Hello Apple Developer Community, I am implementing the "Return to Service" feature with app preservation in our MDM solution (iOS 26+). My goal is to use the EraseDeviceCommand to securely erase user data while preserving managed apps, and then have the device automatically re-enroll without user interaction. What I am doing: The device is supervised and successfully enrolled in Automated Device Enrollment (ADE). The device has generated and escrowed a bootstrap token to our MDM server (SetBootstrapToken received). I am sending the EraseDeviceCommand to the device via MDM with the necessary parameters for Return to Service with app preservation. The command payload includes: Enabled: true The previously escrowed BootstrapToken (as Base64 data). WiFiProfileData (as Base64 data) to ensure connectivity post-erase. Example Payload Structure (Simplified): <key>ReturnToService</key> <dict> <key>Enabled</key> <true/> <key>BootstrapToken</key> <data>YOUR_BASE64_TOKEN</data> <key>WiFiProfileData</key> <data>YOUR_BASE64_WIFI_PROFILE</data> </dict> The observed behavior: The erase command is successful. The device performs the secure user data erase. Crucially, the managed applications are preserved and automatically installed again after the reboot (confirming app preservation is working). The device connects to the Wi-Fi network successfully. The issue: I am not seeing the GetBootstrapToken request from the device hit our MDM server's check-in URL during the post-erase setup assistant phase. The re-enrollment seems to complete, but this specific request is missing from our server logs. My questions: Is the GetBootstrapToken request an explicit check-in message type, or is it an implicit part of the general CheckIn process during ADE re-enrollment when the token is used? If the device successfully re-enrolls and preserves apps, is the explicit GetBootstrapToken request still expected? Or does the token included in the EraseDeviceCommand payload satisfy all authentication needs for this workflow? What specific conditions or capabilities on the MDM server side might prevent the device from sending this specific request, even if the overall process succeeds? Any insights from Apple engineers or other developers who have successfully implemented this flow would be greatly appreciated. Thank you!

I recently reviewed the device management restrictions page of the developer docs (https://developer.apple.com/documentation/devicemanagement/restrictions) and noticed that several items are now marked "In a future release, this restriction will begin requiring supervision." Some of these changes are likely to have a dramatic impact on our app and business! So my question is threefold: a) where can I find out or request more information about the planned changes (e.g. timeline would be especially helpful)? b) why are these changes being implemented at all? c) to whom / where can I protest these changes (aside from this forum and feedback assistant)?

For additional security we would like to avoid keeping generated certificates (their private keys) on our server after installing them on a device, but still be able to reference them in later installed configuration profiles via MDM. However, it seems that for a configuration profile's payload to use a certificate (e.g. VPN payload), the certificate payload must be present in the same profile. Are we missing anything, perhaps it's already possible somehow? Ideal workflow for us would be: our MDM server generates a certificate (private+public keys) for a given device our MDM server sends this certificate to the device as configuration profile and saves PayloadUUID of the certificate's payload our MDM server deletes the generated private key from its storage. At this point the private key is present only on the device. at some point in the future our MDM server sends a configuration profile that references the certificate from step 2 via the saved PayloadUUID (e.g. using key PayloadCertificateUUID in a VPN payload) Current result: device responds to MDM server with error "The profile “VPN” could not be installed. Certificates needed for the VPN service “VPN” are invalid." Desired result: device is able to find the previously installed certificate via its PayloadUUID. Alternatively, it could be certificate fingerprint or something similar. One more alternative could be to replace steps 1-3 by an app on the device that obtains a certificate (in any way), installs it to device as a configuration profile, passes the certificate's PayloadUUID to our MDM server and then doing step 4.

