Hello ! Currently, we have customers who use about 5,000 devices. In the case of ios26, the phone number is not acquired overall, and 18.x, 17.x, and 16.x are all acquired in half and not acquired in half. https://developer.apple.com/documentation/devicemanagement/deviceinformationcommand/command-data.dictionary/queries-data.dictionary It seems that it is the right behavior not to acquire it on the specification sheet. However, I wonder when it became impossible to acquire. (There are devices that can be acquired and devices that can't be acquired in the same os version.) Will the devices that are being acquired be blocked someday? When it was developed in 2019, it was in a state that could be acquired in full. I would also like to ask if there is an alternative way to get your phone number. Thank you.

Details: Device: iPhone 12 Pro Max System: iOS 26.1 beta 2 Issue Description: When testing MDM device restriction capabilities on iOS 26.1 beta 2, I found that the allowCamera restriction does not work as expected. Observed Behavior: • On a BYOD device: When allowCamera is set to false, the Camera and FaceTime apps disappear from the Home Screen, as expected. However, third-party apps (such as WeChat) can still access the camera and take photos. • On earlier versions (e.g. iOS 26.0.1): Setting allowCamera to false correctly blocks all apps, including third-party apps, from accessing the camera. Initially, I assumed Apple might have changed this restriction behavior so that allowCamera only applies to supervised devices. However, after testing on supervised devices, I found that even there, when allowCamera is set to false, the Camera and FaceTime apps are hidden, but third-party apps can still use the camera. This indicates that the restriction is not functioning correctly in iOS 26.1 beta 2. Expectation: When allowCamera is set to false, all camera access — including third-party apps — should be blocked. Request: Could someone from Apple’s development or MDM team confirm whether this is an expected behavior change or a potential bug in iOS 26.1 beta 2?

Hello, I've noticed some unexpected behavior when updating a user's FileVault password. The set up: All actions are performed in virtualized macOS 14 and 15.5 guests on a 15.5 Apple Silicon host. FileVault is enabled. sjsp is a standard user with a Secure Token. The Mac is bound to AD, and the domain is reachable. Reproduction: systemctl -secureTokenStatus sjsp shows it's ENABLED. fdesetup remove -user sjsp fdesetup add -usertoadd sjsp systemctl -secureTokenStatus sjsp shows it's DISABLED. Surprisingly, sjsp is still able to unlock FileVault. Looking at unified logs for opendirectoryd and fdesetup, I see that a password change is being attempted in response to fdesetup add, which is unexpected. default 13:34:41.320883+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) info 13:34:41.321317+0100 opendirectoryd No unlock record exists for E5CC46D7-0C1F-4009-8421-9AA8217CB784 info 13:34:41.321331+0100 opendirectoryd <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) is not a SecureToken user: no unlock record default 13:34:41.321341+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784): user <private> SecureToken, only new password provided, credential <private> default 13:34:41.321454+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) with no existing unlock record info 13:34:41.321857+0100 opendirectoryd No unlock record exists for E5CC46D7-0C1F-4009-8421-9AA8217CB784 default 13:34:41.321873+0100 opendirectoryd Record <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) is eligible for SecureToken default 13:34:41.322637+0100 fdesetup DMAPFS cryptoUserForMacOSUserForVolume DMErr=-69594 retErr=-69594 outAPFSCryptoUser=(null) default 13:34:41.322699+0100 opendirectoryd While changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784): Not adding SecureToken; other unlock records exist, but no existing unlock record provided If I disconnect the network and follow the reproduction steps then the Secure Token is retained. Reconnecting and waiting a while doesn't cause the Secure Token to be lost. There are no log entries about attempting to change the password. Any help or explanation would be appreciated, thanks in advance.

Hello All, I come to ask a question that I haven't been able to find the docs. I continue to work on implementing declarative management and while working there is a question/concern I have. I have noticed that during some destructive testing, if the device is attempting to fetch a configuration and the server responds with a 503 (or any server related error) then the device will wipe all configurations and attempt to reapply them. Is there any way to prevent this by intercepting status codes or would the only real solution be to force down a temp/test config if the real config can't be fetched from the server?

