In Declarative Device Management there is the Get Server Supported Declarations endpoint that is sent via an MDM Check-In request. Is this supposed to return all of the declarations supported by the server, or only the ones that are intended for the device making the request?
This seems like a bad choice of naming for that endpoint and, if my assumption is correct it should be named more along the lines of "Get Device Declarations"
Or am I fundamentally misunderstanding DDM and our server should be sending all declarations we have to the device and the device controls them via activations? This seems counter to the pitch around scalability and performance improvements that DDM offers if we have to send literally everything to the device even if it's known to not be needed, and similarly if the device doesn't support it but the server does then obviously(?) the server shouldn't send it to the device.
Device Management
RSS for tagAllow administrators to securely and remotely configure enrolled devices using Device Management.
Post
Replies
Boosts
Views
Activity
Can someone please explain the purpose of the ManagementServerCapabilities declaration in Declarative Device Management?
I understand based on the documentation that it contains a "dictionary that contains the server’s optional protocol features" but what would be an example of an "optional protocol feature"?
I can enroll iOS and macOS devices with success when DEP is not used (OTA). With DEP, I can enroll iOS devices but not macOS devices. In this case, the process fails when the activation profile is received, because the system cannot decrypt the returned payload.
Note that I sign the payload using the server certificate (trusted as the anchored certs are defined accordingly) and I encrypt the payload using the device identity certificate. This identity certificate was obtained when the device reached the enrollment URL (used to sign the inbound payload).
From the console logs, it seems that the device cannot find the aforementioned certificate using the issuer and serial number, which is surprising because this should be the device identity certificate.
I currently use PKCS7 openssl 3 API. I am wondering if I should switch for the CMS functions since it provides a way to define the certificate using it's key identifier rather than the issuer and serial number.
I'm also wondering if certificates are missing in the chain. Any help would be greatly appreciated.
On WWDC 2023 Apple announced this: https://developer.apple.com/videos/play/wwdc2023/10040/?time=648
And as you can see and hear, they are saying: "In the past, entire System Preference panes were hidden to fulfill this requirement. With the introduction of System Settings, we were able to implement a granular management approach. Instead of hiding entire panes, the administrator can restrict modifications of a specific setting which now shows a label about its management state."
But where Apple Developer documentation can I find the payload for this? The only thing I was abble to find is https://developer.apple.com/documentation/devicemanagement/systempreferences which is DEPRECEATED for 13.0 macOS.
Hi everyone.
I've been trying to set up my Macs in Intune. One of the key requirements is to create a push certificate for my environment. I can get past the upload page on the Apple Push Certificate Portal. Once I click the upload button on the web page after choosing my CSR file, I get this the page on the CSR file "The page you’re looking for can’t be found". I get the same message every time I refresh or log back into the page doing these steps. I don't know what to do. Would anyone have any advice on this? Or is this solely an Apple problem? Just if it's of any relevance, I am in Australia.
I have a question. When the DDM status report is sent from a DDM device, normally an empty response is returned. However, if we return a non-empty response that includes an arbitrary string, the device sends us the declaration-items request. Is this behavior correct?
device| --status reort--------> |server
device| <------a non-empry----- |server
device| --declaration-items---> |server. Is this behavior correct?
Hi! Notice for the VPN of type "Always On", this site indicates a ApplicationExceptions key. But on the configuration manual it's not found. I'm trying to indicate a couple apps that should be able to bypass the always on vpn, but it doesn't seem to work. Any ideas? THanks
appears here:
https://developer.apple.com/documentation/devicemanagement/vpn/alwayson/applicationexceptionelement
not here:
https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
I'm the IT Admin in my company. We use Microsoft Intune, which is a Mobile Device Management tool, to manage our devices and apps.
I created an app protection policy, restricting the data can only be shared between the allowed apps. For example, if our user want to copy the content in Outlook for iOS to WeChat or personal memo, the action will be blocked.
