Managed Settings

RSS for tag

Set restrictions for certain settings, such as locking accounts in place, preventing password modification, filtering web traffic, and shielding apps.

Posts under Managed Settings tag

105 Posts
Sort by:

Post

Replies

Boosts

Views

Activity

allowWebDistributionAppInstallation and forcePreserveESIMOnErase require supervision discrepantly with documentation
We provide a MDM product. In our product, payloads and properties which require supervision display those requirements. Two properties forcePreserveESIMOnErase and allowWebDistributionAppInstallation of the restriction payload don’t require a supervised device according to the descriptions in Apple Developer Documentation. However, in our observation, those properties seem to require it. Are those OS bugs or documentation errors? (In which category should I submit a feedback?) Steps to reproduce Prepare a supervised device (I used an iPhone 12 mini with iOS 18.1) and a configuration profile contains the following restrictions: <!-- Does not require a supervised device --> <key>allowDiagnosticSubmission</key> <false/> <!-- Requires a supervised device --> <key>allowESIMModification</key> <false/> <!-- Does not require a supervised device according to its description --> <key>allowWebDistributionAppInstallation</key> <false/> <!-- Does not require a supervised device according to its description --> <key>forcePreserveESIMOnErase</key> <true/> Then, Install the profile with Apple Configurator. Confirm 4 restrictions are shown in Settings > General > VPN & Device Management > PayloadDisplayName > Restrictions. Punch Settings > General > Transfer or Reset iPhone > Erase All Content and Settings, to unsupervise. Install the profile with Apple Configurator. It cannot be installed automatically because the device was not supervised. Manually install the downloaded profile. Check Settings > General > VPN & Device Management > PayloadDisplayName > Restrictions. Expected results 3 restrictions—allowDiagnosticSubmission, allowWebDistributionAppInstallation and forcePreserveESIMOnErase—are shown. Actual results Only one restriction—allowDiagnosticSubmission—is shown. Appendix: Restriction keys and their restricted message shown in Settings allowESIMModification: eSIM modification not allowed forcePreserveESIMOnErase: Preserve eSIM on erase enforced allowWebDistributionAppInstallation: Web app distribution not allowed allowDiagnosticSubmission: Diagnostic submission not allowed
0
0
173
5d
Unable to Access Team ID and Account Login Issues
Hello everyone, I am a developer and admin on App Store Connect, and I'm experiencing some issues with my account. Here’s a summary of the situation: Account Email: [Redacted] Team ID: [Redacted] Upon visiting the resources page, I encountered a popup stating: Unable to find a team with the given Team ID to which you belong. Please contact Apple Developer Program Support. When I sought assistance from a account holder, they attempted to log in using the account email but were unable to access it, despite entering the correct credentials multiple times. The login page prompted them to enter the email or phone number and password for the Apple account. Currently, I admin can log into App Store Connect, but the account holder is unable to access their account. We are facing difficulties because the Team ID appears to be disabled or unavailable in Xcode. We still have an Individual Developer subscription, but we intend to upgrade to an Organization level. I submitted a request for "Organization Membership" earlier this month. After contacting Apple support helpline multiple times, we received inconsistent responses, including suggestions to create a new account or contact developer support via email. Our main issues are: The account holder is unable to log in. The Team ID is not functioning. If we cannot continue with the individual account, we are open to using a different email for the account holder, as he handle sensitive information such as verification and payments. I have already submitted my request and am opening this thread in hopes of finding a speedy solution and guidance. I've seen multiple threads on this issue, but none have provided a resolution. Any guidance or suggestions on how to resolve these issues would be greatly appreciated! Thank you!
0
0
98
1w
iOS 18 - Unable to receive files using AirDrop when "allowListedAppBundleIDs" restriction key is used