Hi, everyone! Is there any way to change ACL of existing Private key in system keychain using MDM? We would like to add the binary or .app to access list of the key. I tried to send script via MDM which imported/exported our certificate with private key with required ACL. But can we change it without import/export?

We are currently working on a SCEP server implementation that operates in FIPS-approved mode. In this mode, RSA PKCS#1 v1.5 encryption is disallowed due to compliance requirements, and only FIPS-approved padding schemes such as RSA-OAEP are permitted. However, we have observed that the SCEP client functionality on Apple devices currently does not support RSA-OAEP for CMS EnvelopedData decryption. This creates a challenge for us in ensuring FIPS compliance while maintaining compatibility with Apple devices during certificate enrollment through SCEP. We would appreciate your guidance on the following: Are there any alternative FIPS-approved encryption algorithms or configurations supported by Apple devices for SCEP CMS EnvelopedData decryption? Is there any plan or timeline for future support of RSA-OAEP on Apple platforms for this use case? Feedback raised along with sysdiagnose logs as well : FB17655410

"If your app includes any links outside the app, or offers any in-app or other purchasing opportunities, make sure these are behind a parental gate" Super Awesome and Kidoz are proving with a parental gate on ad click and they also claim that all ads are manually approved (another criteria for ads in Kids apps). So these two are the only ad networks we can use moving forward. Or we can use ad networks like Admob as well? I dont intend not to be in Kids category - so leaving Kids category is not a choice.

Hello, this may not be the correct place to ask this question so I apologize in advance if this is the case. We are currently having some issues when attempting to restore device back ups via iCloud that where previously enrolled to our MDM solution, as upon the restore no app data seems to be persisted over (we have tested restoring the backup on the same device and we have been able to have data persist between wipes) On the initial device we have ensured that the restrictions allowCloudKeychainSync allowManagedAppsCloudSync are set to true, and can see that the initial devices back up has the app data backed up, yet despite this data is not persisted when restoring from back up on a new device. On the device where the back up was initially done when restoring the applications are applied but indicated that they must be re-installed via our management console, once the app has been uninstalled and reinstalled the old data does show up, when applied to the new device our mdm solution pushes down the app.managed config but the device treats it as a new install. Could this possibly be due to us using Device Licensing when assigning apps? Or is it due to the intial device only performing a token update request when restoring and the new device going through the entire checkin proccess? Both devices are provisioned via DEP, and applications where assigned initially via VPP Any insight on this would be useful (For reference this is an MDM solution of our own making so we are attempting to sus out if there is a configuration issue we could be overlooking).

Hello, We're testing the new allowedExternalIntelligenceWorkspaceIDs key in the MDM Restrictions payload on supervised iPads. According to Apple's documentation, this key expects an "external integration workspace ID", but it's not clear what this specifically refers to. We've tried the following IDs individually (one at a time, as documentation says only one is supported currently): OpenAI Organization ID ChatGPT user email Apple ID used in ChatGPT Google ID used in ChatGPT login The profile installs correctly via MDM and the key is set, but we want to confirm: What exactly is considered a valid "external integration workspace ID" for this key? Is there a way to verify that the restriction is working as intended on the device (e.g. does it limit specific integrations or apps)? Is there an official list of services that currently support this? Any clarification from Apple or other developers with experience on this would be very helpful. Thanks in advance.