However, may be it's too strict, here is the scenario that we need to hadle:
A user selected the content in the Outlook for iOS mail, and wanted to use the "translate" function to do translation. Before the app protection policy was deployed, he can do the translation successfully. And now, it's blocked.
Therefore, we need to find a way to exempt the app "Translate" so that users can do the translation successfully.
We put the value "com.apple.Translate"(this is a package ID listed in the official document of Apple) to the exemption, but it's not working.
May I know what is the correct "value" for the iOS native Translate APP? I need to put this value to our app protection policy to exempt Translate app.
Thank you so much.
I am trying to find how to configure an application when using an AppManaged declaration. Using MDM, I would send the install command and include the settings in the 'Configuration' key of the command. I have checked the documentation and rewatched the 2023 WWDC video, but it is not mentioned at all.
AppManagedAttributesObject has specific configuration options and doesn't appear to cater for adhoc app specific configurations.
Anyone found a way to accomplish this? There are a number of apps (store and enterprise) that require this functionality in order to be configured remotely.
Please tell me two things about "Safari Password Autofill Domains" in my domain settings.
Incident
The behavior of the following items in the Domains setting differs between "no setting" and "edit and delete setting values".
Subject: Safari Password Autofill Domains
Steps to Reproduce(Delete the setting value)
enter any value in "Safari Password Autofill Domains" in the domain settings and save it.
Delete the value entered in step 1.
Distribute to the terminal.
Result
If no settings: A pop-up window will appear asking if the password is to be saved in all domains. The key "SafariPasswordAutoFillDomains" is not present in the configuration profile.
Edited to remove the value: The "Save Password AutoFillDomains" popup does not appear for all domains. The key "SafariPasswordAutoFillDomains" exists in the configuration profile and an empty array remains.
Question 1.
Is it expected that the behavior is different when "Safari Password Autofill Domains" is not configured and when the configuration value is edited and removed?
Question 2
Is it expected that "" remains in the configuration profile when the setting value is edited and deleted?
Hello,
I could not find information in the doc (which is still beta, I understand) : how are app upgrade handled by DDM AppManaged ?
With MDM, sending InstalledApplication command will upgrade the app to the most suitable recent version ; HasUpdateAvailable flag tells MDM server (more or less accurately) if there is an update and then Organizations can keep apps up to date as quickly as possible if needed.
But with DDM, we just have a declaration where we tell the device to install a given app, and that's it. Is there any detail about how the device upgrades apps, and how frequently ?
Thanks.
We have a few development servers that implement MDM and I am trying to incorporate WatchOS Enrollment. I am having trouble connecting to our enrollment URL that is defined in the watch enrollment payload. The error I get indicates that the server certificate is invalid. I can see this error if I attempt to pair to an iPhone that has the WatchOS enrollment declaration on it and I also see if I send an iMessage with our server url and attempt to open the url using the messages app on the watch itself.
The certificate is valid, but the SAN does not define my particular domain but rather it uses a wildcard (i.e. DNS Name: *.domain.com and DNS name: domain.com).
The url opens fine on any other Apple device (iPhone, iPad, Mac, etc) as well as windows.
My question is, is there some problem with using an SSL server certificate that has a wildcard in place of a specific domain when attempting to connect using WatchOS?
I have found that Declarative management, although intriguing and could be useful in the future, is quite lacking. At this point in development, I don't see an advantage over using MDM commands.
In order for a device to apply policies, the device must first post to a server to receive the manifest set, then for each item in the set, the device must post to the server to get the policy. How is that better than posting via MDM to obtain a policy (configuration profile, app, etc.)? It seems there is no benefit in terms of time complexity. In both scenarios the device would need to make O(n) posts. This doesn't solve the scalability issue with regards to the MDM channel.
The limitation with regards to available native declarations vs configuration profiles means declarative management is not yet ready for prime time. Although the first attempt at solving this through LegacyProfiles allows for installing ConfigurationProfiles, this method adds another POST, so at this point it's 1 post to get the manifest, then 2 mores posts to get the policy, which is even worse that MDM.