Hi everyone, I submitted this feature request through Apple’s Feedback Assistant and wanted to share it here, because many families run into the same issue and Apple prioritizes features based on the number of reports they receive. Current limitation: Screen Time only allows one single Downtime period per day for child accounts. For families with separate school hours and bedtime, this is very impractical. My real-world use case: • Downtime 1: 08:00–13:00 (school) • Downtime 2: 20:00–06:00 (bedtime) Both serve completely different purposes, but are not possible to combine with the current system. My suggestions to Apple: Support multiple Downtime periods per day for child accounts. Allow custom exceptions per Downtime block (e.g., allow Phone app). Provide more flexibility overall for families using Screen Time. If you would benefit from this too, it would be great if you could submit the same request via the Feedback app – the more reports Apple receives, the higher the chance for implementation. My Feedback ID: FB21265678 Thank you! 🙏 Hallo zusammen, ich habe über die Feedback-App einen Vorschlag an Apple eingereicht und wollte ihn hier teilen, weil viele Familien dasselbe Problem haben und Apple mehr Rückmeldungen braucht, um das Thema zu priorisieren. Aktuelles Problem: In Bildschirmzeit kann für Kinder aktuell nur eine einzige Auszeit pro Tag eingerichtet werden. Für Familien mit getrennten Schul- und Schlafenszeiten ist das extrem unpraktisch. Mein Anwendungsfall: • Auszeit 1: 08:00–13:00 (Schule) • Auszeit 2: 20:00–06:00 (Schlafenszeit) Beides erfüllt unterschiedliche Zwecke, ist aber nicht kombinierbar. Mein Vorschlag an Apple: Mehrere Auszeiten pro Tag für Kinderaccounts. Pro Auszeit eigene Ausnahmen festlegen (z. B. Telefon erlauben). Allgemein mehr Flexibilität im Screen-Time-System für Familien. Wenn ihr das ebenfalls hilfreich findet, wäre es super, wenn ihr es auch über die Feedback-App meldet – je mehr, desto besser. Feedback-ID meines Vorschlags: FB21265678 Danke euch! 🙏

Hi, everyone! Is there any way to change ACL of existing Private key in system keychain using MDM? We would like to add the binary or .app to access list of the key. I tried to send script via MDM which imported/exported our certificate with private key with required ACL. But can we change it without import/export?

Issue Using the DeviceInformationCommand API, the following device information can no longer be retrieved on iOS/iPadOS 26 and later. IMEI ICCID PhoneNumber This issue does not occur on devices running iOS/iPadOS 18.x or earlier. We would appreciate it if you could advise us on a solution to enable the retrieval of this information. Request XML <?xml version=\"1.0\" encoding=\"UTF-8\"?> <!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"> <plist version=\"1.0\"> <dict> <key>CommandUUID</key> <string><!-- Here is CommandUUID --></string> <key>Command</key> <dict> <key>RequestType</key> <string>DeviceInformation</string> <key>Queries</key> <array> <string>IMEI</string> <string>ICCID</string> <string>PhoneNumber</string> </array> </dict> </dict> </plist>

We are having issues working with bypass codes the server creates when initiating Activation Lock through MDM. We are able to use the device-generated bypass codes without issue. When using the end point to request activation lock as specified in https://developer.apple.com/documentation/devicemanagement/creating-and-using-bypass-codes/ we get a 200 response. But when using the endpoint to bypass the activation lock, we get a 404 response. If we try to manually input the activation lock bypass code, it also does not work. Both of these methods work with the device-generated bypass codes. Just to clarify when testing the server generated codes, we ensured that we did not test the device-generated codes. All of this was tested on iOS devices. Created feedback ticket FB21365819 with device specific details.

Hello All, I come to ask a question that I haven't been able to find the docs. I continue to work on implementing declarative management and while working there is a question/concern I have. I have noticed that during some destructive testing, if the device is attempting to fetch a configuration and the server responds with a 503 (or any server related error) then the device will wipe all configurations and attempt to reapply them. Is there any way to prevent this by intercepting status codes or would the only real solution be to force down a temp/test config if the real config can't be fetched from the server?

We are upgrading macOS (minor versions and potentially major versions) using a scripted approach: Install the InstallAssistant package via installer Trigger OS install via startosinstall On MDM-managed assets, OS update policies appear to prohibit or interfere with the update flow. The update often fails with startosinstall reporting “Helper tool crashed…” during the “Preparing” phase. Steps to Reproduce On an MDM-enrolled Mac with OS update restriction/deferral policies applied, run: sudo /usr/sbin/installer -pkg /Path/To/InstallAssistant.pkg -target / && echo 'MACOS_PASSWORD' | /Applications/Install\ macOS\ Sonoma.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --stdinpass --user MACOS_USER Actual Result Package installation reports success, but startosinstall fails during preparation with: Standard Output installer: Package name is macOS15.7_SoftwareUpdate installer: Upgrading at base path / installer: The upgrade was successful. By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms. If you do not agree, press CTRL-C and cancel this process immediately. Preparing to run macOS Installer... Preparing: 0.0% Preparing: 0.1% ... Preparing: 24.9% Standard Error Helper tool crashed... notes.log Install.log is also attached. Questions for Apple / Ask: We suspect this crash is caused by MDM OS update restrictions/policies. We need Apple’s recommended method to perform macOS updates (minor + major) when MDM is present, especially in environments where update deferrals/restrictions may be configured.