On a supervised device running iOS 18 without any AirDrop restrictions applied, when a profile with allowListedAppBundleIDs restriction key is installed, the AirDrop sound plays. But still the accept prompt does not appear, making it impossible to accept files. The prompt works as expected on iOS 18 devices to which the allowListedAppBundleIDs restriction is not installed. This issue occurs only on supervised iOS 18 devices to which the allowListedAppBundleIDs restriction is being applied. Device must be in iOS 18 version > Install the (allowListedAppBundleIDs restriction) profile with the device > Try to AirDrop files to the managed device. The expected result is that the accept prompt must pop up but it does not appear. This issue is occurring irrespective of any Whitelisted bundle ID being added to the allowListedAppBundleIDs restriction profile. Have attached a few Whitelisted bundle ID here com.talentlms.talentlms.ios.beta, com.maxaccel.safetrack, com.manageengine.mdm.iosagent, com.apple.weather, com.apple.mobilenotes, gov.dot.phmsa.erg2, com.apple.calculator, com.manageengine.mdm.iosagent, com.apple.webapp, com.apple.CoreCDPUI.localSecretPrompt etc. Have raised a Feedback request (FB15709399) with sysdiagnose logs and a short video on the issue.
1
0
332
2w
managed settings pushed through dscl are not appearing in /Library/Managed Preferences/ empty on Sequoia
We are pushing some Chrome settings through Directory Services command line utility /usr/bin/dscl /usr/bin/dscl /Local/Default -mcximport /Computers/local_computer chrome_settings.plist /usr/bin/mcxrefresh -n root These commands created com.google.Chrome.plist in /Library/Managed Preferences on previous macOS versions. However on macOS 15.x Sequoia these commands intermittently fail to create the file in /Library/Managed Preferences though there is no error reported or any log entries that could indicate an error. There could be other component on Sequoia that is preventing directory services tool to push the preferences but I am unable to locate it. It is not MDM because the machines are not enrolled (also have a setup where dscl and MDM both work). This is happening on a clean macbook setup but I have never seen it happen on mac mini. Anyone have an idea what could be interfering with directory services to complete its task of pushing managed settings? DDM?
2
1
259
2w
iOS 18.1 - Shared iPad Wi-Fi picker
I work as the end user compute engineer at my employer. My test managed shared iPad Pro was on iOS 18.0.1 and from the sign in screen I was able to double click the lock/wake button twice to open the Wi-Fi picker. I upgraded it to the latest iOS 18.1 update and the Wi-Fi picker screen no longer comes up when double clicking the lock/wake button. Has this feature been removed? If so, this will pose a huge issue when it comes to new users signing in when not on a known Wi-Fi network.
1
0
227
3w
Apple Time Machine Sequoia 15.0.1
I have two time machines one is a western digital and the other is a Q Nap that ever since I upgraded to Sequoia, I cannot use. It’s an NAS device and Macke says that I have to contact the manufacturer of the product. They’re too old for me to contact them. My MacBook is new and it was working up until I had upgraded to Sequoia so I’m just trying to find out if that is a software glitch or an OS glitch. It is happening on both Max that I have so this is begging me the question that it’s an iOS update causation. It just sits and spins at the Time Machine preparing to back up and that is all that it does the first time it backed up probably until 25% and now it’s just doing this preparing to back up. I also have tried to wipe out the shares on both NAS machines and deleted the the files within the share to set it up again, and it still does not work.
2
0
238
4w
Difficulty blocking and scheduling with the Screen Time API
Hello, I'm currently facing some technical difficulties in implementing features related to application restrictions using the ScreenTime API. In our app, we allow users to set up restrictions for specific apps and app categories, with scheduled times and days (for example, Mondays and Thursdays, from 2pm to 5pm). The blocking sessions must run independently and simultaneously, allowing different sets of applications to be restricted at different times. However, I ran into two main problems: 1. Applying restrictions in the DeviceActivityMonitor extension: Although I can enable and disable restrictions, I haven't found an effective way to apply multiple FamilyActivitySelections directly in the DeviceActivityMonitor extension. The extension has to manage different blocking sessions independently, restricting different sets of applications and categories simultaneously or separately. I would like to know if it is possible to transmit this list of selected applications via UserDefaults or CoreData to the extension in order to facilitate this integra To better illustrate, here is a snippet of the code I am using: import Foundation import FamilyControls import ManagedSettings import DeviceActivity class AppBlockManager: ObservableObject { private let store = ManagedSettingsStore() private let center = DeviceActivityCenter() @Published var