Regarding the status channel, the status report is missing quite a bit of device information. Currently, in order to obtain a more complete view of device state using MDM, the MDM server must send a set of commands to get information, installed profiles, apps, certificate, etc. The Status channel includes some of this stuff, but not all of it, which means a device must augment the status channel with some (or all) of these commands.
Hi, I'm looking into ACME Managed Deice Attestation and was wondering about one of the values in the payload - AllowAllAppsAccess.
From the documentation: "If true, all apps have access to the private key" but what is the case that you would have this set to true? seems like it opens up the device to potentially malicious software.
Also, if this were set to true, how would an app access this private key when it is stored in the Secure Enclave? is there a specific tag that it is stored with?
I'm trying to implement ACME managed device attestation, I have ACME server code written in C# and I've been able to get all of the steps working except for the very last one - issuing the certificate.
I so far have not been able to get the device to accept the certificate, the device logs show:
Got certificate {length = ......}
ACME request flow failed at step 9: Error Domain=NSOSStatusErrorDomain Code=-67673 "failed to obtain certificate" UserInfo={NSLocalizedDescription=failed to obtain certificate}
The certificate is issued by an internal CA and the correct root certificate is in the device's trusted certs.
I have tried returning the certificate chain as a file response or content response to the device as a "application/pem-certificate-chain" mime type (as outlined as the default in the ACME RFC), returning just the leaf certificate as PEM, returning the leaf certificate as DER with mime type "application/pkix-cert", "application/pkcs7-mime", "application/x-pkcs12" or "application/x-x509-ca-cert", but none of this has worked.
Can anyone point me in the right direction to figure out what the issue is?
The new profile added to manage the cellular private network is not getting installed on the device end - https://developer.apple.com/documentation/devicemanagement/cellularprivatenetwork?changes=_9
When we try to oinstall the profile we get these error messages.
{'Status': 'Error',
'CommandUUID': '556d4936-7514-4121-af8d-3f0bf855a9e6',
'ErrorChain': [
{'ErrorCode': 4001,
'ErrorDomain': 'MCInstallationErrorDomain',
'USEnglishDescription': 'Profile Installation Failed',
'LocalizedDescription': 'Profile Installation Failed'},
{'ErrorCode': 4001,
'ErrorDomain': 'MCInstallationErrorDomain',
'USEnglishDescription': 'Profile Failed to Install',
'LocalizedDescription': 'Profile Failed to Install'},
{'ErrorCode': 1009,
'ErrorDomain': 'MCProfileErrorDomain',
'USEnglishDescription': u'The profile \u201cprivate network policy\u201d could not be installed.',
'LocalizedDescription': u'The profile \u201cprivate network policy\u201d could not be installed.'},
{'ErrorCode': 4001, 'ErrorDomain': 'MCInstallationErrorDomain',
'USEnglishDescription': u'The payload \u201cPrivate Mobile Networks\u201d could not be installed.',
'LocalizedDescription': u'The payload \u201cPrivate Mobile Networks\u201d could not be installed.'}],
'UDID': '00008101-001E1DCA3A81001E'}
Is there a way to check if DDM(Declarative Device Management) is enabled on a device?
Hi all.
I'm trying to implement a Platform SSO extension for macOS and I'm freaking out. It's so complicated and with almost zero guidance documentation.
I established a starting point in my SSO extension and I get the registration request to my beginDeviceRegistrationUsingLoginManager (I managed all the AASA file, MDM stuff).
In this method I'm creating a ASAuthorizationProviderExtensionLoginConfiguration and I try to save it into the loginManager (ASAuthorizationProviderExtensionLoginManager which I get from the method) using saveLoginConfiguration.