Background / Objective We are currently developing a solution to centrally manage Apple OS updates (major and minor) across managed macOS devices. Before implementing at scale, we need Apple’s guidance on supported and future-proof update mechanisms under MDM. Questions / Ask (Apple Guidance Requested) Apple recommended method What is Apple’s recommended approach to perform: Minor updates (e.g., macOS X.Y → X.Z) Major upgrades (e.g., Ventura → Sonoma) in an enterprise fleet? Support boundary Is macOS update management only supported via MDM (including any newer declarative workflows), or are local mechanisms (installer + command-line tooling) also considered supported for enterprise automation? Use of startosinstall Can we leverage the existing utility: /Applications/Install macOS .app/Contents/Resources/startosinstall for automated upgrades in enterprise environments? If yes, are there recommended flags/workflows Apple endorses for unattended or minimally interactive upgrades? Long-term support / stability Does startosinstall have any form of long-term support / stability guarantees across future macOS releases? Are there any known deprecations planned (or guidance that customers should transition to MDM/DDM workflows)? MDM interaction / interference When using startosinstall, can MDM policies (software update deferrals/restrictions, update enforcement, etc.) interfere with or block the upgrade? If interference is expected, what is the correct supported way to coordinate: MDM software update settings local startosinstall execution to avoid failures and ensure compliance? What We Need From Apple (Desired Outcome) A clear statement of recommended and supported update workflow(s) for enterprise managed macOS: for minor updates for major upgrades Guidance on whether startosinstall is acceptable for long-term automation, or whether we should only use MDM/DDM-driven workflows. Any best practices or reference documentation Apple recommends for implementing this safely and reliably.

Hello, I’ve run into an issue with a configuration profile on my supervised iPhone. I’m wondering if anyone here might be able to help? The profile contains the allowListedAppBundleIDs key within the restrictions payload. My Apple Watch is paired with the iPhone. The iPhone was supervised manually with Apple Configurator, hence the Apple Watch has not been directly supervised itself. The profile works completely as expected when installed on the phone. As soon as the profile is installed on the iPhone, I can witness the apps on the Apple Watch rearrange themselves as some apps are hidden. So clearly the profile is applying its restrictions to the Apple Watch to some degree. My issue however is that apps listed in the whitelist are hidden from the Watch. The apps that are missing from my Watch are Walkie Talkie, Find My Items, Find My Friends, Messages, Alarm, Remote, Now Playing, Sleep, Meditation and Heart Rate. This is despite the following bundle IDs being listed in the whitelist array: com.apple.findmy.findpeople, com.apple.findmy.finddevices, com.apple.HeartRate, com.apple.SessionTrackerApp, com.apple.NanoWorldClock, com.apple.findmy.finditems, com.apple.Mind, com.apple.NanoOxygenSaturation, com.apple.watchmemojieditor com.apple.NanoSleep com.apple.NanoNowPlaying com.apple.noise com.apple.tincan com.apple.NanoRemote com.apple.NanoAlarm com.apple.private.NanoTimer com.apple.NanoStopwatch I’ve done some testing, but not sure what I’ve found really. I’ve so far identified 3 scenarios. Scenario 1: I have the whitelist profile installed on the iPhone. I download an app that appears in the whitelist from my watch (or at least its iPhone version does). The apps show up on the iPhone automatically and can be launched there. These apps cannot be launched on the watch. Scenario 2: I downloaded a few apps to my watch, that didn’t automatically install on my iPhone at the same time. They were on the whitelist. These ones couldn’t be launched from my Watch. I then downloaded them to the iPhone and they could be launched there (since they were on the whitelist). Scenario 3: A couple of 3rd party apps on the whitelist could be downloaded and launched from the watch with the whitelist installed. It seems as though there are different kinds of Apple Watch app and this is what I’ve read elsewhere. First of all there are Watch-only apps, which do not automatically install a companion iPhone app. Secondly there are companion apps, which when installed from the Watch App Store download their companion app to the iPhone in the background. Someone please correct me - I’m bound to be overlooking something here. So maybe the apps that when installed from Watch automatically install on iPhone and can only be launched from the iPhone have a separate bundle ID for their Watch app which I haven’t included? Apps that are on the whitelist AND do not automatically install an iPhone app AND can be launched from the Watch, include: solstice What3words So maybe these do not need a companion app, but have the same Bundle ID as their iPhone app? However, I’m still not sure why many stock Apple Watch apps are missing from the Watch…. The most obvious answer is that I’ve got their Bundle IDs wrong, but I don’t think I have given I extracted the bundle IDs from the App Store pages of the Apple WatchOS apps. I noticed at this Apple Support page (https://support.apple.com/en-gb/guide/deployment/dep34c5cd30f/1/web/1.0) that there is no mention of whitelisting or blacklisting apps on WatchOS using MDM, yet something definitely happens on the watch when the configuration profile is installed on the iPhone. Furthermore, if I tap on a configuration profile, which comprises a blacklist, on my iPhone it will ask me if I want to install it on the iPhone or Watch. The same pop-up question doesn’t happen when the profile contains a whitelist. All this to say, I’m massively confused as to why I can’t get this working. I’d really appreciate anyone’s advice which is bound to be expert. Thank you