activitySelection: FamilyActivitySelection private var activityName: DeviceActivityName private var schedule: DeviceActivitySchedule init(selection: FamilyActivitySelection, activityName: DeviceActivityName, schedule: DeviceActivitySchedule) { self.activitySelection = selection self.activityName = activityName self.schedule = schedule } func startBlock() { do { try center.startMonitoring(activityName, during: schedule) if let applications = activitySelection.applications.isEmpty ? nil : activitySelection.applicationTokens { store.shield.applications = applications } if let categories = activitySelection.categories.isEmpty ? nil : activitySelection.categoryTokens { store.shield.applicationCategories = ShieldSettings .ActivityCategoryPolicy .specific(categories) store.shield.webDomainCategories = ShieldSettings .ActivityCategoryPolicy .specific(categories) } if let webDomains = activitySelection.webDomains.isEmpty ? nil : activitySelection.webDomainTokens { store.shield.webDomains = webDomains } } catch { print("Error starting monitoring: \(error)") } } func stopBlock() { store.shield.applications = nil store.shield.webDomains = nil store.shield.applicationCategories = nil store.shield.webDomainCategories = nil center.stopMonitoring([activityName]) } } Currently, this AppBlockManager is part of the main app target, not within the DeviceActivityMonitor extension, which is currently empty. With this configuration, I can only have one blocking session active at a time, and when it is deactivated, all restrictions are removed. I tried using different ManagedSettingsStore instances, each named individually, but without success. 2. Problems with scheduling restrictions: Currently, when setting up scheduled monitoring via DeviceActivitySchedule, the restrictions are activated immediately, ignoring the specific times scheduled (e.g. starting at 2pm and ending at 5pm). I need the schedule to work correctly, applying the restrictions only during the defined periods. Alternatively, I've considered running a background task that checks whether active sessions (up to a maximum of 3) should apply the restrictions at that time, but I'm still looking for a more suitable solution. In view of these challenges, I would like some guidance on the following points: What would be the best way to configure the DeviceActivityMonitor extension to receive and apply different FamilyActivitySelections, ensuring that the blocking sessions are independent and can run simultaneously? Is there a recommended approach to ensure that restrictions scheduled via DeviceActivitySchedule are applied and removed according to the times and days defined by the user, ensuring that applications are restricted only during the scheduled periods?
0
1
229
Oct ’24
ActivityCategoryPolicy.all(except: allowList) blocks all apps, even the ones that should be exempted
Hello fellow Screen Time developers! I have bee experimenting with the ActivityCategoryPolicy.all(except: allowList) API of the ManagedSettings framework in order to provide a digital detox feature to my app, where ALL apps would be blocked, except some important ones (phone, messages, maps). The apps to be exempted can be configured by the user via the FamilyActivitySelection(). However, I am experiencing a strange bug, where all apps are restricted / blocked, even the ones that are set to be exempted and are part of the allowList Set. Instead of not restricting allowed apps at all, these apps are restricted with a generic shield (screenshot below) – a concrete shield is not requested for them from my ShieldConfigurationDataSource. I have also filed a radar under this number, attached is a minimalistic sample project and video that shows how to reproduce this: FB15500605 (no response so far) I have also seen other people report on this issue, but couldn't find any useful information there: https://forums.developer.apple.com/forums/thread/750988 https://forums.developer.apple.com/forums/thread/762287 Thanks a lot for your help, and have a nice day!
2
1
240
2w
How to open parent app from `ShieldActionDelegate`
Hello, I think it is quite a common use-case to open the parent app that owns the ShieldActionDelegate when the user selects an action in the Shield. There are only three options available that we can do in response to an action: ShieldActionResponse.none ShieldActionResponse.close ShieldActionResponse.defer It would be great if this new one would be added as well: ShieldActionResponse.openParentApp While finding a workaround for now, the problem is that the ShieldActionDelegate is not a normal app extension. That means, normal tricks do not work to open the parent app from here. For example, UIApplication.shared.open(url) does not work because we can’t access UIApplication from the ShieldActionDelegate unfortunately. NSExtensionContext is also not available in the ShieldActionDelegate unfortunately, so that’s also not possible. There are apps however, that managed to find a workaround, in my research I stumbled across these two: https://apps.apple.com/de/app/applocker-passcode-lock-apps/id1132845904?l=en-GB https://apps.apple.com/us/app/app-lock/id6448239603 Please find a screen recording (gif) attached. Their workaround is 100% what I’m looking for, so there MUST be a way to do so that is compliant with the App Store guidelines (after all, the apps are available on the App Store!). I had documented my feature request more than 2 years ago in this radar as well: FB10393561
