Finally got to the stage where the ACME certificate profile is successfully installed. However, the public key/certificate itself isn't appearing in the System Keychain. I'm not sure if this is normal or if it's an indication that something went wrong after the profile installation. Unfortunately, I didn't study the log detail at the time and I'm uncertain of how to retrieve those logs from two days ago for the ACME activities. Can anyone confirm that macOS 26 should be storing ACME-retrieved MDM profile-based certificates in the System Keychain? If they should be there, what can possibly go wrong? The most obvious issue I can see is that the ACME server has requested the certificate with two CN's, which comes from the MDM profile asking for the subject against CN and the OID (2.5.4.3). Both CN's are identical. I'm surprised the profile installed if something is wrong. At first, I assumed Apple had decided to stop installing the certificates into the System Keychain.

I originally posted here & was referred to post in developer forumsn. https://discussions.apple.com/thread/256036430?login=true&sortBy=rank&answerId=261319559022 There has to be someone else out here that's gone through this. I've tried everything I can think of, forums, reddit, Microsoft documentation.... just can't find any clear cut method of doing this. I'm working on an InTune Mobile App Protection Policy. I know there are going to be some VPs out there asking why they can't use native iOS Apps, especially Apple Calendar, Contacts & Mail. I have not been able to get anywhere, I always end up with this error. Things I've tried: Allow sync of native apps with work account Putting in app exemptions (But I don't truly know if I know if I have the right values for this and there's no simple way of getting it from what I've seen. Having to download app to PC, finding config files, finding specific values.... that people say are hit or miss). Allow data transfer of ALL Apps What am I missing here? I'm pretty much giving up and just going to say sorry, you can't use Native apps.. Period! Anyone have any experience with this, especially for Mail, Calendar & Contacts? Thank you for anyone that can offer advice on this.

We’re using the Apple Developer Enterprise Program for internal app distribution. The Apple ID is a generic one using our domain email, but the Account Holder is a real person with authority in the organization. For the payment method, we plan to use a corporate credit card — but it is issued under a different staff name (e.g. card under Chief, but Account Holder is IT Head). Just want to check: • Is this setup acceptable? • Will Apple reject the enrollment/renewal if the card name doesn’t match the Account Holder? • What’s the best practice in this case to avoid delays or verification issues? Appreciate any guidance or experience from the community. Thanks!

There is a longstanding restriction payload for supervised iOS devices that disables "Erase All Content and Settings." We have been experimenting with supervised watches paired with supervised phones that have that payload applied, and yet "Erase All Content and Settings" remains available on the watch. Is this: – a) An error with our payload? Should we be sending something else? – b) A bug in watchOS supervision? – c) A deliberate design choice? If so, what is the rationale for preventing organizations from maintaining this very basic level of control over devices they may be configuring and dispatching into the field?

Hello, We are currently deploying Apple devices in our organization using Apple Business Manager (ABM) and are looking for a long-term self-hosted MDM solution. We initially considered MicroMDM, but since official support will end in December 2025, we are evaluating NanoMDM. I would like to confirm: Is NanoMDM a stable and production-ready option for long-term use with Apple Business Manager and Automated Device Enrollment (ADE)? Does NanoMDM support all essential features like: Supervision Remote wipe App deployment Configuration profiles Are there any limitations or known issues with using NanoMDM? Are there any other open-source or lightweight MDM solutions Apple developers recommend that are actively maintained? We are aiming for a reliable, secure, and future-proof self-hosted MDM setup. Any guidance or shared experience would be greatly appreciated. Thanks, Vijay Pratap Singh

