As we know, we can't add restrictions payload in the mobileconfig when registing the device. We are developing MDM by ourselfs, met some trouble. Please help.

We’re exploring the use of Apple’s Automatic Assessment Configuration entitlement for an iOS app currently in the proof-of-concept stage. We’re enrolled in the Apple Developer Program with an active subscription. Both the Account Holder and team members have accepted all relevant license agreements. However, when we try to access the entitlement request form at: 👉 https://developer.apple.com/contact/request/automatic-assessment-configuration/ We are immediately redirected to: 🚫 https://developer.apple.com/unauthorized/ This happens for all team members, including the Account Holder, so it doesn’t appear to be a role-specific permissions issue. The app is still in the proof-of-concept stage — there’s no App Store listing or App ID yet. We’re trying to confirm entitlement eligibility before proceeding further. Questions: Is an App Store listing or App ID required to access this request form? Are there any hidden prerequisites (account permissions, team roles, prior submissions, etc.) that need to be fulfilled? Has anyone here successfully submitted this form — and if so, what steps or conditions were required? Any guidance or shared experience would be greatly appreciated. Thanks in advance!

Hi I am trying to develop Apple MDM solution as a vendor. I got the Vendor certificate from apple developer portal. When I was trying to generate the csr and upload to Portal (https://identity.apple.com/pushcert/) It says Invalid Certificate Signing Request. I had also tried to follow documentation (https://developer.apple.com/documentation/devicemanagement/setting-up-push-notifications-for-your-mdm-customers) but still the same error. Can anyone please guide how to generate the csr.

Attempts to programmatically update or add numerous system-installed certificates (a common practice for organizations that rotate certificates regularly) are blocked, forcing manual, insecure, and error-prone workarounds. The root cause lies in the stricter security protocols implemented in macOS 15, specifically: System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC) Command we are using : sudo security authorizationdb write com.apple.trust-settings.admin

I desperately need help with this issue. Are there any known issues regarding MDM profiles not installing on iPhone 17? Too many cases are being reported.

Subject: Questions Regarding Signing Certificates for MDM Configuration Profiles Dear all, I hope this message finds you well. I have some questions regarding the signing certificates used for MDM configuration profiles. Currently, our company uses an SSL certificate to sign MDM configuration profiles. However, with the announcement that the validity period of SSL certificates will gradually be shortened starting in 2026, we are considering alternative options for signing certificates. Through our internal testing and investigation, we have found examples of the following certificate chains being used: ・Developer ID - G1 (Expiring 02/01/2027 22:12:15 UTC) + Developer ID Application certificate chain ・Apple Root CA + Apple Worldwide Developer Relations Intermediate Certificate + MDM CSR certificate chain We would appreciate any insights or experiences you can share regarding the following points: Apple Support previously advised that "certificates issued by public certificate authorities (CAs) trusted by Apple" are recommended. The certificates listed at https://www.apple.com/certificateauthority/ are typically preinstalled on Apple devices. Are these considered "trusted public CAs" by Apple in this context? Is it acceptable in practice to use a certificate obtained from the “Certificates, Identifiers & Profiles” section on developer.apple.com for signing MDM configuration profiles? We would be grateful to hear about any real-world experiences. If the answer to question 2 is yes, which certificate type within “Certificates, Identifiers & Profiles” would be most appropriate for signing configuration profiles? If using certificates from question 2 is not suitable, are there alternative certificate types (other than SSL) that are valid for longer periods (e.g., more than one year) and appropriate for signing MDM configuration profiles? Apple's official documents do not seem to clearly specify what type of certificate should be used to sign MDM configuration profiles. If you know of any helpful documents or resources related to this topic, we would greatly appreciate it if you could share them. Thank you very much for your time and support. We would truly appreciate any advice or guidance you can provide.

I originally posted here & was referred to post in developer forumsn. https://discussions.apple.com/thread/256036430?login=true&sortBy=rank&answerId=261319559022 There has to be someone else out here that's gone through this. I've tried everything I can think of, forums, reddit, Microsoft documentation.... just can't find any clear cut method of doing this. I'm working on an InTune Mobile App Protection Policy. I know there are going to be some VPs out there asking why they can't use native iOS Apps, especially Apple Calendar, Contacts & Mail. I have not been able to get anywhere, I always end up with this error. Things I've tried: Allow sync of native apps with work account Putting in app exemptions (But I don't truly know if I know if I have the right values for this and there's no simple way of getting it from what I've seen. Having to download app to PC, finding config files, finding specific values.... that people say are hit or miss). Allow data transfer of ALL Apps What am I missing here? I'm pretty much giving up and just going to say sorry, you can't use Native apps.. Period! Anyone have any experience with this, especially for Mail, Calendar & Contacts? Thank you for anyone that can offer advice on this.

