We have a development where we are MDM managing iOS devices and attempting to enforce mutual TLS for all interactions with the MDM. We are DEP provisionng an enrolment profile that utilises an ACME hardware attested Device Identity Certificate. All interactions with the MDM endpoints are correctly utilising the ACME certificate for the client mutual TLS handshake. The certificate has Client Authentication Extended Key Usage.
Behind the same API gateway and on the same SNI we are also serving paths to Enterprise application manifests and IPAs. We can see from the phone log and from packet traces the iOS device doesn't offer the Device Identity Certificate for client authentication when retrieving these URLs. We have also tried adding non ACME client certificates from the root trusted by the server to the initial profile with exactly the same outcome.
If we temporarily disable the mutualTLS we can see that the request for the manifest has a userAgent of
"com.apple.appstored/1.0 iOS/18.2 model/iPhone17,3 hwp/t8140 build/22C5125e (6; dt:329) AMS/1"
which is not the same as the mdm interactions. Is it actually possible to achieve mutualTLS to authenticate these downloads or is a different solution required ?
Any advice greatly appreciated.
Explore the intersection of business and app development. Discuss topics like device management, education, and resources for aspiring app developers.
Post
Replies
Boosts
Views
Activity
Dear Apple Team,
As an MDM (Mobile Device Management) service provider, we are writing to bring attention to an issue that is affecting many of our customers who manage large fleets of iOS devices. Specifically, we have encountered challenges with the app update process via MDM, which is impacting both kiosk devices and non-kiosk devices in a variety of use cases.
Issue 1: App Updates Delayed on Kiosk Devices
Many of our customers are deploying kiosk devices that are used 24/7 independently with no attendants. In these cases, when an app update is sent through MDM via the installApplication command, the installation does not begin immediately. Instead, the update starts only after the device is locked. However, since these kiosk devices are running continuously, they are rarely locked, preventing the app update from occurring.
To force the update, administrators need to manually remote lock or physically lock the device, which is a time-consuming process. This becomes even more challenging for devices like Apple TV, where remotely locking and unlocking the device to complete app updates is especially difficult, making it hard to keep the apps up to date in a timely manner.
Issue 2: User Cancellations of Critical Updates on Non-Kiosk Devices
In the case of non-kiosk devices, customers are encountering another challenge: when a critical update is pushed during business hours, users are often prompted to install the update. However, many users tend to cancel the update, leaving devices unpatched and potentially vulnerable. This behavior can delay the deployment of important security patches, which is a critical concern for organizations managing sensitive data or business-critical apps.
Request for a Solution
Our customers have expressed the need for a more reliable and forceful app update mechanism. Specifically, we are requesting the following features to improve the app update experience:
Scheduled app updates: The ability to schedule app updates, similar to the way OS updates are handled. If the user does not install the update within a specified timeframe, the update should begin automatically or prompt the user with a stronger reminder.
Force install option: A feature that would allow MDM administrators to force an app update immediately, without relying on user intervention. This would ensure that critical updates are installed promptly, improving security and system stability across all devices.
These features are essential for many of our customers who rely on timely and consistent app updates to maintain security, functionality, and compliance across their managed devices. Without these options, they face challenges in ensuring devices are kept up-to-date, which can result in security vulnerabilities and operational disruptions.
We kindly request that Apple consider adding these functionalities to improve the MDM app update process and provide a more reliable experience for both kiosk and non-kiosk device management.
Thank you for your attention to this matter. We look forward to your feedback and any potential improvements in future iOS updates.
Raised in the same manner as feedback: FB15910292
Hello
We extend the program every year, but after we sent a request for extension we do not receive a response. Our program is ending 23 november and we really need to extend it. We created 2 requests, but we did not receive a response to them either. How can we speed up the decision?
Would it be possible to prevent deletion of specific apps on iOS devices using MDM.
We have an app that is unfortunately in business mode. It is impossible for customers to search. We want to make it public for the convenience of users. We have submitted 2 new apps with new bundler id, both return the same answer: bussines 3.2 and no advice.
Any comments are welcome. Please help us.
We provide a MDM product.
In our product, payloads and properties which require supervision display those requirements.
Two properties forcePreserveESIMOnErase and allowWebDistributionAppInstallation of the restriction payload don’t require a supervised device according to the descriptions in Apple Developer Documentation.
However, in our observation, those properties seem to require it.
Are those OS bugs or documentation errors?
(In which category should I submit a feedback?)
