Hi Community, The Leverage macOS has with Bootstrap token is immense using the same for Software Updates, Erase Device and new Local Account Creation in System Settings While I refer From IT Deployment Guide Which States the below For a Mac with macOS 10.15.4 or later, when a secure token-enabled user logs in for the first time, macOS generates a bootstrap token and escrows it to a device management service. I even tested out the Statement using Automated Device Enrollment Workflow ( With AutoAdmin Account Only, With Both AutoAdmin Account , Primary Account ) and it Granted BootStrap Token Immediately upon login How ever with User-Initiated Enrollments it differs like below Sometimes upon installation of MDM Profile in macOS Immediately the BootstrapToken is sent to MDM Sometimes the BootStrapToken is not immediately sent, so I need to logout , login with the Secure Token enabled user for macOS to escrow BootStrapToken to MDM Sometimes Even when I followed the pointer as in 2) like logout / login from a SecureToken Enabled user the BootStrapToken is not escrowed to MDM , Which Affects the OSUpdates, Erasing Capabilities to be used precisely with MDM Protocol Can someone Please Help with the Flow for BootStrapToken Generation / issuance to MDM incase for User-Initiated Enrollment

Hello, according to reports from our users these two ManagedSettingsStore options seem to be stuck in the enabled state even after turning them off or removing screen time permissions and uninstalling the app that configured them. Is this possible? Has anyone seen it? The denyAppRemoval (https://developer.apple.com/documentation/managedsettings/applicationsettings/denyappremoval-swift.property) prevents the user from uninstalling any apps from their device when active. The denyAppInstallation (https://developer.apple.com/documentation/managedsettings/applicationsettings/denyappinstallation-swift.property) "hides" App Store, making it impossible to install any new apps. We haven't been able to replicate it yet. Does anyone know about workarounds when this happens? So far it seems like the only way is to reset the affected device.

We are developing an MDM (Mobile Device Management) solution for device management purposes, and our current implementation process is as follows: 1. Configure DEP profile to obtain profile_uuid We configured a DEP profile with the following parameters to retrieve the profile_uuid: { "allow_pairing": true, "anchor_certs": [], "auto_advance_setup": true, "await_device_configured": false, "configuration_web_url": "", "department": "test define profile", "devices": ["MNWF07QD9M"], "is_mandatory": false, "is_mdm_removable": false, "is_multi_user": false, "is_supervised": true, "language": "zh", "org_magic": "", "profile_name": "Enrollment Profile - MNWF07QD9M", "region": "cn", "skip_setup_items": [ "Accessibility", "ActionButton", "Android", "Appearance", "AppleID", "AppStore", "Biometric", "CameraButton", "DeviceToDeviceMigration", "Diagnostics", "EnableLockdownMode", "FileVault", "iCloudDiagnostics", "iCloudStorage", "iMessageAndFaceTime", "Intelligence", "Keyboard", "MessagingActivationUsingPhoneNumber", "Passcode", "Payment", "Privacy", "Restore", "RestoreCompleted", "Safety", "ScreenTime", "SIMSetup", "Siri", "SoftwareUpdate", "SpokenLanguage", "UpdateCompleted", "WatchMigration", "WebContentFiltering" ], "supervising_host_certs": [], "support_email_address": "", "support_phone_number": "", "url": "https://mdmp.com/mdm/apple/enroll?shopId=1" } We sent a POST request to the /profile endpoint with the above payload, and the response returned the profile_uuid: 605FB5C274303C19189C9B99DCD3280D. 2. Assign the profile We sent a POST request to the /profile/devices endpoint, including the aforementioned profile_uuid and the target devices list in the request body. 3. Scan the device with Apple Configurator 2 We used Apple Configurator 2 to scan and enroll the target device. Issue Encountered After the device restarts twice, it fails to retrieve the mobileconfig file from the URL: https://mdmp.com/mdm/apple/enroll. We are using Nginx as the web server and have enabled access logging, but the logs show no incoming requests from the device to the /mdm/apple/enroll endpoint at all. Could you please help identify where we might have made a mistake in this process?