We are trying to develop an app that will be responsible for managing 5000+ managed iPads through Intune MDM. The user flow is to have a device locked to a single app when a user is not logged in, but to make the device available to other apps once a user is authenticated. We already tried UIAccessibility GuidedAccess Mode and autonomous single app mode but those were not sufficient due to our need to be able to toggle this from the background. When the device may be asleep. So another way we could achieve this functionality would be to control all app access under a launching mechanism. That way we could allow one app to be visible in our MDM configuration and try to access our business app through that using deep links. If this were to work, we would have to be able to hide an app and still make it launchable from the manager. Any ideas? Thanks

The result Plist for the InstalledApplicationList MDM command is reporting duplicate Application identifiers. Sometimes with different version, other times with the same version. The device is MacOS 15.5, Enrolled via ABM (Supervised). Here are a couple samples from the returned list. Duplicate app: <key>BundleSize</key> <integer>398051</integer> <key>Identifier</key> <string>com.adobe.Acrobat.NativeMessagingHost</string> <key>Installing</key> <false/> <key>Name</key> <string>NativeMessagingHost</string> <key>ShortVersion</key> <string>5.0</string> <key>Version</key> <string>5.0</string> </dict> <dict> <key>BundleSize</key> <integer>398051</integer> <key>Identifier</key> <string>com.adobe.Acrobat.NativeMessagingHost</string> <key>Installing</key> <false/> <key>Name</key> <string>NativeMessagingHost</string> <key>ShortVersion</key> <string>5.0</string> <key>Version</key> <string>5.0</string> </dict> Different Version: <key>BundleSize</key> <integer>4197200</integer> <key>Identifier</key> <string>com.adobe.adobe_licutil</string> <key>Installing</key> <false/> <key>Name</key> <string>adobe_licutil</string> <key>ShortVersion</key> <string>11.0.0.39</string> <key>Version</key> <string>11.0.0.39</string> </dict> <dict> <key>BundleSize</key> <integer>4443177</integer> <key>Identifier</key> <string>com.adobe.AcroLicApp</string> <key>Installing</key> <false/> <key>Name</key> <string>AcroLicApp</string> <key>ShortVersion</key> <string>25.001.20432</string> <key>Version</key> <string>25.001.20432</string> </dict> <dict> <key>BundleSize</key> <integer>7380980</integer> <key>Identifier</key> <string>com.adobe.adobe_licutil</string> <key>Installing</key> <false/> <key>Name</key> <string>adobe_licutil</string> <key>ShortVersion</key> <string>10.0.0.274</string> <key>Version</key> <string>10.0.0.274</string> </dict>

I'm using Apple's MDM protocol InstalledApplicationListCommand to get information about installed apps. From iOS/iPadOS 26, the app information obtained by InstalledApplicationListCommand includes information on all apps including system apps (apps that come standard with iOS/iPadOS). https://developer.apple.com/documentation/devicemanagement/installed-application-list-command I want iOS/iPadOS26 to get the same information as the app information I get from the previous iOS/iPadOS, and I want to exclude system apps from the app information I get with the InstalledApplicationListCommand. As a way to exclude system apps, you can use the app ID I'm thinking of a way to exclude anything that starts with "com.apple" (the Identifier key value of the InstalledApplicationListResponse.InstalledApplicationListItem object). As a way to exclude system apps, please tell us whether the above method is appropriate and whether there will be any problems in the future.

Steps to Reproduce Step 1: Fetch Initial Device List Called the device list endpoint to retrieve all devices and saved the cursor: GET https://mdmenrollment.apple.com/server/devices Step 2: Modify Devices Added and deleted several devices via https://business.apple.com/ Step 3: Sync Without Pagination Called the sync endpoint using the cursor from Step 1 (no limit): GET https://mdmenrollment.apple.com/devices/sync?cursor={step1_cursor} Result: Returned 3 device records as expected: { "devices": [ { "serial_number": "F70JJ4C16L", "op_type": "added", "op_date": "2025-12-11T07:05:05Z" }, { "serial_number": "F70JJ4C16L", "op_type": "deleted", "op_date": "2025-12-11T07:04:36Z" }, { "serial_number": "C8RWGXZXJWF5", "op_type": "deleted", "op_date": "2025-12-11T07:04:52Z" } ], "more_to_follow": false } Step 4: Sync With Pagination (First Page) Called the sync endpoint using the same cursor from Step 1 with limit=1: GET https://mdmenrollment.apple.com/devices/sync?cursor={step1_cursor}&limit=1 Result: Returned 1 record with more_to_follow: true — indicating more data exists: { "devices": [ { "serial_number": "F70JJ4C16L", "op_type": "added", "op_date": "2025-12-11T07:05:05Z" } ], "more_to_follow": true, "cursor": "MTowOjE3NjU0MzgyNDI5ODc6..." } Step 5: Sync With Pagination (Second Page) Called the sync endpoint using the cursor from Step 4 with limit=1: { "devices": [], "more_to_follow": false } Expected Behavior When paginating with limit=1, the API should return all 3 records across 3 sequential requests. Actual Behavior Without pagination: Returns 3 records ✓ With pagination (limit=1): Returns only 1 record, then empty array ✗ 2 records are missing when using pagination. Impact This inconsistency makes the sync API unreliable for incremental device synchronization workflows.

