I can enroll iOS and macOS devices with success when DEP is not used (OTA). With DEP, I can enroll iOS devices but not macOS devices. In this case, the process fails when the activation profile is received, because the system cannot decrypt the returned payload.
Note that I sign the payload using the server certificate (trusted as the anchored certs are defined accordingly) and I encrypt the payload using the device identity certificate. This identity certificate was obtained when the device reached the enrollment URL (used to sign the inbound payload).
From the console logs, it seems that the device cannot find the aforementioned certificate using the issuer and serial number, which is surprising because this should be the device identity certificate.
I currently use PKCS7 openssl 3 API. I am wondering if I should switch for the CMS functions since it provides a way to define the certificate using it's key identifier rather than the issuer and serial number.
I'm also wondering if certificates are missing in the chain. Any help would be greatly appreciated.
Explore the intersection of business and app development. Discuss topics like device management, education, and resources for aspiring app developers.
Post
Replies
Boosts
Views
Activity
Can someone please explain the purpose of the ManagementServerCapabilities declaration in Declarative Device Management?
I understand based on the documentation that it contains a "dictionary that contains the server’s optional protocol features" but what would be an example of an "optional protocol feature"?
In Declarative Device Management there is the Get Server Supported Declarations endpoint that is sent via an MDM Check-In request. Is this supposed to return all of the declarations supported by the server, or only the ones that are intended for the device making the request?
This seems like a bad choice of naming for that endpoint and, if my assumption is correct it should be named more along the lines of "Get Device Declarations"
Or am I fundamentally misunderstanding DDM and our server should be sending all declarations we have to the device and the device controls them via activations? This seems counter to the pitch around scalability and performance improvements that DDM offers if we have to send literally everything to the device even if it's known to not be needed, and similarly if the device doesn't support it but the server does then obviously(?) the server shouldn't send it to the device.
I've added my organization macbook air m2 2022 via apple configurator, however, the mac it not receiving the Remote Management prompt during setup. I've confirmed that the device in ABM is pointing to the connect server.
Any ideas?
I’ like to develop an online marketplace and service provider iOS app similar to the amazon for my startup company.
I need standard functions like email registration, user profile, listings etc. And special functions like: location tracking, map, booking system, embedded messenger for the host and customers, internet surveillance camera and rating system, payment system.
I have two questions:
How much does it cost?
Is it possible to develop it by myself and how long?(no programming background)
Regards
Sam
[Edited by Moderator]
From MDM server, we push a DiskEncryption profile to enable FileVault and chosen Personal as the recovery type. Once the profile lands on the system, we execute the command fdesetup changerecovery which prompts the user to complete the authentication. Then a file named FileVaultPRK.dat is getting created in /var/db directory. Though the file presents in most of the devices after certain time, we noticed that the file FileVaultPRK.dat got removed in few devices.
We would like to know on what basis the file would get deleted from the macOS device? (except removing the DiskEncryption profile.)
Thank you in advance.
I'm trying to implement managed device attestation, I have written server code in Go. So far, I have been able to implement all the steps except finalizing order by sending the Certificate url in the json response from where the client can download the certificate.
ACME request flow failed at step 8: Error Domain=NSURLErrorDomain Code=-1002 "unsupported URL" UserInfo={NSLocalizedDescription=unsupported URL, NSErrorFailingURLStringKey=}
For server, I am using localhost with https. The URL in "certificate" field of json response is working in browser/postman. I am not able to figure out what is the exact the cause of this error. As there is no FailingURLStringKey I suspect there might be some issue with key in the json response.
Can anyone point me to the correct direction to figure out what is the issue?
Hello,
We've been playing the app managed configuration with DDM recently and there is a few thing that we might be missing.
We're trying to replace our existing feature of app installation using the Install Command with DDM. Everything seems to be working as expected but we're having an hard time understanding how to keep an app installed with the ManifestUrl (custom IPA) updated on the device as well as custom apps deployed through Custom Apps with ABM.
We used to send new install command when a new version was released (either with manifest or custom apps) and this will trigger a new app install over the existing app keeping data and updating the app.
We however, cannot figure how to do this with App Managed Configuration with DDM. If we replace the configuration declaration (and therefore changed the declaration Identifier), the app will be uninstalled and then reinstalled again (but not all the time). In that case app data is lost as this is a fresh install of the app.
Is there a way to reinstall over an existing app an updated version of an app available through Manifest or with custom apps ?
The same question would apply to any apps unless I'm mistaken, how do we force apps to be updated?