Hey everyone, Is it possible and how to get Managed Apple ID (email) programmatically for user signed in to ipad through shared IPad feature ? It would be good to have MDM independent solution, I mean API call to MDM service is not acceptable for us. Maybe API call to ASM or ABM, or get that somehow on iOS device end... any advice ? Thanks in advance, Dima

Hello everyone, I’m looking for some clarity from the community regarding eligibility for the Swift Student Challenge 2026, particularly for students taking a gap year in India. I graduated from high school (Class XII, CBSE – India) in May 2025. After graduating, I chose to take a gap year to prepare for competitive entrance examinations in India, with the goal of pursuing Computer Science / Engineering. I’ll be applying to accredited universities for programs starting in mid-2026, and I’m not currently enrolled in a college. My question: The eligibility guidelines state that high school graduates must have graduated within the past 6 months and must be awaiting acceptance or have received acceptance to an accredited institution. Since the submission deadline is February 28, 2026, my graduation would be about 9 months prior, which puts me in a gray area. Has anyone here participated in, or seen others participate in, the Swift Student Challenge while taking a gap year and preparing for university entrance exams? Is there any known flexibility or precedent for students in this situation? I’ve been following the Swift Student Challenge since 2023 and would really love to participate if I’m eligible. Any insights or experiences would be greatly appreciated. Thanks!

Hi everyone, I submitted this feature request through Apple’s Feedback Assistant and wanted to share it here, because many families run into the same issue and Apple prioritizes features based on the number of reports they receive. Current limitation: Screen Time only allows one single Downtime period per day for child accounts. For families with separate school hours and bedtime, this is very impractical. My real-world use case: • Downtime 1: 08:00–13:00 (school) • Downtime 2: 20:00–06:00 (bedtime) Both serve completely different purposes, but are not possible to combine with the current system. My suggestions to Apple: Support multiple Downtime periods per day for child accounts. Allow custom exceptions per Downtime block (e.g., allow Phone app). Provide more flexibility overall for families using Screen Time. If you would benefit from this too, it would be great if you could submit the same request via the Feedback app – the more reports Apple receives, the higher the chance for implementation. My Feedback ID: FB21265678 Thank you! 🙏 Hallo zusammen, ich habe über die Feedback-App einen Vorschlag an Apple eingereicht und wollte ihn hier teilen, weil viele Familien dasselbe Problem haben und Apple mehr Rückmeldungen braucht, um das Thema zu priorisieren. Aktuelles Problem: In Bildschirmzeit kann für Kinder aktuell nur eine einzige Auszeit pro Tag eingerichtet werden. Für Familien mit getrennten Schul- und Schlafenszeiten ist das extrem unpraktisch. Mein Anwendungsfall: • Auszeit 1: 08:00–13:00 (Schule) • Auszeit 2: 20:00–06:00 (Schlafenszeit) Beides erfüllt unterschiedliche Zwecke, ist aber nicht kombinierbar. Mein Vorschlag an Apple: Mehrere Auszeiten pro Tag für Kinderaccounts. Pro Auszeit eigene Ausnahmen festlegen (z. B. Telefon erlauben). Allgemein mehr Flexibilität im Screen-Time-System für Familien. Wenn ihr das ebenfalls hilfreich findet, wäre es super, wenn ihr es auch über die Feedback-App meldet – je mehr, desto besser. Feedback-ID meines Vorschlags: FB21265678 Danke euch! 🙏

