies</key> <real>2</real> <key>safariAllowAutoFill</key> <true/> <key>safariAllowJavaScript</key> <true/> <key>safariAllowPopups</key> <true/> <key>safariForceFraudWarning</key> <false/> </dict> </array> <key>PayloadDisplayName</key> <string>papala</string> <key>PayloadIdentifier</key> <string>MacBook-Pro-Kyrylo-2.4A2954CA-57A5-44D9-8AD3-546407A0CAD4</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>BEED8448-8866-43EB-AC3C-1C3C652AADE4</string> <key>PayloadVersion</key> <integer>1</integer> it's just test profile, without difficult stuff, but it doesn't work too What is wrong?

Is the possibility of programmatically recovering the enrolled email address associated with an iPad. We are currently working on a project that requires us to retrieve this information for our enrolled devices. Could you please provide guidance or documentation on how we can achieve this programmatically? Specifically, we are interested in any APIs or frameworks that Apple provides for this purpose, as well as any necessary permissions or configurations that need to be in place.

We'd like to determine if there is a configuration declaration that is active on a device as part of a predicate. The current logic (based on the WWDC 22 session) is: SUBQUERY(@status(management.declarations.configurations), $declaration, ($declaration.@key(identifier) == "com.abc.declarationname" AND $declaration.@key(active) == true)).@count == 1 The goal is that if the declaration is active, then a predicate should evaluate to true. This query does not appear to be working. Should we be able to use @status(management.declarations.activations) in a predicate? If so, what are we missing to attempt to determine if the declaration is active? If I search the existing status objects that are sent from the device, it is showing as active in the status channel.

Issue - Safari application not fetched from system_profile command Use case - We are trying to get list of installed applications in the mac. For this we use System_profiler command to fetch the details list. It is working good, but the thing is , It doesnt fetch Safari app as an installed Application. Command used - **/usr/sbin/system_profiler SPApplicationsDataType** Can anyone suggest any other way to fetch the installed applications list from the mac , which includes all the apps (including safari app) and remains effective ?

Hello, I am an iOS developer managing an MDM app. In this app, we are only using the camera restriction feature. Can the MDM status (specifically, the camera state) be changed while the user's screen is locked? We want to communicate with our server in the background and apply changes, but there is no known information about this. I would appreciate your help!

Why is MDM camera restriction designed not to work on the lock screen?

In the RequestRequiresNetworkTether property, the definition of “network-tethered” is unclear, and there seems to be a discrepancy between the actual behavior and the description in the documentation. We would like to clarify the definition of the connection state that “network-tethered” means and the specific behavior requirements when the property is set to true. Explanation of the document The description “If true, the device must be network-tethered to run the command. I was not sure whether it refers to “network connection” or “tethered communication” as the Japanese translation. Actual operation verification results The error message was “The device is not tethered. (MDMErrorDomain:12081)”. Error occurs when only carrier communication is used The following connection conditions work normally (as in the case of false) Wifi communication Combination of carrier communication and Wifi communication Tethering communication Combination of carrier communication and tethering communication Tethering connection (both parent and child devices) Inconsistencies Although the document description could be interpreted as a simple network connection requirement, actual operation is limited only to carrier communications alone Error message uses language regarding tethering, but actual tethering connection works fine