Hi, Is there a method to hide individual items in System Settings that is not Deprecated? It needs some of the settings set and hidden for the end user. I found the DisabledSystemSettings key however it is marked as Deprecated and does not include all the new items, especially those related to Apple Intelligence. Is there any method other than “Restrictions” that does not hide and only set individual settings ? It needs to hide items in system settings :)

Hello, we use an MDM profile that enables FDA for our program. The Identifier is set to be the path to our program. We'd like to have a profile that allows multiple CodeSignatures. Our older programs are signed with a different certificate than the current ones. We tried deploying 2 profiles (one for the 'old certificate' signed binary and the other for the 'new certificate' signed binary). But it looks like that MacOS accepts only one. I have also tried to use ProfileCreator to generate a profile with 2 entries, but it fails to do it. Manually editing the XML file and adding new entries does not work either. I'd like to know if there's a workaround for this issue.

This test setup is Jamf Pro as the MDM with Entra as the IdP. PSSO is working on Sequoia devices. Prior to Tahoe, PSSO required the following three items: An existing local account, the delivery of Company Portal, and a profile containing PSSO payload. Based on the Tahoe announcement, it looks like PSSO is now available during Setup Assistant, removing the requirement of first creating a local account. I assume this means that the requirements now as easy as deploying Company Portal and the PSSO profile during the Pre-Stage policy. I attempted this on the macOS 26 beta 1 and during Setup Assistant, with the PSSO profile delivered, Setup Assistant prompts me to login to my IdP. However, pressing Continue will result in a failure, notifying me that the application required is not available. The continue button is now inactive but a "try again" button is available. This results in the loop of trying and then failing, stating that the required application is not available. I eventually must quit Setup Assistant which exits it and drops me at the login window. The only account that is visible is the management account. A trip into DFU and an IPSW restore then follows. Am I trying this too soon? Is PSSO at Setup Assistant not yet fully supported? Is there another requirement other than delivering Company App in the prestige alongside the profile? I've enabled the beta channel in MAU but there is no newer Company Portal being offered. Any guidance here would be appreciated as this is the PSSO announcement I've been waiting for since the deprecation of Apple Enterprise Connect.

Hello all, We have built our own MDM solution as we plan to support quite a few devices running iOS. Manual activation is running fine and devices are checking in. We have setup ABM with Device management service setup and linked to our MDM. We have added reseller via Apple customer number and purchased devices are showing in ABM. We have setup default management service assignment as well. When we are setting up a device it gives an error: Remote Management The configuration for your iPhone could not be downloaded from . cancelled Error in the device log is as follows: Jun 11 14:16:36 iPhone Setup(DMCUtilities)[626] : <DMCHTTPRequestor: 0x84cfd7d40> cannot accept the authentication method NSURLAuthenticationMethodClientCertificate Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Task <663D2346-4B73-4DB2-A134-B1A7DC58E70B>.<1> auth completion disp=2 cred=0x0 Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Task <663D2346-4B73-4DB2-A134-B1A7DC58E70B>.<1> summary for task failure {transaction_duration_ms=285, response_status=-1, connection=7, reused=1, reused_after_ms=0, request_start_ms=0, request_duration_ms=0, response_start_ms=0, response_duration_ms=0, request_bytes=0, request_throughput_kbps=0, response_bytes=0, response_throughput_kbps=0, cache_hit=false} Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Connection 7: TLS Client Certificates encountered error 1:89 Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Task <663D2346-4B73-4DB2-A134-B1A7DC58E70B>.<1> finished with error [-999] Error Domain=NSURLErrorDomain Code=-999 UserInfo={NSErrorFailingURLStringKey=, NSErrorFailingURLKey=, _NSURLErrorRelatedURLSessionTaskErrorKey=, _NSURLErrorFailingURLSessionTaskErrorKey=, NSLocalizedDescription=} Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Connection 7: encountered error(1:89) Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Connection 7: cleaning up Jun 11 14:16:36 iPhone Setup(CFNetwork)[626] : Connection 7: summary for unused connection {protocol="http/1.1", domain_lookup_duration_ms=0, connect_duration_ms=0, secure_connection_duration_ms=0, private_relay=false, idle_duration_ms=0} Jun 11 14:16:36 iPhone Setup(DMCUtilities)[626] : <DMCHTTPRequestor: 0x84cfd7d40> failed to communicate with the MDM server. Error: NSURLError:Desc : cancelled Domain : NSURLErrorDomain Code : -999 Extra info: { NSErrorFailingURLKey = "https://mdm.domainname/enroll"; NSErrorFailingURLStringKey = "https://mdm.domainname/enroll"; "_NSURLErrorFailingURLSessionTaskErrorKey" = "LocalDataTask <663D2346-4B73-4DB2-A134-B1A7DC58E70B>.<1>"; "_NSURLErrorRelatedURLSessionTaskErrorKey" = ( "LocalDataTask <663D2346-4B73-4DB2-A134-B1A7DC58E70B>.<1>" ); }