Summary: When applying a configuration profile that uses allowListedAppBundleIDs to permit a defined set of apps, essential Apple Watch apps are unexpectedly removed from the paired Watch — even though their associated iPhone bundle IDs are explicitly included. This issue occurs with a minimal profile, and has been consistently reproducible on the latest versions of iOS and watchOS. Impact: This behavior severely limits the use of Apple Watch in managed environments (e.g., education, family management, accessibility contexts), where allowlisting is a key control mechanism. It also suggests either: Undocumented internal dependencies between iOS and watchOS apps, or A possible regression in how allowlists interact with Watch integration. Steps to Reproduce: Create a configuration profile with a Restrictions payload containing only the allowListedAppBundleIDs key. Allow a broad list of essential system apps, including all known Apple Watch-related bundle IDs: com.apple.NanoAlarm com.apple.NanoNowPlaying com.apple.NanoOxygenSaturation com.apple.NanoRegistry com.apple.NanoRemote com.apple.NanoSleep com.apple.NanoStopwatch com.apple.NanoWorldClock (All the bundles can be seen in the Attached profile) Install the profile on a supervised or non-supervised iPhone paired with an Apple Watch. Restart both devices. Observe that several core Watch apps (e.g. Heart Rate, Activity, Workout) are missing from the Watch. Expected Behavior: All apps explicitly included in the allowlist should function normally. System apps — especially those tied to hardware like Apple Watch — should remain accessible unless explicitly excluded. Actual Behavior: Multiple Apple Watch system apps are removed or hidden, despite their iPhone bundle IDs being listed in the allowlist. Test Environment: iPhone running iOS 18 Apple Watch running watchOS 11 Profile includes only the allowListedAppBundleIDs key Issue confirmed on fresh devices with no third-party apps Request for Apple Engineering: Please confirm whether additional internal or undocumented bundle IDs are required to preserve Apple Watch functionality when allowlisting apps. If this behavior is unintended, please treat this as a regression or bug affecting key system components. If intentional, please provide formal documentation listing all required bundle IDs for preserving Watch support with allowlisting enabled. Attachment: .mobileconfig profile demonstrating the issue (clean, minimal, reproducible) Attached test profile = https://drive.google.com/file/d/12YknGWuo1bDG-bmzPi0T41H6uHrhDmdR/view?usp=sharing

We have Apple MDM running for more than 250 schools. We are looking to upgrade our MDM solution and looking as much help as we can get to boost it up. Anyone with experience can help?

For additional security we would like to avoid keeping generated certificates (their private keys) on our server after installing them on a device, but still be able to reference them in later installed configuration profiles via MDM. However, it seems that for a configuration profile's payload to use a certificate (e.g. VPN payload), the certificate payload must be present in the same profile. Are we missing anything, perhaps it's already possible somehow? Ideal workflow for us would be: our MDM server generates a certificate (private+public keys) for a given device our MDM server sends this certificate to the device as configuration profile and saves PayloadUUID of the certificate's payload our MDM server deletes the generated private key from its storage. At this point the private key is present only on the device. at some point in the future our MDM server sends a configuration profile that references the certificate from step 2 via the saved PayloadUUID (e.g. using key PayloadCertificateUUID in a VPN payload) Current result: device responds to MDM server with error "The profile “VPN” could not be installed. Certificates needed for the VPN service “VPN” are invalid." Desired result: device is able to find the previously installed certificate via its PayloadUUID. Alternatively, it could be certificate fingerprint or something similar. One more alternative could be to replace steps 1-3 by an app on the device that obtains a certificate (in any way), installs it to device as a configuration profile, passes the certificate's PayloadUUID to our MDM server and then doing step 4.

I am a developer working on iOS apps. I would like to report an issue occurring in iOS 26 beta 2. Our company has Enterprise account, and we are developing apps. When we distribute these apps, and install them on a device running iOS 26 beta2, apps install successfully, but apps crashed immediately after being launched. MDM Install Application When I install the app via Xcode and trust it, apps will run. Launchd job spawn failed This issue does not occur on versions prior to iOS 26. I would like to know if this is a problem that will be resolved in future updates, or if it is a policy change.

We have applications RME and RMEUI, which are added under FileProviders section. Looking for MDM profile that can lock these entries so that users cannot disable them. Currently we are using JAMF Pro MDM to control our applications. In Sequoia OS -> Open System Preferences -> General -> Login Items & Extensions -> Under Extensions section -> File Providers In Tahoe OS -> Open System Preferences -> General -> Login Items & Extensions -> Under By Category/App section -> File Providers (In the screen shot you can find RME entry)