2
1
303
Oct ’24
ShieldConfiguration does not update when token is moved from one store to another (while app in foreground)
Hello fellow Screen Time Fans! I am encountering a strange problem since I started working with the Screen Time framework, and I don’t know what I’m doing wrong: Imagine the app has two ManagedSettingsStores: one to block apps during work hours (let’s say from 9am to 5pm) and one to block apps in the evening (let’s say from 5:30pm till midnight). Imagine, the user has blocked Instagram in both. When the user has Instagram open at 4:59pm it shows the Block during Work Hours Shield (so far, so good). At 5pm, the shield is removed, and the user can use Instagram. Then, at 5:30 the a shield is activated again: this time, the Instagram token is added to the evening store. However, there is no new ShieldConfiguration requested from the ShieldConfigurationDataSource. Instead, the previous shield from the work hour block is re-used and shown. To me, it appears that the Framework does not request new shields, when the token is moved from one store to another while the app remains in foreground. The Shield is only re-rendered when the user closes the shielded app and re-opens it. This is really confusing behavior and I would like to fix it. Did anyone here encounter something similar, and has a suggestion or workaround? My feedback is also documented in FB14237883.
1
0
214
Oct ’24
Core Data not returning results in ShieldConfiguration Extension, but works fine in other extensions
Hi everyone, I’m using Core Data in several extensions (DeviceActivityMonitor, ShieldAction, and ShieldConfiguration). It works perfectly in DeviceActivityMonitor and ShieldAction. I’m able to successfully fetch data and log the correct count using a fetch request. However, when I try the same setup in the ShieldConfiguration extension, the fetch request always returns 0 results. The CoreData and App Group setup appears to be correct since the first two extensions fetch the expected data. I’ve also previously tested storing the CoreData objects separately in a JSON-FIle using FileManager and it worked without issues—though I’d prefer not to handle manual encoding/decoding if possible. The documentation mentions that the extension runs in a sandbox, restricting network requests or moving sensitive content. But shouldn’t reading data (from a shared App Group, for instance) still be possible within the sandbox, as it is the case with the Files, what is the difference there? In my case, I only need to read the data, as modifications can be handled via ShieldActionExtension. Any help would be greatly appreciated!
2
0
262
Oct ’24
Apple Account Primary Address to Alias Change
Hello all, I recently shared a post to Reddit r/iCloud "Apple Alias Converted to Primary Apple Account" about an experience I had with changing my primary iCloud address to my alias after a name change. All the outlets have picked up on this story which may be misleading. I was under the impression this may be a bug, and now everyone's replicating this process without precaution. My question to the amazing Apple Developers and potentially Apple as well: Is the ability to change your Primary Apple Account to an Apple Alias (permanently) a known, previously discussed, upcoming feature? All Apple docs & support state otherwise. Really just seeking confirmation and I greatly appreciate expert input. Also happy to change Tags based on feedback (if possible). Thanks all! Caol
0
0
210
Oct ’24
Deleting a message on Apple Watch is now deleting messages on iPhone
Can someone confirm this is supposed to be happening after all these years. I have noticed that now when I delete the messages from my Apple Watch (IOS11) they are now deleting from my phone (IOS18). I was glad I noticed and was able to recover them but I almost lost some impoRyan messages. I did do a test and confirm this is true. But the question is, is this supposed to be happening and if so is there a way to disable only this sync? I like to try and keep the messages icon on the watch clean since when I read the messag on my phone it does sync read on the watch and leaves the unread number on the icon.
2
0
281