What is the proper payload for the FDEFileVault? Do I need to provide a user password in the payload to proceed with turning on the FileVault? Isn't that a privacy issue? Why UserEntersMissingInfo does not work for me? How to properly turn off FileVault - every try failed? Below I attach tested payloads and results. Test 1: Enable: "On" Result 1: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 2: Enable: "On" Username: "username on a device" Result 2: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 3: Enable: "On" Username: "username on a device" Password: "password of the user" Result 3: Success: FileVault turned On Test 4: After previously turning On FileVault successfully after restarting a machine. Enable: "Off" Result 4: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 5: Enable: "On" UserEntersMissingInfo: True Result 5: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 6: Enable: "On" Username: "username on a device" UserEntersMissingInfo: True Result 6: Error ErrorCode: -319 LocalizedDescription: The ‘FileVault Settings’ payload could not be installed. User authentication failed. Test 7: This is example payload from: https://developer.apple.com/documentation/devicemanagement/fdefilevault#Profile-Example Defer: True Enable: "On" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: False Result 7: Success: FileVault turned On Test 8: Same as test 4, but after turning on like test 7. Test 9: Defer: True Enable: "Off" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: False Result 9: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 10: Defer: True Enable: "Off" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: True Result 10: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 11: Defer: True Enable: "Off" ShowRecoveryKey: True UseKeychain: False UseRecoveryKey: True UserEntersMissingInfo: True DeferForceAtUserLoginMaxBypassAttempts: 0 Result 11: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help. Test 12: UserEntersMissingInfo: True Enable: "Off" Username: "username on a device" Result 12: Fail: FileVault didn't turn off, but the profile in settings updated. The machine restart didn't help.

Apple face app is used to fore video calling and chatting and voice calling AP same a what’s app tango etc…

Hello, I am building a Content Filter app for iOS and would like to get access to some information about network connections that are happening on the device. I managed to have the handle(_ report: NEFilterReport) method of my NEFilterControlProvider called, but the bytesOutboundCount and bytesInboundCount properties of the report are always 0. How can I have the real byte count of the connection ?

We want to set key-value pair (installation_token: xxxxx) into an app installed by MDM. Formerly we could set the key-value using Settings MDM command like this. <dict> <key>Command</key> <dict> <key>RequestType</key> <string>Settings</string> <key>Settings</key> <array> <dict> <key>Configuration</key> <dict> <key>installation_token</key> <string>xxxxxxx</string> </dict> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> </dict> </array> </dict> We can still use this for the apps installed withInstallApplication MDM command, however we cannot apply this configuration into the app using Declarative Device Management. When we try it, we got an error like this. <dict> <key>CommandUUID</key> <string>.............</string> <key>Settings</key> <array> <dict> <key>ErrorChain</key> <array> <dict> <key>ErrorCode</key> <integer>12008</integer> <key>ErrorDomain</key> <string>MDMErrorDomain</string> <key>LocalizedDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> <key>USEnglishDescription</key> <string>Could not modify apps managed by Declarative Device Management.</string> </dict> </array> <key>Identifier</key> <string>com.cloudflare.cloudflareoneagent</string> <key>Item</key> <string>ApplicationConfiguration</string> <key>Status</key> <string>Error</string> </dict> </array> How can we work with managed application configuration with DDM?

Hello, I am currently attempting to use declarative management to install enterprise application, however I am running into errors. Initially the device was failing to unpac the initial manifest it downloaded. After pulling logs from the device it was revealed that the manifest must include the bundle-version for it to parse as valid. Adding this has allowed for the ipa to be fetched from the server however there is a secondary issue. The application is on the device but is unable to be opened due to the device being unable to validate its integreti. Any additional information would be useful. For completion the working manifest will be pasted below. It should be noted that the manifest below does work when requesting application installs through MDM commands. <***> <items type="array"> <dict> <assets type="array"> <dict> <kind type="string">software-package</kind> <url type="string">https://domain/web/mdm/ios/enterpriseipa/bundle.id</url> </dict> </assets> <key type="dict" name="metadata"> <bundle-identifier type="string">bundle.id</bundle-identifier> <kind type="string">software</kind> <subtitle type="string">app</subtitle> <title type="string">app</title> <bundle-version type="string">x.x.x</bundle-version> </key> </dict> </items> </***> </plist>

