Device Management

RSS for tag

Allow administrators to securely and remotely configure enrolled devices using Device Management.

Device Management Documentation

Post

Replies

Boosts

Views

Activity

App Custom URL to be blocked to Managed Apps only
My application supports Custom URL Schema which is used to perform an open operation. My application is used as a helper app for MDM, hence it will be installed as a Managed Application. I want only the other Managed Applications to be able to invoke the Custom URL Schema and not allow it for unmanaged applications. Is there any such provision provided by Apple MDM protocol?
1
0
462
Jun ’24
Hidden note in macOS 15b1 and iOS 18b1 release notes
Hi All, I'm trying to figure out why there's something tucked in the release notes for macOS 15b1 and iOS 18b1 saying: “• Profile-based User Enrollment is no longer supported in macOS 15. For User Enrollment, sign in with a Managed Apple Account in Settings.” If I'm reading this correctly, "UIE" or User Initiated Enrollment in Jamf parlance, will not be possible on macOS 15 and iOS18 going forward... But, there is ZERO mention of this in the video about what's new for Management, or what's new for IT document. I work in higher ed, and sadly, we get a lot of out of band purchases that aren't ADE eligible. And we've been told for years, and continue to be told, that Managed Apple ID's aren't appropriate for Higher Ed. So this is a big deal if this is being removed, and I find it disturbing it's being tucked away in release notes rather than being broadcast in every location. Heck, for small shops that don't have ASM or ABM, this means no MDM (they won't have managed Apple Accounts to enroll, they won't have ADE)? I happen to use a free Jamf Now system for home managing some personal home devices... I won't be able to do this with macOS 15/iOS 18?
5
0
1.6k
Jun ’24
App whitelist profile working on supervised iPhone, but not on paired Watch
Hello, I’ve run into an issue with a configuration profile on my supervised iPhone. I’m wondering if anyone here might be able to help? The profile contains the allowListedAppBundleIDs key within the restrictions payload. My Apple Watch is paired with the iPhone. The iPhone was supervised manually with Apple Configurator, hence the Apple Watch has not been directly supervised itself. The profile works completely as expected when installed on the phone. As soon as the profile is installed on the iPhone, I can witness the apps on the Apple Watch rearrange themselves as some apps are hidden. So clearly the profile is applying its restrictions to the Apple Watch to some degree. My issue however is that apps listed in the whitelist are hidden from the Watch. The apps that are missing from my Watch are Walkie Talkie, Find My Items, Find My Friends, Messages, Alarm, Remote, Now Playing, Sleep, Meditation and Heart Rate. This is despite the following bundle IDs being listed in the whitelist array: com.apple.findmy.findpeople, com.apple.findmy.finddevices, com.apple.HeartRate, com.apple.SessionTrackerApp, com.apple.NanoWorldClock, com.apple.findmy.finditems, com.apple.Mind, com.apple.NanoOxygenSaturation, com.apple.watchmemojieditor com.apple.NanoSleep com.apple.NanoNowPlaying com.apple.noise com.apple.tincan com.apple.NanoRemote com.apple.NanoAlarm com.apple.private.NanoTimer com.apple.NanoStopwatch I’ve done some testing, but not sure what I’ve found really. I’ve so far identified 3 scenarios. Scenario 1: I have the whitelist profile installed on the iPhone. I download an app that appears in the whitelist from my watch (or at least its iPhone version does). The apps show up on the iPhone automatically and can be launched there. These apps cannot be launched on the watch. Scenario 2: I downloaded a few apps to my watch, that didn’t automatically install on my iPhone at the same time. They were on the whitelist. These ones couldn’t be launched from my Watch. I then downloaded them to the iPhone and they could be launched there (since they were on the whitelist). Scenario 3: A couple of 3rd party apps on the whitelist could be downloaded and launched from the watch with the whitelist installed. It seems as though there are different kinds of Apple Watch app and this is what I’ve read elsewhere. First of all there are Watch-only apps, which do not automatically install a companion iPhone app. Secondly there are companion apps, which when installed from the Watch App Store download their companion app to the iPhone in the background. Someone please correct me - I’m bound to be overlooking something here. So maybe the apps that when installed from Watch automatically install on iPhone and can only be launched from the iPhone have a separate bundle ID for their Watch app which I haven’t included? Apps that are on the whitelist AND do not automatically install an iPhone app AND can be launched from the Watch, include: solstice What3words So maybe these do not need a companion app, but have the same Bundle ID as their iPhone app? However, I’m still not sure why many stock Apple Watch apps are missing from the Watch…. The most obvious answer is that I’ve got their Bundle IDs wrong, but I don’t think I have given I extracted the bundle IDs from the App Store pages of the Apple WatchOS apps. I noticed at this Apple Support page (https://support.apple.com/en-gb/guide/deployment/dep34c5cd30f/1/web/1.0) that there is no mention of whitelisting or blacklisting apps on WatchOS using MDM, yet something definitely happens on the watch when the configuration profile is installed on the iPhone. Furthermore, if I tap on a configuration profile, which comprises a blacklist, on my iPhone it will ask me if I want to install it on the iPhone or Watch. The same pop-up question doesn’t happen when the profile contains a whitelist. All this to say, I’m massively confused as to why I can’t get this working. I’d really appreciate anyone’s advice which is bound to be expert. Thank you
1
1
637
Jun ’24
Managed Wi-Fi Settings MDM Device Profile not working for MacOS Sonoma