Environment Devices: e.g., iPhone 12 mini, iPhone 16 (multiple units) OS: iOS 26 beta 2 and beta 4 (23A5297m) Distribution: Apple Enterprise Program (In-House), deployed via MDM InstallApplication Tooling: Xcode (latest available for iOS 26 betas) Summary Apps signed for Enterprise (In-House) distribution install successfully on iOS 26 betas via MDM, but terminate immediately on launch. The same builds run if installed from Xcode on the same devices. This is a regression from pre-iOS 26 versions where Enterprise builds installed via MDM launched normally. Steps to Reproduce Archive an iOS app and export for Enterprise (In-House) distribution. Deploy the .ipa via MDM using InstallApplication to a device on iOS 26 beta (e.g., 23A5297m). Tap the app icon to launch. Actual Result The app quits instantly on launch. System logs show launchd/runningboard errors, including NSPOSIXErrorDomain Code=85 (“Bad executable (or shared library)”): runningboardd(RunningBoard)[34]: Process start failed with Error Domain=NSPOSIXErrorDomain Code=85 "Bad executable (or shared library)" UserInfo={NSLocalizedDescription=Launchd job spawn failed} runningboardd(RunningBoard)[34]: Launch failed with Error Domain=NSPOSIXErrorDomain Code=85 "Bad executable (or shared library)" SpringBoard(FrontBoard)[35]: Bootstrapping failed ... NSUnderlyingError = { NSLocalizedDescription = Launchd job spawn failed; } Expected Result Enterprise-signed builds installed via MDM should launch as they did on iOS 25.x and earlier. Regression? Works on iOS versions prior to 26. Works on iOS 26 betas when installed from Xcode (developer-signed run). Fails only for Enterprise (In-House) builds delivered via MDM. Additional Notes / Possibly Related We also reproduced a similar failure mode with a minimal Safari Web Extension project: it installs and appears under Settings → Safari → Extensions, but enabling it and opening Safari produces: “ is no longer available.” Building a fresh project with a new bundle ID shows the same behavior on iOS 26 beta (23A5297m). Logs contain: Error occurred during transaction: The provided identifier "" is invalid. Running from Xcode (debug build) works. Workarounds None identified for Enterprise/MDM distribution. Only Xcode-installed builds run. Impact Blocks Enterprise deployment to our fleet on iOS 26 betas. Feedback / Attachments Included: sysdiagnose from an affected device, minimal Xcode project demonstrating the issue, Enterprise-exported app, and reproduction notes. Happy to share additional logs or perform targeted tests if needed. Request Can Apple confirm whether this is a known regression vs. a policy/validation change in iOS 26 for Enterprise/MDM installs? Any guidance on a short-term mitigation or build/signing change we can apply would be appreciated.

I am trying to find clarification on something. We are seeing strange cases where customer devices seem to unenroll themselves after a period of MDM inactivity. This seems to tie into roughly when their identity certificate has expired. We can't confirm this because the device has since unenrolled. Is there any case where an Apple device will automatically unenroll if it's identity certificate has expired? This doesn't always seem to happen - I had a device respond immediately after being switched off for a year - but could this be down to some devices being DEP enrolled and others manually enrolled?

Issue - Safari application not fetched from system_profile command Use case - We are trying to get list of installed applications in the mac. For this we use System_profiler command to fetch the details list. It is working good, but the thing is , It doesnt fetch Safari app as an installed Application. Command used - **/usr/sbin/system_profiler SPApplicationsDataType** Can anyone suggest any other way to fetch the installed applications list from the mac , which includes all the apps (including safari app) and remains effective ?