Steps to reproduce
Prepare a supervised device (I used an iPhone 12 mini with iOS 18.1) and a configuration profile contains the following restrictions:
<!-- Does not require a supervised device -->
<key>allowDiagnosticSubmission</key>
<false/>
<!-- Requires a supervised device -->
<key>allowESIMModification</key>
<false/>
<!-- Does not require a supervised device according to its description -->
<key>allowWebDistributionAppInstallation</key>
<false/>
<!-- Does not require a supervised device according to its description -->
<key>forcePreserveESIMOnErase</key>
<true/>
Then,
Install the profile with Apple Configurator.
Confirm 4 restrictions are shown in Settings > General > VPN & Device Management > PayloadDisplayName > Restrictions.
Punch Settings > General > Transfer or Reset iPhone > Erase All Content and Settings, to unsupervise.
Install the profile with Apple Configurator. It cannot be installed automatically because the device was not supervised.
Manually install the downloaded profile.
Check Settings > General > VPN & Device Management > PayloadDisplayName > Restrictions.
Expected results
3 restrictions—allowDiagnosticSubmission, allowWebDistributionAppInstallation and forcePreserveESIMOnErase—are shown.
Actual results
Only one restriction—allowDiagnosticSubmission—is shown.
Appendix: Restriction keys and their restricted message shown in Settings
allowESIMModification: eSIM modification not allowed
forcePreserveESIMOnErase: Preserve eSIM on erase enforced
allowWebDistributionAppInstallation: Web app distribution not allowed
allowDiagnosticSubmission: Diagnostic submission not allowed
I’m looking for advice on implementing an Active Supervision Mode for enhanced parental control. My goal is to restrict access to both iOS system apps and third-party applications to create a safer and more tailored digital experience for my child.
Here’s what I’d like to achieve:
App Restrictions: Block specific apps (both iOS and third-party) and allow access only to approved ones.
Time Limits: Set daily usage limits for individual apps or app categories.
Content Filtering: Apply restrictions to block inappropriate content and age-inappropriate apps.
Remote Management: Manage these settings remotely from my device for added convenience.
Activity Monitoring: View app usage stats or receive alerts for policy violations.
I understand that Screen Time on iOS offers basic parental controls, but I’m exploring whether iOS supports more advanced capabilities natively or through additional configurations.
I’ve also heard that enrolling a device in Apple Business Manager (ABM) and linking it to an MDM (Mobile Device Management) solution might provide greater control. If this is a viable solution, could anyone provide guidance on:
Enrolling a personal or family-owned device into Apple Business Manager.
Linking an MDM for configuring app restrictions and monitoring usage.
Alternatively, if there are third-party parental control apps that work seamlessly with iOS to achieve these goals, I’d appreciate your recommendations!
Thanks in advance for your insights!
I’m looking for advice on implementing an Active Supervision Mode for enhanced parental control. My goal is to restrict access to both iOS system apps and third-party applications to create a safer and more tailored digital experience for my child.
Here’s what I’d like to achieve:
App Restrictions: Block specific apps (both iOS and third-party) and allow access only to approved ones.
Time Limits: Set daily usage limits for individual apps or app categories.
Content Filtering: Apply restrictions to block inappropriate content and age-inappropriate apps.
Remote Management: Manage these settings remotely from my device for added convenience.
Activity Monitoring: View app usage stats or receive alerts for policy violations.
I understand that Screen Time on iOS offers basic parental controls, but I’m exploring whether iOS supports more advanced capabilities natively or through additional configurations.
I’ve also heard that enrolling a device in Apple Business Manager (ABM) and linking it to an MDM (Mobile Device Management) solution might provide greater control. If this is a viable solution, could anyone provide guidance on:
Enrolling a personal or family-owned device into Apple Business Manager.
Linking an MDM for configuring app restrictions and monitoring usage.
Alternatively, if there are third-party parental control apps that work seamlessly with iOS to achieve these goals, I’d appreciate your recommendations!
Thanks in advance for your insights!
Hey,
If I were a PhD student enrolled at an accredited academic institution, would I still be eligible to participate in the Swift Student Challenge?
Thank you!
Hi,
I am currently a Phd student from CMU working on a XR project with Vision Pro. I found the latest released enterprise APIs can be really helpful for our project, especially the configuration of the object tracking provider.
However, I found a personal developer account can not access those APIs. And also it requires me to be a founder of the organization of the university when I try to update my account to an organization(CMU). I wonder is there any way to let the student still have a chance to try those fantastic APIs and some research based on them?
I really need those functions and I believe what I am working on is also going to be a great demo of the Vision Pro.