Hi, I was trying to configure the Managed Wi-Fi Settings profile for a Mac device which is running on the Sonoma 14 OS. (https://developer.apple.com/documentation/devicemanagement/wifimanagedsettings?language=objc). I wanted to enable admin authorization for turning Wi-Fi on/off, and for switching between Wi-Fi networks. I followed the docs and tried these restrictions in lower macOS versions(Monterey, Mojave), and they are being enabled in the device-end. However for Sonoma devices, the restrictions are not being enabled(even though the profile is being pushed to the device). While looking around, I came across the fact that the airport cli utility was discontinued recently(https://www.intuitibits.com/2024/03/14/goodbye-airport/, doesn't allow me to hyperlink). So does that affect the working of the Managed Wi-Fi device profile in any way?
1
0
526
Jun ’24
Customising the dock & app library via HomeScreenLayout in iPad
In the case of organizational iPad devices, we need to have them in a more organized way via the homescreenlayout payload. We need to control the dock and the app library. We will be allowing certain apps on the device via allowListedAppBundleIDs, so we want to disable the recent apps in the dock and prevent apps from being duplicated in the app library, including recent apps and Siri suggestions. If there are more options to control the complete screen layout on the device, it would be helpful.
1
0
469
Jun ’24
Configuration Profile Encryption
I'm trying to figure out how to encrypt a configuration profile sent from an MDM. There is a certificate sent to the MDM during the call to get configuration, is this what I need to be using to encrypt? and does this certificate use the UID mentioned in the below quote? "The Secure Enclave includes a unique ID (UID) root cryptographic key. The UID is unique to each individual device and isn’t related to any other identifier on the device."
0
0
431
Jun ’24
System Preferences Profile not working in latest macOS (Ventura)
https://developer.apple.com/documentation/devicemanagement/systempreferences The Above documentation of "System Preferences" says deprecated. I assume that some of the panes are not working in latest OS due to this deprecation. My query is , Is there any other alternative to Disable or Enabled Preference Panes which was attained by SystemPreferences Payload. I couldn't find any. Is it entirely stopped and in latest OS's ,it wont allowed to restrict those panes?
1
0
623
Jun ’24
Single Sign-on Extensions, Safari, SafariViewService and Gating Access to Managed Apps
While it's clear that SSO Extensions can be limited to managed applications, it's not necessarily clear how to handle the scenario where a managed application is generating a SafariViewService web view to handle authentication of an account within that managed application. The SSO Extension sees SafariViewService as an unmanaged destination in User Enrolled devices, which means we can't warrant that it's coming from a managed app in the work APFS container. Is it possible to, in User Enrolled MDM Scenarios, understand where a Safari process came from (i.e., a Managed App) or a SafariViewService process came from, for the purposes of ascribing management status to the authorization request?
0
0
436
Jun ’24
Clear Activation Lock on Unmanaged Apple Business Manager Devices
Hi, We have our devices listed in Apple Business Manager but they are not enrolled in MDM. Some of the devices are locked in Activation Lock screen as employees logged in with their personal account . Since devices are company owned and already available in ABM is there any way to remove activation lock easily without providing proof of purchase to apple? In order to prevent devices getting into activation lock in future the only way is to Enroll the device in a MDM? Are there anyways to bypass activation lock if we are not using MDM
1
0
731
May ’24
App Managed Configuration in Declarative Management
Hello, We've been playing the app managed configuration with DDM recently and there is a few thing that we might be missing. We're trying to replace our existing feature of app installation using the Install Command with DDM. Everything seems to be working as expected but we're having an hard time understanding how to keep an app installed with the ManifestUrl (custom IPA) updated on the device as well as custom apps deployed through Custom Apps with ABM. We used to send new install command when a new version was released (either with manifest or custom apps) and this will trigger a new app install over the existing app keeping data and updating the app. We however, cannot figure how to do this with App Managed Configuration with DDM. If we replace the configuration declaration (and therefore changed the declaration Identifier), the app will be uninstalled and then reinstalled again (but not all the time). In that case app data is lost as this is a fresh install of the app. Is there a way to reinstall over an existing app an updated version of an app available through Manifest or with custom apps ? The same question would apply to any apps unless I'm mistaken, how do we force apps to be updated? Thanks for your help, Jeremy
2
0
628
May ’24
ACME Managed Device attestation - Unsupported URL error for certifcate URL in finalize Order step
I'm trying to implement managed device attestation, I have written server code in Go. So far, I have been able to implement all the steps except finalizing order by sending the Certificate url in the json response from where the client can download the certificate. ACME request flow failed at step 8: Error Domain=NSURLErrorDomain Code=-1002 "unsupported URL" UserInfo={NSLocalizedDescription=unsupported URL, NSErrorFailingURLStringKey=} For server, I am using localhost with https. The URL in "certificate" field of json response is working in browser/postman. I am not able to figure out what is the exact the cause of this error. As there is no FailingURLStringKey I suspect there might be some issue with key in the json response. Can anyone point me to the correct direction to figure out what is the issue?
1
0
576
May ’24
FileVaultPRK.dat is missing from /var/db directory
From MDM server, we push a DiskEncryption profile to enable FileVault and chosen Personal as the recovery type. Once the profile lands on the system, we execute the command fdesetup changerecovery which prompts the user to complete the authentication. Then a file named FileVaultPRK.dat is getting created in /var/db directory. Though the file presents in most of the devices after certain time, we noticed that the file FileVaultPRK.dat got removed in few devices. We would like to know on what basis the file would get deleted from the macOS device? (except removing the DiskEncryption profile.) Thank you in advance.
0
0
516
May ’24