Sep ’24
Managed Apple ID - Testflight not useable
Hi, I run a midsize business. Apple recommends for company owned devices and for other reasons to use Apple Business managed Apple IDs for the employees. After that, you have to use a MDM System for e.g. deploying apps and licenses. Testflight is an app that can be deployed too. But....Testflight can not more than to say "Hello" on a managed device. The use of Testflight and to test our developed apps is not possible with a managed ID. Can anyone explain to me this thinking or what is recommended than. Setting up a private Apple ID for that purpose...which on the other hand, Apple do not want or does not recommend.
1
1
523
Sep ’24
Checking Equality of ApplicationToken Instances in Swift
Hi everyone, I'm working on a Swift application and trying to determine whether an application has exceeded its limit based on an ApplicationToken. I have the following function to check if the current app's token matches any of the tokens stored when the app limit is reached: private func isAppLimitExceeded(for application: Application?) -> Bool { guard let application = application, let appToken = application.token else { return false } let exceededTokens = configManager.getAppLimitExceededTokens() return exceededTokens.contains { exceededToken in appToken == exceededToken } } The function configManager.getAppLimitExceededTokens() returns a list of [ApplicationToken] that were saved in UserDefaults when an app limit is reached. The goal is to use the isAppLimitExceeded method to verify if the current shield for the app is triggered due to a limit/threshold being exceeded. This function is part of a class that conforms to the ShieldConfigurationDataSource protocol: class ShieldConfigurationExtension: ShieldConfigurationDataSource { // ... } My concern is whether comparing two ApplicationToken instances using == is a reliable method for determining if they are equal. Are ApplicationToken objects guaranteed to be comparable with == out of the box, or do I need to implement Equatable or another method of comparison? Could there be issues with tokens stored in UserDefaults not matching due to reference or serialization differences? Any guidance on how to ensure proper comparison of these tokens would be appreciated! Thanks!
2
0
374
Sep ’24
Do we need a server to use the Screen Time API?
I want to create an app to control a child's device. As I understand it, I need to follow this logic: I have one app for both the child and the parent. For the child, I request authorization with the following code: try await AuthorizationCenter.shared.requestAuthorization(for: .child) For the parent, I show functions like: familyActivityPicker Are these settings automatically applied to the child's device, or do I need to send a silent push notification to apply the new settings? Additionally, how can I get statistics from the child's device to the parent's device?
1
1
360
Sep ’24
Can you call the ManagedSettings framework from your main app?
I am working on a screen time app that helps individuals shield distracting apps and web content. Assuming one is granted the Family Controls entitlement and a user accepts the Family Controls authorization request, can you call the ManagedSettings framework from your main app? Is this framework only allowed to be used within the context of a Device Activity Monitor Extension? I'm unsure if this type of usage will result in an instant rejection from App Review?
0
0
375
Sep ’24
Application Tokens from Bundle Identifier
Hello! I've been doing a lot of work with ApplicationTokens, but there is very little documentation. While Apple gives you the FamilyAcitvitiesPicker to get tokens of apps on an iPhone, I need to get the tokens of apps that aren't on the phone. Example: Someone can select Instagram even though they don't have it downloaded. Then the application token will get sent to a server. Then a different person who does have Instagram on their phone will receive the token and it will do something with that application. Because FamilyActivitiesPicker can only select apps on the iPhone that it is running on, FamilyActivitiesPicker is useless to me, leading to my problem: Creating an ApplicationToken without FamilyActivitiesPicker This documentation says that I can create an Application (and thus an ApplicationToken) from the bundle identifier init(bundleIdentifier: String) Creates an object that represents the app with the specified bundle identifier. However, when I try to use this to get instagrams(or any apps) token, it returns nil every time! So, finally, my questions: How do I correctly use this initializer to create an ApplicationToken? Or, if this won't work for my purposes Are the ApplicationTokens created by FamilyActivitiesPicker the same across all devices no matter what?
2
0
490
Aug ’24