ReferenceError: ReadableStream is not defined at Object. (/Users/anaadmin/Documents/AnaNewApp/node_modules/@expo/cli/node_modules/undici/lib/web/fetch/response.js:528:3) at Module._compile (node:internal/modules/cjs/loader:1198:14) at Object.Module._extensions..js (node:internal/modules/cjs/loader:1252:10) at Module.load (node:internal/modules/cjs/loader:1076:32) at Function.Module._load (node:internal/modules/cjs/loader:911:12) at Module.require (node:internal/modules/cjs/loader:1100:19) at require (node:internal/modules/cjs/helpers:119:18) at Object. (/Users/anaadmin/Documents/AnaNewApp/node_modules/@expo/cli/node_modules/undici/lib/web/fetch/index.js:11:5) at Module._compile (node:internal/modules/cjs/loader:1198:14) at Object.Module._extensions..js (node:internal/modules/cjs/loader:1252:10) After trying out all suggestions and different versions of tools such as XCode, nvm, yarn, node, etc., nothing works for me i added : <PROJECT_PATH>/node_modules/@langchain/core/dist/utils/stream.cjs - add const { ReadableStream } = require("web-streams-polyfill"); npm install web-streams-polyfill Tried downgrading to Node 18 as well as various polyfills but haven't been able to get it to work Following does not work in xcode Delete your Podfile.lock (I like to use the command '-rm -rf Podfile.lock' on the terminal for this) Delete your Pods folder (I like to use the command '-rm -rf Pods' in the terminal for this) Delete your .xcworkspace Pod install Clear your project into XCode> Product> Clean Build Folder i have tried cd ios pod install Continuously i am getting same error. Any one know, how to resolve this error

Hi everyone, I want to enable Single App Mode (SAM) for my custom app that’s installed on the device. However, my device is not supervised. Is there any way to: Enable Single App Mode without supervising the device? Any guidance or workaround would be appreciated. Thanks, Arnab Lahiri

Hi There Our app is used in the hospital field and receives remote APNS via the Notification Service Extension. We found a scenario where screen is on, our app is in background, if a "Critical" notification is displayed as a banner at the top of the screen, subsequent normal notifications will be suppressed and no sound will play. Only after the user swipes away the critical notification will the normal notification appear and play a sound. is this as expected? I could not find any document on such case from Apple. Thanks.

Hi all, I'm implementing Intune MAM to secure applications on iOS. However, I need my users to be able to save files (e.g. attachments in an email in the Outlook app) to iOS Files. To do so, I'm trying to put Files in exception of my Intune MAM policy and I need to obtain the Files "CFBundleURLSchemes" value from the info.plist file of the Files app. I'm not able to get that information. Are any of you able to get that somehow? Thanks!

Hello! I’m testing certificate issuance using a locally running Smallstep step-ca ACME server with the device-attest-01 challenge. I’ve created a custom MDM profile for this purpose. When I install the profile, the certificate is issued successfully, but it is not saved to the Keychain as stated in the documentation. I can only see the certificate via mdmclient or in the Wi-Fi settings dropdown menu. Is this expected behavior, or are there additional settings that need to be included in the MDM profile?

I am trying to correctly manage about 20 Mac, iPhones and PC inside a Wi-Fi network built through System Settings > Sharing > Internet Sharing To achieve this task I defined a complete configuration file: /etc/bootpd.plist which is used by /usr/libexec/InternetSharing. But every time /usr/libexec/InternetSharing is starting the file /etc/bootpd.plist is overwritten by another file and my configuration is thus fully lost. How to set a correct /etc/bootps.plist file and avoid its total overwrite by /usr/libexec/InternetSharing? Is it necessary to write this bootpd.plist in some other directory for /usr/libexec/InternetSharing to load it without destroying it? I got the same configuration total erase on macOS Big Sur and Sequoia.

We have created provisioning profile from apple developer account for our iPadOS app, the expiry date shown in the profile is 20-Aug-2026. However, when when I build the app with this provisional profile the expiry date shown in the app is 6-May-2026. My Certification expires on 2027. I see a embeded.mobileprovision profile inside the app, and it has an expiry of 6-May-2026. I did a clean build, cleared unnecessary profiles from profile folder, created a new provisional profile and tried, but nothing seems help. We have a few apps, and no other app has this issue, only those two apps have this issue. As the expiry date the shorten, we also need to special handle these two apps, Will you please help me to resolve this issue? Thanks.