Hello, I would like to ask a question regarding documentation related to app sales. Currently, I’m researching the sales process for an app and realized that I lack sufficient understanding when it comes to creating official documents such as estimates, invoices, and receipts — especially when dealing with corporate clients. In our company’s case, we can issue documents based on the net revenue (after platform fees are deducted). However, when issuing these documents to a client, would it be more appropriate to include a breakdown showing both the platform fee and the app usage fee? I would greatly appreciate any insights or examples of how others have handled similar situations. Thank you in advance.

We’ve run into what looks like a gap in how forceAirDropUnmanaged is enforced on iOS devices. Setup: Device: iOS 17.x (unsupervised, enrolled in MDM) MDM Restriction: forceAirDropUnmanaged = true Managed Open-In restriction also applied (block unmanaged destinations). Verified: from a managed app, the AirDrop icon is hidden in the share sheet. This part works as expected. Issue: When two iOS devices are brought close together, the proximity-initiated AirDrop / NameDrop flow still allows transfer of photos, videos, or files between devices. In this path, forceAirDropUnmanaged does not appear to apply, even though the same restriction works correctly in the standard sharing pane. What I’d expect: If forceAirDropUnmanaged is enabled, all AirDrop transfer paths (including proximity/NameDrop) should be treated as unmanaged, and thus blocked when “Managed Open-In to unmanaged destinations” is restricted. What I observe instead: Share sheet → AirDrop hidden ✅ Proximity/NameDrop → transfer still possible ❌ Questions for Apple / Community: Is this a known limitation or expected behavior? Is there a different restriction key (or combination) that also covers proximity-based AirDrop? If not currently supported, should this be filed as Feedback (FB) to request alignment between share sheet AirDrop and NameDrop enforcement? This behaviour introduces a compliance gap for organisations relying on MDM to control data exfiltration on unsupervised or user-enrolled devices. Any clarification or guidance would be greatly appreciated.

ReferenceError: ReadableStream is not defined at Object. (/Users/anaadmin/Documents/AnaNewApp/node_modules/@expo/cli/node_modules/undici/lib/web/fetch/response.js:528:3) at Module._compile (node:internal/modules/cjs/loader:1198:14) at Object.Module._extensions..js (node:internal/modules/cjs/loader:1252:10) at Module.load (node:internal/modules/cjs/loader:1076:32) at Function.Module._load (node:internal/modules/cjs/loader:911:12) at Module.require (node:internal/modules/cjs/loader:1100:19) at require (node:internal/modules/cjs/helpers:119:18) at Object. (/Users/anaadmin/Documents/AnaNewApp/node_modules/@expo/cli/node_modules/undici/lib/web/fetch/index.js:11:5) at Module._compile (node:internal/modules/cjs/loader:1198:14) at Object.Module._extensions..js (node:internal/modules/cjs/loader:1252:10) After trying out all suggestions and different versions of tools such as XCode, nvm, yarn, node, etc., nothing works for me i added : <PROJECT_PATH>/node_modules/@langchain/core/dist/utils/stream.cjs - add const { ReadableStream } = require("web-streams-polyfill"); npm install web-streams-polyfill Tried downgrading to Node 18 as well as various polyfills but haven't been able to get it to work Following does not work in xcode Delete your Podfile.lock (I like to use the command '-rm -rf Podfile.lock' on the terminal for this) Delete your Pods folder (I like to use the command '-rm -rf Pods' in the terminal for this) Delete your .xcworkspace Pod install Clear your project into XCode> Product> Clean Build Folder i have tried cd ios pod install Continuously i am getting same error. Any one know, how to resolve this error

Hello, I am an iOS developer managing an MDM app. In this app, we are only using the camera restriction feature. Can the MDM status (specifically, the camera state) be changed while the user's screen is locked? We want to communicate with our server in the background and apply changes, but there is no known information about this. I would appreciate your help!

I am using system_profiler command to check on the installed application list from mac device. **Terminal command to check installed java version - ** But while running /usr/sbin/system_profiler SPApplicationsDataType -xml , I cant able to find Java as an installed application. Is this a known issue or do we have any alternative workaround to fetch the same?

Hello guys, I wanted to reach out to see if any of you have experienced or come across an issue we are facing in our organization. We are encountering a campus-wide problem where Macs are take an unusually long time to delete files on external drives formatted with ExFAT. We manage these Macs through Jamf Pro, and numerous policies are applied when the devices are enrolled. We have tested the issue in both scenarios—when the Macs are connected to the domain and when they are not—and the slow deletion persists in both cases. At this point, we are unsure whether the issue lies on our end or if it is related to the operating system itself. If anyone has found a fix or workaround for this problem, we would appreciate your input.