iPads managed by Apple Business Manager and an MDM tool (Microsoft Intune) are distributed to employees for use.
An employee forgot his iPad passcode and entered the wrong passcode too many times, resulting in his iPad being locked.
Since they are also disconnected from networks such as WiFi, passcode removal and wiping from MDM tools are not effective.
Is there anything else I can do other than put my iPad into recovery mode and initialize it?
Best regards.
I have been running ABM to synchronize devices for some time now, but in recent days, when using the interface for synchronization, the response from the interface to the device's 'Device-Assigned-by' field has changed. The official website should return 'The email of the person who assigned the device.' However, what I received was a string of numbers, such as 275xxxxx, which corresponds to the ABM user's ID. Some devices may change the field to email again when synchronizing, but unfortunately some devices will always have these numbers. How can I recover the email?
I have been running ABM to synchronize devices for some time now, but in recent days, when using interface synchronization, the device's "assembly_assigned-by" field responded by the interface has changed. The official website should return "The email of the person who assigned the device." However, what I received was a string of numbers, such as 275xxxxxxxx. Some devices may change the field to email again when synchronizing, but unfortunately some devices will always have these numbers. How can I recover the email?
https://mdmenrollment.apple.com/server/devices
https://mdmenrollment.apple.com/devices/sync
We want to set key-value pair (installation_token: xxxxx) into an app installed by MDM.
Formerly we could set the key-value using Settings MDM command like this.
<dict>
<key>Command</key>
<dict>
<key>RequestType</key>
<string>Settings</string>
<key>Settings</key>
<array>
<dict>
<key>Configuration</key>
<dict>
<key>installation_token</key>
<string>xxxxxxx</string>
</dict>
<key>Identifier</key>
<string>com.cloudflare.cloudflareoneagent</string>
<key>Item</key>
<string>ApplicationConfiguration</string>
</dict>
</array>
</dict>
</dict>
We can still use this for the apps installed with the InstallApplication MDM command; however, we cannot apply this configuration to the app using Declarative Device Management. When we try it, we get an error like this.
<dict>
<key>CommandUUID</key>
<string>.............</string>
<key>Settings</key>
<array>
<dict>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>12008</integer>
<key>ErrorDomain</key>
<string>MDMErrorDomain</string>
<key>LocalizedDescription</key>
<string>Could not modify apps managed by Declarative Device Management.</string>
<key>USEnglishDescription</key>
<string>Could not modify apps managed by Declarative Device Management.</string>
</dict>
</array>
<key>Identifier</key>
<string>com.cloudflare.cloudflareoneagent</string>
<key>Item</key>
<string>ApplicationConfiguration</string>
<key>Status</key>
<string>Error</string>
</dict>
</array>
</dict>
How can we work with managed application configuration with DDM?
When syncing newly added or modified devices in the Apple Business Manager (ABM) portal using the POST request to https://mdmenrollment.apple.com/devices/sync, we are getting an issue when the ABM server account has more than 1000 devices. The response consistently includes 1000 devices, with the ‘more_to_follow’ flag always set to true and the ‘cursor’ value changing. However, subsequent ABM syncs for other devices result in duplicate devices being included in the response, and the ‘more_to_follow’ flag never becomes false. As more_to_follow is always true, we try to hit api continuously.
Please refer to this for the sync API details which is causing the issue: https://developer.apple.com/documentation/devicemanagement/sync_the_list_of_devices
This issue appears to originate from the Apple ABM side. Any help would be of great use. Thanks in advance.
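A bounded way to follow more_to_follow, as an added example that is not part of the original post or Apple's code. fetch_page is a hypothetical stand-in for the POST to /devices/sync, the devices, serial_number, op_type and op_date field names are assumptions about the response body, and both servers are constructed.

```python
import itertools

class SyncStalled(RuntimeError):
    """Sync stopped making progress; keeps what was collected so far."""
    def __init__(self, reason, devices, cursor):
        super().__init__(reason)
        self.devices, self.cursor = devices, cursor

def drain_sync(fetch_page, cursor, max_pages=100, max_stale_pages=2):
    """Follow more_to_follow in a bounded loop that checks for progress.

    fetch_page(cursor) is hypothetical: it performs the POST and returns the
    decoded JSON body as a dict.
    """
    devices, seen_records, seen_cursors, stale = {}, set(), {cursor}, 0
    for _ in range(max_pages):
        page = fetch_page(cursor)
        fresh = 0
        for rec in page.get("devices", []):
            # Assumed field names; a record is new if this exact change is unseen.
            mark = (rec["serial_number"], rec.get("op_type"), rec.get("op_date"))
            if mark not in seen_records:
                seen_records.add(mark)
                devices[rec["serial_number"]] = rec
                fresh += 1
        stale = 0 if fresh else stale + 1
        cursor = page.get("cursor")
        if not page.get("more_to_follow"):
            return devices, cursor
        if stale >= max_stale_pages:
            raise SyncStalled("pages contain only duplicates", devices, cursor)
        if cursor in seen_cursors:
            raise SyncStalled("cursor repeated", devices, cursor)
        seen_cursors.add(cursor)
    raise SyncStalled("page budget exhausted", devices, cursor)

# Constructed server that terminates normally after two pages.
def healthy_server(cursor):
    pages = {
        "c0": {"devices": [{"serial_number": "SN1"}, {"serial_number": "SN2"}],
               "cursor": "c1", "more_to_follow": True},
        "c1": {"devices": [{"serial_number": "SN3"}],
               "cursor": "c2", "more_to_follow": False},
    }
    return pages[cursor]

# Constructed server showing the reported symptom: new cursor, same devices.
def looping_server():
    counter = itertools.count(1)
    def fetch(_cursor):
        return {"devices": [{"serial_number": "SN1"}, {"serial_number": "SN2"}],
                "cursor": f"c{next(counter)}", "more_to_follow": True}
    return fetch
```

On SyncStalled the caller keeps exc.devices and exc.cursor, so the inventory collected so far is not lost and the stall can be logged instead of retried without limit.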
Hello, has anyone been able to update/restore devices to the iOS 18 beta with Apple Configurator?
I receive the error:
Failed to create new state machine for restore [com.apple.MobileDevice.MobileRestore – 0xFB1 (4017)]
The devices are stuck in recovery mode and I've done hard resets along with other steps like different cables, host reboot, etc. I've also tried to restore to iOS Release but I'm met with the same error.
Can we get more information about the state of profile-driven user enrollment in iOS 18?
The only official statement seems to be this post here on the forums and nothing more.
1 Year deprecation and removal during the beta cycle is usually not the way Apple does this stuff - UIWebView was deprecated for 6 years.
Nothing in the wording during the WWDC Session indicates this is going to be removed in iOS 18, and none of the documentations we could find mentions profile-driven user enrollment is being removed this year.
Could we please get an official answer stating that yes, this is being removed, and that it's not just a bug in the Beta cycle?
I implemented parents to manage their children's apps with FamilyActivityPicker.
Then, is there a way to get the child’s app list without FamilyActivityPicker?
I recall years ago that autoconfigure for email accounts worked in iOS Mail/macOS Mail.app when MacOS X Server was a thing. The protocol is supported by Outlook and Thunderbird and some other apps as well. Using WireShark, I can see there's some network activity from Mail.app when trying to get to the second step of adding a new email account. The most documentation I've been able to find online is making a mobileconfig file which works but is cumbersome in comparison to how it works with Outlook and Thunderbird. If there's any kind of documentation on autoconfigure for macOS/iOS, I'd like to see it so I can help with Virtualmin development team fix their implementation of autoconfigure/autodiscover to properly work with iOS/macOS.
Help anyone?
Hi Team,
We are planning to automate ABM export. We don't want to download the export which contains device inventory, for example, S/N, IMEI, Reseller ID, etc.
Is there any way to automate it or has Apple made their APIs available?
Any help would be appreciated.
Regards!
Dear Mr. Cook,
I am writing to you today to urge you to take action to save the Apple Vision PRO and turn it into a revolutionary flight simulator. I believe that the Vision PRO has the potential to completely transform the world of flight simulation, but it needs your support to reach its full potential.
Unleashing the Vision PRO's Potential: A Game-Changer in Flight Simulation
The Vision PRO is a unique and powerful device that holds immense promise for delivering an unparalleled level of immersion and realism in flight simulation. However, current sales figures indicate that it is not yet reaching its full potential. I believe this can be attributed to several factors, including:
Limited Marketing and Promotion: The Vision PRO has not been effectively marketed to its target audience, comprising pilots, flight schools, aviation enthusiasts, and gamers.
Lack of Dedicated Flight Simulation Software: Currently, there is a scarcity of high-quality flight simulation software specifically designed for the Vision PRO.
Absence of Strategic Partnerships: Apple has not formed partnerships with major aviation or flight simulation companies to promote and develop the Vision PRO.
Transforming the Vision PRO into a Flight Simulation Powerhouse
I am confident that by addressing these issues, Apple can transform the Vision PRO into a resounding success. Here are some specific recommendations:
Invest in a Comprehensive Marketing Campaign: Apple should target its marketing efforts towards pilots, flight schools, aviation enthusiasts, highlighting the Vision PRO's unique capabilities.
Partner with Leading Flight Simulation Software Developers: Apple should collaborate with developers to create top-notch flight simulation software tailored specifically for the Vision PRO, maximizing its potential.
Forge Strategic Partnerships with Industry Leaders: Apple should partner with major aviation and flight simulation companies to promote and develop the Vision PRO, leveraging their expertise and reach.
A Call to Action: Unleashing the Vision PRO's Revolutionary Potential
I am convinced that by implementing these steps, the Vision PRO can become the premier flight simulator on the market, revolutionizing the way people train to become pilots, hone their skills, and simply enjoy the thrill of flight.
I urge you to give this matter your serious consideration. The Vision PRO is a truly exceptional product that has the potential to make a real difference in the world. With your support, it can reach its full potential and become a groundbreaking product.
Thank you for your time and consideration.
Sincerely,
Pascal
Just upgraded my local iPhone 15 to iOS 18 Beta 3, and I enrolled the device to the MDM server.
Then ran EraseDevice command with ReturnToService as enabled. https://developer.apple.com/documentation/devicemanagement/erasedevicecommand/command/returntoservice
MDM command request body:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Command</key>
<dict>
<key>DisallowProximitySetup</key>
<false/>
<key>PreserveDataPlan</key>
<true/>
<key>RequestType</key>
<string>EraseDevice</string>
<key>ReturnToService</key>
<dict>
<key>Enabled</key>
<true/>
<key>WiFiProfileData</key>
<data>WiFi Profile Base64</data>
<key>MDMProfileData</key>
<data>MDM Profile Base64</data>
</dict>
</dict>
<key>CommandUUID</key>
<string>0001_EraseDevice</string>
</dict>
</plist>
MDM executed the command successfully.
The device erased itself and opened the Hello Screen after a few secs, but the device did not go to the Home Screen; however, the same works fine on iOS 17.
We need to do some operations in a login screen, but when the user uses a WPA2-Enterprise network, the authentication to this network is only possible after the login process has already been completed.
Is there a way to change the network on login screen or a way to authenticate on the WPA2-Enterprise network before a completed login?
STEPS TO REPRODUCE
1 - Use a WPA2-Enterprise
2 - Set WPA2-Enterprise as Auto-Join/Principal
3 - Reboot the Machine
4 - On the logon screen it's impossible to authenticate on the enterprise network even when typing the username and password.
There is a new property introduced in iOS 18 Beta for VPN, i.e. CellularSliceUUID
But there is no description available for the same. Could you please let us know how this property can impact VPN?
https://developer.apple.com/documentation/devicemanagement/vpn?changes=latest_major&language=objc
I am having two issues with an IKEv2 VPN profile and certificates, and I am using Apple Configurator to create the profile. We have a self-signed CA that consists of an intermediate/root chain. The first issue is that when I load the intermediate and/or root into the Certificates section, then, in the VPN section, select Certificate for Machine Authentication, the VPN doesn't connect, and from Console, we get the error "Trust evaluate failure: [leaf MissingIntermediate]." If I load the server cert, the profile connects. I am lost as to why this works, I would assume we would need only the intermediate and/or root.
Second issue I am running into, is that when I put the Intermediate CA name into "Server Certificate Issuer Common Name" the VPN does not connect at all. With the server cert or not.
If I can provide any more information at all, please let me know. With this being a public forum, I didn't want to include much from my organization but can send it privately. Thank you in advance for any assistance.
Screenshot of the console error is attached
When making a GET request to the ABM Account API at https://mdmenrollment.apple.com/account, we receive a response that includes an org_email field. However, we’ve noticed that the value of org_email varies. Sometimes it corresponds to an account with the role of Administrator, while other times it comes from an account with the roles Device Enrolment Manager, Content Manager and People Manager.
We seek clarification on the following points:
Which roles determine the org_email sent in the response?
Is the org_email coming in the API response always the same, or does it change when we hit the APIs multiple times?
org_email in this response:
https://developer.apple.com/documentation/devicemanagement/accountdetail
Enrol Supervised iOS device.
Push a CardDAV policy for the above device; the contacts get synced in the native Contacts app as expected. (https://developer.apple.com/documentation/devicemanagement/carddav)
When the above same profile is re-installed in the above device, the synced contacts are lost and password prompt is shown to enter the password - even though the installed profile contains password for the CardDAV policy.
Password prompt from the device
Re-Installed configuration
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>35ee541b-fec0-46b0-bd48-bcc0702ab60b</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>com.mdm.ec89620f-2905-4c14-b09d-7e9f17944468.CardDAV</string>
<key>PayloadDisplayName</key>
<string>CardDAV</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadUUID</key>
<string>07c423b5-8ae2-4e6e-9336-aa9ca850d6c9</string>
<key>PayloadType</key>
<string>com.apple.carddav.account</string>
<key>PayloadOrganization</key>
<string>MDM</string>
<key>PayloadIdentifier</key>
<string>07cV423b5-8ae2-4e6e-9336-aa9ca850d6c9</string>
<key>PayloadDisplayName</key>
<string>CardDAV Policy</string>
<key>CardDAVAccountDescription</key>
<string>****</string>
<key>CardDAVHostName</key>
<string>www.googleapis.com</string>
<key>CardDAVPassword</key>
<string>****</string>
<key>CardDAVPort</key>
<integer>443</integer>
<key>CardDAVPrincipalURL</key>
<string></string>
<key>CardDAVUseSSL</key>
<true/>
<key>CardDAVUsername</key>
<string>****</string>
</dict>
</array>
</dict>
</plist>
Feedback ID : FB14250521
Enrol Supervised iOS device
Turn ON screen time restriction by opening Settings app -> Content & Privacy restrictions -> Passcode & Face ID -> Don’t Allow.
Now install a Passcode policy profile via MDM with the key “forcePIN” set to “true”, such that the device is needed to change the passcode in device.
By following above steps, the profile fails.
The failure response from the device states that passcode restriction is applied in the device, “The profile ‘Profilename’ may require a passcode change but the passcode cannot be modified.”
This is an incorrect behaviour as MDM should have more control over the screen-time restriction as well.
Error response from the device
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CommandUUID</key>
<string>InstallProfile</string>
<key>ErrorChain</key>
<array>
<dict>
<key>ErrorCode</key>
<integer>4001</integer>
<key>ErrorDomain</key>
<string>MCInstallationErrorDomain</string>
<key>LocalizedDescription</key>
<string>Profile Installation Failed</string>
<key>USEnglishDescription</key>
<string>Profile Installation Failed</string>
</dict>
<dict>
<key>ErrorCode</key>
<integer>4026</integer>
<key>ErrorDomain</key>
<string>MCInstallationErrorDomain</string>
<key>LocalizedDescription</key>
<string>The profile **** may require a passcode change but the passcode cannot be modified.</string>
<key>USEnglishDescription</key>
<string>The profile **** may require a passcode change but the passcode cannot be modified.</string>
</dict>
</array>
<key>Status</key>
<string>Error</string>
<key>UDID</key>
<string>****</string>
</dict>
</plist>
Feedback ID : FB14249704
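For triaging failed commands like this one, the following added example (not from any of the posts or from Apple) flattens ErrorChain entries from both response shapes quoted on this page: the top-level chain of the InstallProfile failure and the per-item chain inside Settings. The sample responses are constructed from those quotes, and reading the last chain entry as the most specific one is an assumption taken from the sample above.

```python
import plistlib

def error_chains(response_bytes):
    """Flatten every ErrorChain in an MDM command response.

    Returns [(scope, domain, code, description), ...]; scope is the CommandUUID
    for a top-level chain, or the app Identifier for a chain inside Settings.
    """
    doc = plistlib.loads(response_bytes)
    found = []

    def collect(scope, node):
        for err in node.get("ErrorChain", []):
            text = err.get("USEnglishDescription") or err.get("LocalizedDescription")
            found.append((scope, err.get("ErrorDomain"), err.get("ErrorCode"), text))

    collect(doc.get("CommandUUID", "?"), doc)
    for item in doc.get("Settings", []):
        if isinstance(item, dict):
            collect(item.get("Identifier") or item.get("Item", "?"), item)
    return found

def most_specific(response_bytes):
    """Last chain entry (assumed to be the specific cause, as in the sample)."""
    chain = error_chains(response_bytes)
    return chain[-1] if chain else None

# Constructed from the InstallProfile failure quoted on this page.
PROFILE_FAIL = plistlib.dumps({
    "CommandUUID": "InstallProfile",
    "ErrorChain": [
        {"ErrorCode": 4001, "ErrorDomain": "MCInstallationErrorDomain",
         "USEnglishDescription": "Profile Installation Failed"},
        {"ErrorCode": 4026, "ErrorDomain": "MCInstallationErrorDomain",
         "USEnglishDescription": "The profile **** may require a passcode "
                                 "change but the passcode cannot be modified."},
    ],
    "Status": "Error",
})

# Constructed from the Settings failure quoted on this page (UUID is a placeholder).
SETTINGS_FAIL = plistlib.dumps({
    "CommandUUID": "PLACEHOLDER-UUID",
    "Settings": [{
        "ErrorChain": [{
            "ErrorCode": 12008, "ErrorDomain": "MDMErrorDomain",
            "USEnglishDescription": "Could not modify apps managed by "
                                    "Declarative Device Management."}],
        "Identifier": "com.cloudflare.cloudflareoneagent",
        "Item": "ApplicationConfiguration", "Status": "Error"}],
})
```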
I'm having an issue on ad-hoc OTA installation. I get my app archive via distribution (being automatically signed) with manifest.plist for OTA and upload it to dropbox account.
However itms-service's action=download-manifest does not work for me with the dropbox URLs. I get the download link and add it to the manifest.plist. And then goes the link to download the manifest itself:
itms-services://?action=download-manifest&url=https://www.dropbox.com/scl/fi/rzzlmbgx0duvd5gjb84uf/ManifestName.plist?rlkey=9j96n42qq8t1vwhcf3e7gxj8c&st=2hbhkidc&dl=1
I put the link on another web-site but it's not working. Nothing happens by pushing an install button with redirection link inside. And if I just copy the link and paste it in new page URL Safari asks me if I want to open it via iTunes and then still goes nothing.
I'm not sure this is an issue either on apple and my app or dropbox with their links generation. Like a year ago it worked with the old link-generation. There was no rlkey parameter and the link ended with .../manifest.plist.
Please suggest me if I miss something and maybe should re-check some options on my app or distribution or something. Or I should ask for dropbox's support help.
We are configuring a passcode policy through MDM where the password expiration is set to 2 months for local accounts (not domain joined). Occasionally, we receive prompts to change the password a few days before it expires. Please refer to the image below.
We would like to clarify the following:
What is the default timing for these reminders? Specifically, how many days before the password expiration do these prompts typically start appearing?
Can we adjust the number of days before these reminders appear?
If yes, can this adjustment be made through MDM settings or via a script?