Thanks,
I am looking to do a deferred revenue recognition, is there anyone currently doing this process and if yes can I get the basic steps and reports that you use.
I assume the Subscriber report (daily)
Hello everyone.
Until macOS 14.x Sonoma, the Configuration Profiles, were hosted in System Preferences / Privacy & Security / Profiles.
Now, in macOS 15.x, they are hosted in System Preferences / General / Device Management.
The thing is, we need to hide this panel since it shows the initial password of a LAPS account to any user.
I have seen that in developer.apple.com in the Profile-Specific Payload Keys section, the object SystemPreferences have been Deprecated, and these are the ones we used until now to lock this panel, so it does not work anymore.
So that only the objects Restrictions works, in which it does not show any to block the Device Management panel.
Does anyone know how to hide/lock the new Device Management panel in System Settings?
Thank you very much!
Translated with DeepL.com (free version)
https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&id=1515995528&p=mdm-lockup&caller=MDM&platform=enterprisestore&cc=IN
return blank result when parameter platform=enterprisestore is added for india location
when platform=enterprisestore is removed for india location result is there.
https://uclient-api.itunes.apple.com/WebObjects/MZStorePlatform.woa/wa/lookup?version=2&id=1515995528&p=mdm-lockup&caller=MDM&cc=IN
Dear Apple,
Suggestions to rise tour TKDN in IS:
Make small components from ID, such as iPhone case,IPad case, etc
Continue with Productivity to build Apple Developer, recruiting local developer and headed by Apple developer
Train local technician to repair or replace some components from Apple device (off course they must be original parts).
I think it will fit 35% or more TKDN
p.s: someone in my family is interested to be Apple Dev, and increase skill from Android Dev
Hello Apple Support,
I'm reaching out in desperation, as my Apple Developer account was suddenly blocked without any prior notice. I'm writing from a different email address because I can't access my original account at all.
I've dedicated years of hard work, energy, and resources to build my applications and support my users through this platform. The sudden blocking of my account has not only put my business in jeopardy but also significantly impacted my personal life, as my income and livelihood heavily depend on it. The potential loss of revenue and the disruption to my users is devastating.
I’m deeply hurt and disheartened by the lack of communication and would appreciate any help to resolve this situation as quickly as possible. I kindly request guidance on how I can recover my account, or at the very least, understand why this action was taken.
Thank you for your attention to this matter. I’m hopeful for a quick resolution.
Hello
Is there any official source from Apple listing all their models with their respective specs (mainly storage and device color)?
Third party open source exist, but it's incomplete, and we'd like to use an official source.
EG https://theapplewiki.com/wiki/Models
No "ML9C3" in that site.
Hello Everyone,
I am completely new to programming, I have played with the Playgrounds app and I understand how some of the basic concepts work, however when going through "A Swift Tour" on developer.apple.com I struggle to understand a lot of the concepts presented.
Are there any resources that someone can recommend so I can continue to learn?
I tried just watching the video and searching the things I didn't understand, but I don't think I am learning much this way.
Today, I can no longer create a new version for my Apps. Getting "An error has occurred. Try again later"...
This has never happened to me before.
We use a profile that delays the installation of the new system in order to test it earlier.
Well Sequoia works differently and fails with our system, the manufacturer tells us to talk to Apple.
Does anyone have any idea about this?
My MDM is Mosyle
On a supervised device running iOS 18 without any AirDrop restrictions applied, when a profile with allowListedAppBundleIDs restriction key is installed, the AirDrop sound plays. But still the accept prompt does not appear, making it impossible to accept files.
The prompt works as expected on iOS 18 devices to which the allowListedAppBundleIDs restriction is not installed.
This issue occurs only on supervised iOS 18 devices to which the allowListedAppBundleIDs restriction is being applied.
Device must be in iOS 18 version > Install the (allowListedAppBundleIDs restriction) profile with the device > Try to AirDrop files to the managed device.
The expected result is that the accept prompt must pop up but it does not appear.
This issue is occurring irrespective of any Whitelisted bundle ID being added to the allowListedAppBundleIDs restriction profile.
Have attached a few Whitelisted bundle ID here com.talentlms.talentlms.ios.beta, com.maxaccel.safetrack, com.manageengine.mdm.iosagent, com.apple.weather, com.apple.mobilenotes, gov.dot.phmsa.erg2, com.apple.calculator, com.manageengine.mdm.iosagent, com.apple.webapp, com.apple.CoreCDPUI.localSecretPrompt etc.
Have raised a Feedback request (FB15709399) with sysdiagnose logs and a short video on the issue.