Microsoft are retiring the “Azure AD Graph API”. We allow the use of Apple email apps in our M365 tenant via the “Apple Internet Accounts” Entra ID Enterprise Application, however this is using the “User.Read” permission from this retiring “Azure AD Graph API”. My concern is that Apple email app’s will stop working in our tenant when Microsoft retire the “Azure AD Graph API” and this permission is removed, as this is an Apple managed Enterprise Application, we have no method of changing the permissions ourselves. I have not been able to find any information on how the “Apple Internet Accounts” Entra ID Enterprise Application can be updated to use the required, newer “Microsoft Graph API” “User.Read” permission. It is not possible for us to change the permissions on the “Apple Internet Accounts” Entra ID Enterprise Application in our tenant, my assumption is that Apple would need to deploy a newer version of Email app that uses the newer “Microsoft Graph API” “User.Read” permission, and we would then need to consent the use of this new permission in our tenant. I would have thought Apple would have deploy this by now, but we have not seen any consent requests. Does anyone have any information about how Apple are handling this Microsoft change and how we can pre-emptively update the “Apple Internet Accounts” Entra ID Enterprise Application to ensure that Apple email client continue to work in our tenant? Many thanks.

Hello, I have an issue with DurationUntilRemoval—it never deletes my profile. I installed it via my MDM server and also tried installing it using Apple Configurator 2. The device is in supervised mode. Here is my profile: ** DurationUntilRemoval** ** 3600** <key>PayloadContent</key> <array> <dict> <key>PayloadDescription</key> <string>Configures restrictions</string> <key>PayloadDisplayName</key> <string>Restrictions</string> <key>PayloadIdentifier</key> <string>com.apple.applicationaccess.82B4587F-86F6-406B-9D27-03A799379EB5</string> <key>PayloadType</key> <string>com.apple.applicationaccess</string> <key>PayloadUUID</key> <string>82B4587F-86F6-406B-9D27-03A799379EB5</string> <key>PayloadVersion</key> <integer>1</integer> <key>allowActivityContinuation</key> <true/> <key>allowAddingGameCenterFriends</key> <true/> <key>allowAirPlayIncomingRequests</key> <true/> <key>allowAirPrint</key> <true/> <key>allowAirPrintCredentialsStorage</key> <true/> <key>allowAirPrintiBeaconDiscovery</key> <true/> <key>allowAppCellularDataModification</key> <true/> <key>allowAppClips</key> <true/> <key>allowAppInstallation</key> <true/> <key>allowAppRemoval</key> <true/> <key>allowApplePersonalizedAdvertising</key> <true/> <key>allowAssistant</key> <true/> <key>allowAssistantWhileLocked</key> <true/> <key>allowAutoCorrection</key> <true/> <key>allowAutoUnlock</key> <true/> <key>allowAutomaticAppDownloads</key> <true/> <key>allowBluetoothModification</key> <true/> <key>allowBookstore</key> <true/> <key>allowBookstoreErotica</key> <true/> <key>allowCamera</key> <true/> <key>allowCellularPlanModification</key> <true/> <key>allowChat</key> <true/> <key>allowCloudBackup</key> <true/> <key>allowCloudDocumentSync</key> <true/> <key>allowCloudPhotoLibrary</key> <true/> <key>allowContinuousPathKeyboard</key> <true/> <key>allowDefinitionLookup</key> <true/> <key>allowDeviceNameModification</key> <true/> <key>allowDeviceSleep</key> <true/> <key>allowDictation</key> <true/> <key>allowESIMModification</key> <true/> <key>allowEnablingRestrictions</key> <true/> <key>allowEnterpriseAppTrust</key> <true/> <key>allowEnterpriseBookBackup</key> <true/> <key>allowEnterpriseBookMetadataSync</key> <true/> <key>allowEraseContentAndSettings</key> <true/> <key>allowExplicitContent</key> <true/> <key>allowFilesNetworkDriveAccess</