Hello, this may not be the correct place to ask this question so I apologize in advance if this is the case. I am currently running into two specifc issues while continuing to implement the app.managed configuration which are quite frustrating and I will detail them below Unlike MDM where an application could be "reinstalled", by sending an install application command down for the same app DM does not have a similar mechanism which causes some issues as (while inconsistent) devices do not always respect the configuration sent down, and will not begin downloading VPP applications. They can be seen in the configuration when checking under VPN & Device Management but they do not return on a status report, alternatively and app will "install" but will have a cloud symbol next to it requiring a download (which I believe would be impossible on supervised devices without apple accounts/have restricted apple accounts associated to them). These apps are also reported incorrectly, as they return a managed response while being inaccessible. Both of these issues are solved by removing and reinstall applications (occasionally). Is there any easier way to trigger a re-install or is this the only way to trigger this? The Version element that can be optionally sent down does not seem to work (or if it does, does so inconsistently). A device will very happily download the application initially with the version element present, though when we detect an updated external ID from the VPP program and send down an updated configuration devices behave unexpectedly. Some have ignored it, some have responded back that a download has begun (with no download taking place and the application clearly still being the initial installed version as can be see in the apps page) or it just works, but there is not consistency. I realize a new UpdateBehavior object has been added to possibly handle this, but it is only supported in iOS 26 and above and there are plenty of people who do not have phones that can upgrade that far. Are there alternative ways to enforce an application update other than uninstalling and reinstalling the application without the version (or will sending down a config without a version after one was originally pinned force it to update to latest?) Kind Regards

We are experiencing a critical issue where VPP app installations are consistently taking an excessive amount of time, leading to significant delays in asset association. We are deployionThis is a systemic problem that affects all VPP apps, not just an isolated case. Apps: 39470db7-e475-4269-9709-c80641657027 => com.zimride.instant d0876900-2579-463e-99f1-b7c85ef5c5e8 com.microsoft.azureauthenticator Troubleshooting: We have performed extensive troubleshooting and can confirm the following: VPP Token: The VPP token has been successfully renewed and is currently active and valid. License Availability: We've verified that there are sufficient VPP licenses available for the apps being deployed. Device Status: We've attempted the following on the affected devices: Restarted the devices. Switched to different Wi-Fi networks. Uninstalled and re-installed the apps. App Status: The issue is not limited to a single app; all VPP apps are failing to install. License Revocation: We attempted to revoke and reassign licenses for some devices, but this did not resolve the issue. The app was not pushed, and the pending status remained. Troubleshooting: Through our internal investigation, we have determined that the core issue is that the Asset Association Status is consistently taking excessive time. This seems to be preventing the app installation queue from processing. We have observed a significant delay in the processing of events within the Notification Channel. The time between the event being created and a response being received is excessively long, indicating a potential backlog or issue. We have included a few recent examples below for your reference: Event ID: 39470db7-e475-4269-9709-c80641657027 com.zimride.instant Created Time: 2025-08-26 01:02:04 Response Time: 2025-08-26 01:34:05 Event ID: d0876900-2579-463e-99f1-b7c85ef5c5e8 com.microsoft.azureauthenticator Created Time: 2025-08-25 21:16:29 Response Time: 2025-08-25 22:21:07 We would appreciate your help in the following areas: Resolution: Could you provide any known solutions or workarounds for an asset association status that is taking excessive amount of time'? Best Practices: Are there any recommended best practices or additional parameters we should be checking with the MDM that might influence the queueing of VPP app assignments? Queueing Parameters: Could you provide insight into the parameters or conditions that can affect the queueing and processing of VPP app installations on Apple's servers? Please let us know if there is any additional information or logs we can provide.

I need to verify my domain for Apple Pay but I'm on Shopify. Domain: blissta.co File IS accessible: https://blissta.co/.well-known/apple-developer-merchantid-domain-association But verification fails because it's a redirect, not direct hosting. Shopify doesn't allow .well-known folder creation. Has anyone solved this? Need either: Way to make Apple accept redirects Shopify workaround for direct file hosting Manual verification from Apple Using Authorize.net gateway. Case #102711828925