It worked fine, and without changing anything I started getting the next error:
failed to save loginConfiguration: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000 "(null)" UserInfo={NSUnderlyingError=0x7ff77ff63b30 {Error Domain=com.apple.PlatformSSO Code=-1008 "Token endpoint URL is not approved profile URL." UserInfo={NSLocalizedDescription=Token endpoint URL is not approved profile URL.}}}
This is my configuration:
ASAuthorizationProviderExtensionLoginConfiguration *loginConfiguration = [[ASAuthorizationProviderExtensionLoginConfiguration alloc] initWithClientID:@"***" issuer:@"https://auth.platformsso.ping-eng.com/as" tokenEndpointURL:[NSURL URLWithString:@"https://auth.platformsso.ping-eng.com/as/token"] jwksEndpointURL:[NSURL URLWithString:@"https://auth.platformsso.ping-eng.com/as/jwks"] audience:@"***"];
And this is where it breaks:
BOOL saveConf = [self.loginManager saveLoginConfiguration:loginConfiguration error:&confError];
Can someone help me with this error please?
Hello Apple Community,
Issue encountered during the installation of an app via DDM (Declarative Device Management) on iOS 17.3 devices.
When applying an app configuration and managed app list status event through declarative management, the configuration is successfully applied, but the configured app is not being installed on the device. Upon closer inspection, we have identified that the error "ManagedAppDistribution.ManagedAppDistributionError" is being logged during this process.
My Configuration:
{
"Type": "com.apple.configuration.app.managed",
"Identifier": "com.mdm.1740e623-4361-498d-af02-b433500d58bd.ManagedAppDDM",
"ServerToken": "1706282674113",
"Payload": {
"AppStoreID": "361309726",
"InstallBehavior": {
"License": {
"VPPType": "Device"
},
"Install": "Required"
}
}
}
{
"Type": "com.apple.configuration.management.status-subscriptions",
"Identifier": "com.mdm.9c70c80f-406a-425a-8829-1025652f05c6.ManagedAppListStatus",
"ServerToken": "1706282673976",
"Payload": {
"StatusItems": [
{
"Name": "app.managed.list"
},
{
"Name": "mdm.app"
},
{
...
}
]
}
}
DDM Response:
{
"StatusItems": {
"management": {
"declarations": {
"activations": [
{
"active": true,
"identifier": "DEFAULT_ACT_0",
"valid": "valid",
"server-token": "1706282674113"
}
],
"configurations": [
{
"active": true,
"identifier": "DEFAULT_STATUS_CONFIG_0",
"valid": "valid",
"server-token": "3"
},
{
"active": true,
"identifier": "com.mdm.1740e623-4361-498d-af02-b433500d58bd.ManagedAppDDM",
"valid": "valid",
"server-token": "1706282674113"
},
{
"active": true,
"identifier": "com.mdm.9c70c80f-406a-425a-8829-1025652f05c6.ManagedAppListStatus",
"valid": "valid",
"server-token": "1706282673976"
}
],
"assets": [],
"management": []
}
}
},
"Errors": [
{
"Reasons": [
{
"Code": "ManagedAppDistribution.ManagedAppDistributionError.0",
"Description": "The operation couldn’t be completed. (ManagedAppDistribution.ManagedAppDistributionError error 0.)"
}
],
"StatusItem": "app.managed.list"
}
]
}
Note : The ManagedAppDistribution framework extension appears to not be implemented in this context.
Kindly help us with this issue. Thanks in advance.
Please tell me about the NotNow status returned by the MDM command for Apple devices.
◾️I would like to check
I am aware that there are some MDM commands that return a status NotNow when the device is locked and the command cannot be executed.
I am aware of InstallProfileCommand and SecurityInfoCommand.
https://developer.apple.com/documentation/devicemanagement/installprofilecommand
https://developer.apple.com/documentation/devicemanagement/securityinfocommand
Please answer the following two questions.
◾️Question
I would appreciate an answer with the official name of the command and the URL of the command's reference, if possible.
Question 1
Please tell us if there are commands other than InstallProfileCommand and SecurityInfoCommand that return status NotNow because the command cannot be executed if the terminal is locked.
Question 2
Please tell us if any of the following commands return the status NotNow because the command cannot be executed if the terminal is locked.
DeviceConfiguredCommand
AvailableOSUpdatesCommand
ScheduleOSUpdateCommand
OSUpdateStatusCommand