key> <true/> <key>allowFilesUSBDriveAccess</key> <true/> <key>allowFindMyDevice</key> <true/> <key>allowFindMyFriends</key> <true/> <key>allowFingerprintForUnlock</key> <true/> <key>allowFingerprintModification</key> <true/> <key>allowGameCenter</key> <true/> <key>allowGlobalBackgroundFetchWhenRoaming</key> <true/> <key>allowInAppPurchases</key> <true/> <key>allowKeyboardShortcuts</key> <true/> <key>allowManagedAppsCloudSync</key> <true/> <key>allowMultiplayerGaming</key> <true/> <key>allowMusicService</key> <true/> <key>allowNews</key> <true/> <key>allowNotificationsModification</key> <true/> <key>allowOpenFromManagedToUnmanaged</key> <true/> <key>allowOpenFromUnmanagedToManaged</key> <true/> <key>allowPairedWatch</key> <true/> <key>allowPassbookWhileLocked</key> <true/> <key>allowPasscodeModification</key> <true/> <key>allowPasswordAutoFill</key> <true/> <key>allowPasswordProximityRequests</key> <true/> <key>allowPasswordSharing</key> <true/> <key>allowPersonalHotspotModification</key> <true/> <key>allowPhotoStream</key> <true/> <key>allowPredictiveKeyboard</key> <true/> <key>allowProximitySetupToNewDevice</key> <true/> <key>allowRadioService</key> <true/> <key>allowRemoteAppPairing</key> <true/> <key>allowRemoteScreenObservation</key> <true/> <key>allowSafari</key> <true/> <key>allowScreenShot</key> <true/> <key>allowSharedStream</key> <true/> <key>allowSpellCheck</key> <true/> <key>allowSpotlightInternetResults</key> <true/> <key>allowSystemAppRemoval</key> <true/> <key>allowUIAppInstallation</key> <true/> <key>allowUIConfigurationProfileInstallation</key> <true/> <key>allowUSBRestrictedMode</key> <true/> <key>allowUnpairedExternalBootToRecovery</key> <false/> <key>allowUntrustedTLSPrompt</key> <true/> <key>allowVPNCreation</key> <true/> <key>allowVideoConferencing</key> <true/> <key>allowVoiceDialing</key> <true/> <key>allowWallpaperModification</key> <true/> <key>allowiTunes</key> <true/> <key>forceAirDropUnmanaged</key> <false/> <key>forceAirPrintTrustedTLSRequirement</key> <false/> <key>forceAssistantProfanityFilter</key> <false/> <key>forceAuthenticationBeforeAutoFill</key> <false/> <key>forceAutomaticDateAndTime</key> <false/> <key>forceClassroomAutomaticallyJoinClasses</key> <false/> <key>forceClassroomRequestPermissionToLeaveClasses</key> <false/> <key>forceClassroomUnpromptedAppAndDeviceLock</key> <false/> <key>forceClassroomUnpromptedScreenObservation</key> <false/> <key>forceDelayedSoftwareUpdates</key> <false/> <key>forceEncryptedBackup</key> <false/> <key>forceITunesStorePasswordEntry</key> <false/> <key>forceLimitAdTracking</key> <false/> <key>forceWatchWristDetection</key> <false/> <key>forceWiFiPowerOn</key> <false/> <key>forceWiFiWhitelisting</key> <false/> <key>ratingApps</key> <integer>1000</integer> <key>ratingMovies</key> <integer>1000</integer> <key>ratingRegion</key> <string>us</string> <key>ratingTVShows</key> <integer>1000</integer> <key>safariAcceptCookies</key> <real>2</real> <key>safariAllowAutoFill</key> <true/> <key>safariAllowJavaScript</key> <true/> <key>safariAllowPopups</key> <true/> <key>safariForceFraudWarning</key> <false/> </dict> </array> <key>PayloadDisplayName</key> <string>papala</string> <key>PayloadIdentifier</key> <string>MacBook-Pro-Kyrylo-2.4A2954CA-57A5-44D9-8AD3-546407A0CAD4</string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>BEED8448-8866-43EB-AC3C-1C3C652AADE4</string> <key>PayloadVersion</key> <integer>1</integer> it's just test profile, without difficult stuff, but it doesn't work too What is wrong?

Hi, I was looking for advice on the suitable mac to get for a web app development project for university . Would an Apple MacBook Air 2020 M1 8GB RAM 256GB SSD 13.3" macOS Big Sur, be sufficient ?? Or would I need a newer version !