Thanks for your help,
Jeremy
Hi,
We have our devices listed in Apple Business Manager but they are not enrolled in MDM. Some of the devices are locked in Activation Lock screen as employees logged in with their personal account .
Since devices are company owned and already available in ABM is there any way to remove activation lock easily without providing proof of purchase to apple?
In order to prevent devices getting into activation lock in future the only way is to Enroll the device in a MDM?
Are there anyways to bypass activation lock if we are not using MDM
While it's clear that SSO Extensions can be limited to managed applications, it's not necessarily clear how to handle the scenario where a managed application is generating a SafariViewService web view to handle authentication of an account within that managed application. The SSO Extension sees SafariViewService as an unmanaged destination in User Enrolled devices, which means we can't warrant that it's coming from a managed app in the work APFS container.
Is it possible to, in User Enrolled MDM Scenarios, understand where a Safari process came from (i.e., a Managed App) or a SafariViewService process came from, for the purposes of ascribing management status to the authorization request?
https://developer.apple.com/documentation/devicemanagement/systempreferences
The Above documentation of "System Preferences" says deprecated. I assume that some of the panes are not working in latest OS due to this deprecation.
My query is , Is there any other alternative to Disable or Enabled Preference Panes which was attained by SystemPreferences Payload.
I couldn't find any. Is it entirely stopped and in latest OS's ,it wont allowed to restrict those panes?
I'm trying to figure out how to encrypt the Configuration profile sent to an iPhone, but can only find references to "use CMS" but nothing about what key/certificate I should be using to encrypt...
Can anyone point me in the right direction?
I'm trying to figure out how to encrypt a configuration profile sent from an MDM.
There is a certificate sent to the MDM during the call to get configuration, is this what I need to be using to encrypt?
and does this certificate use the UID mentioned in the below quote?
"The Secure Enclave includes a unique ID (UID) root cryptographic key. The UID is unique to
each individual device and isn’t related to any other identifier on the device."
Hello there!
I'd like to know if it is possible to use Apple Business Manager API to create an automation for user creation, please.
Thanks in advance.
The same problem encountered with iOS 17 beta 1 and beta 2 is back:
Unable to create a secure connection to the server ("bad certificate format" -9,808).
I am a spatial computing / XR and Human-Computer Interaction researcher from a private university. I am interested in using the vision pro's newly-exposed camera access to develop and evaluate new algorithms for computational perception. ( WWDC session here: https://developer.apple.com/wwdc24/10139 )
I understand this is targeted at large enterprises, but I would like to know if by some means as a researcher affiliated with an educational institution I could develop private for-development-only applications for the vision pro with the enterprise APIs enabled. The intent is not to publish apps, but rather to contribute to the research community through R&D.
However, to my knowledge, I would be ineligible as a normal "business" as I do not employee 100+ employees. I am an independent researcher, and on occasion, I collaborate within small research groups within my university that focus on this kind of camera-based perception algorithm development.
Could someone from Apple comment?
Thank you.
In the case of organizational iPad devices, we need to have them in a more organized way via the homescreenlayout payload. We need to control the dock and the app library. We will be allowing certain apps on the device via allowListedAppBundleIDs, so we want to disable the recent apps in the dock and prevent apps from being duplicated in the app library, including recent apps and Siri suggestions. If there are more options to control the complete screen layout on the device, it would be helpful.
I have a service that can be accessed via browser extensions on Chrome and Firefox. I've had a request for Safari.
Setting up an account is done via a regular browser app, the browser extensions are free but an account with API keys to use it are by subscription.
My question is I assume Apple wants it share, is this correct?
The Safari browser extension requires and API key that is managed via our site. There is a subscription to use the service across different browsers and this is handled by our site NOT the extension. There would be a link to the admin site in the extension
When I trusted my certificate in 'Setting'->'VPN & Device Management', my device reboot automatically.
After reboot, it showed that "developer of My Team is not trusted in this iPhone", but the app is "verified" in the second column.
The UI looks like:
iOS18 beta:
First Col: Trust "My Team"
Second Col: MyApp Verified
Other versions:
First Col: Delete App
Second Col: MyApp Verified
What's more, my app has plugins(extensions), my app can run normally while the extension is not able to be pulled up on iOS18 beta.
Hi, we have Universal Links configured, but it only works with public URLs. In our environment we need to use managed mode - we don't have a public domain. We have found out, that we need to set AssociatedDomainsEnableDirectDownloads key in Intune. However we are struggling with the right plist format. Has anyone have it configured correctly?