On iOS 26, if in "Single App Mode", the device gets stuck on the lock screen. Devices are configured in SAM (kiosk mode), without a PIN requirement. Since updating to iPadOS 26, every single device that locks (goes to sleep) becomes completely unresponsive at the lock screen. Touch input does not work. The only way to regain access is to reboot the device, which will boot to the SAM app, but then lock again if it goes to sleep. Related discussion in the public forums.

After applying the MDM camera restriction on iOS 26.1 beta 2, the camera availability status is reported incorrectly. After applying the MDM camera restriction [UIImagePickerController isSourceTypeAvailable:UIImagePickerControllerSourceTypeCamera] return YES

Hello everyone, I am looking for technical clarification regarding potential rate limits when automating frequent iOS device resets. In my workflow, I need to reset test devices multiple times per day using the EraseDevice MDM command, often combined with the ReturnToService flag for automated setup. I understand that after a full reset, the device undertakes several critical steps to become operational again, including device activation, system app installation, MDM re-enrollment, and subsequent validation of developer certificates for internally distributed apps. Based on Apple’s documentation and my own observations, I am aware of the following domains being involved in these processes: Device Activation: albert.apple.com, gs.apple.com, captive.apple.com, humb.apple.com, static.ips.apple.com, sq-device.apple.com, tbsc.apple.com, time*.apple.com System App Installation: *.itunes.apple.com, *.apps.apple.com, *.mzstatic.com MDM Enrollment: Communication with Apple ADE servers followed by the MDM server. Developer Certificate Validation: ppq.apple.com, ocsp.apple.com, crl.apple.com My primary question is: Are there any rate limits imposed by Apple’s servers on these specific processes when performed frequently on the exact same device within a short timeframe (e.g., multiple times per day)? Specifically, could anyone provide information regarding potential limits for: Device activation requests? System app downloads post-activation? Automated Device Enrollment checks and subsequent MDM enrollments? Developer certificate validation requests? Additionally, is the list of domains above comprehensive for these processes, or are there other key endpoints involved that I should be aware of regarding potential rate limiting? Understanding these limitations is crucial for ensuring the reliability of automated device management workflows. Thank you for any insights!

ABM has introduced a target date for moving a device from one MDM server to a new one. However, there's nothing in the API for setting that when you use the API to move MDM server Am I missing something or does it just not exist? Thanks Caroline

We are implementing the Return to Service (RTS) with App Preservation flow. During testing, we were able to successfully fetch the Bootstrap Token as part of the ADE enrollment process. However, when attempting to initiate the Return to Service command with App Preservation enabled, the following error was returned: [ { "ErrorCode": 12089, "ErrorDomain": "MDMErrorDomain", "LocalizedDescription": "Could not erase device.", "USEnglishDescription": "Could not erase device." }, { "ErrorCode": 66002, "ErrorDomain": "MDMBootstrapTokenErrorDomain", "LocalizedDescription": "Failed to generate LAContext for bootstrap token", "USEnglishDescription": "Failed to generate LAContext for bootstrap token" } ] Below is the sample request (with dummy data). The actual request contained valid values in all fields: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Command</key> <dict> <key>RequestType</key> <string>EraseDevice</string> <key>ReturnToService</key> <dict> <key>Enabled</key> <true /> <key>WiFiProfileData</key> <data>WiFiProfileData</data> <key>BootstrapToken</key> <data>BootstrapTokenValue</data> <key>MDMProfileData</key> <data>MDM Profile Data</data> </dict> </dict> <key>CommandUUID</key> <string>3670</string> </dict> </plist>