It seems like every time an IOS update is installed, the camera app file formats get reset to defaults. This setting is not available to manage at the MDM level. Many people need the the most compatible settings for the purpose of file sharing. So, now we have nearly 1,000 devices with a complete mix of photo and video formats. And IT has wasted MANY hours converting files for people. Feature Request: Please either stop resetting the camera app file formats or allow us to manage those settings at the MDM level. Respectfully, Robert

We are moving to Apple Business Store for our b2b customers. On the "residential" apple store side there is testflight. What process would one test an app we provide to a b2b customer when using apple business store publishing? (I don't see any sort of test flight for apple business)

Hello everyone, I am looking for technical clarification regarding potential rate limits when automating frequent iOS device resets. In my workflow, I need to reset test devices multiple times per day using the EraseDevice MDM command, often combined with the ReturnToService flag for automated setup. I understand that after a full reset, the device undertakes several critical steps to become operational again, including device activation, system app installation, MDM re-enrollment, and subsequent validation of developer certificates for internally distributed apps. Based on Apple’s documentation and my own observations, I am aware of the following domains being involved in these processes: Device Activation: albert.apple.com, gs.apple.com, captive.apple.com, humb.apple.com, static.ips.apple.com, sq-device.apple.com, tbsc.apple.com, time*.apple.com System App Installation: *.itunes.apple.com, *.apps.apple.com, *.mzstatic.com MDM Enrollment: Communication with Apple ADE servers followed by the MDM server. Developer Certificate Validation: ppq.apple.com, ocsp.apple.com, crl.apple.com My primary question is: Are there any rate limits imposed by Apple’s servers on these specific processes when performed frequently on the exact same device within a short timeframe (e.g., multiple times per day)? Specifically, could anyone provide information regarding potential limits for: Device activation requests? System app downloads post-activation? Automated Device Enrollment checks and subsequent MDM enrollments? Developer certificate validation requests? Additionally, is the list of domains above comprehensive for these processes, or are there other key endpoints involved that I should be aware of regarding potential rate limiting? Understanding these limitations is crucial for ensuring the reliability of automated device management workflows. Thank you for any insights!

I've been running the betas fine for a while, now, where do you want to go??

Background / Objective We are currently developing a solution to centrally manage Apple OS updates (major and minor) across managed macOS devices. Before implementing at scale, we need Apple’s guidance on supported and future-proof update mechanisms under MDM. Questions / Ask (Apple Guidance Requested) Apple recommended method What is Apple’s recommended approach to perform: Minor updates (e.g., macOS X.Y → X.Z) Major upgrades (e.g., Ventura → Sonoma) in an enterprise fleet? Support boundary Is macOS update management only supported via MDM (including any newer declarative workflows), or are local mechanisms (installer + command-line tooling) also considered supported for enterprise automation? Use of startosinstall Can we leverage the existing utility: /Applications/Install macOS .app/Contents/Resources/startosinstall for automated upgrades in enterprise environments? If yes, are there recommended flags/workflows Apple endorses for unattended or minimally interactive upgrades? Long-term support / stability Does startosinstall have any form of long-term support / stability guarantees across future macOS releases? Are there any known deprecations planned (or guidance that customers should transition to MDM/DDM workflows)? MDM interaction / interference When using startosinstall, can MDM policies (software update deferrals/restrictions, update enforcement, etc.) interfere with or block the upgrade? If interference is expected, what is the correct supported way to coordinate: MDM software update settings local startosinstall execution to avoid failures and ensure compliance? What We Need From Apple (Desired Outcome) A clear statement of recommended and supported update workflow(s) for enterprise managed macOS: for minor updates for major upgrades Guidance on whether startosinstall is acceptable for long-term automation, or whether we should only use MDM/DDM-driven workflows. Any best practices or reference documentation Apple recommends for implementing this safely and reliably.

We are upgrading macOS (minor versions and potentially major versions) using a scripted approach: Install the InstallAssistant package via installer Trigger OS install via startosinstall On MDM-managed assets, OS update policies appear to prohibit or interfere with the update flow. The update often fails with startosinstall reporting “Helper tool crashed…” during the “Preparing” phase. Steps to Reproduce On an MDM-enrolled Mac with OS update restriction/deferral policies applied, run: sudo /usr/sbin/installer -pkg /Path/To/InstallAssistant.pkg -target / && echo 'MACOS_PASSWORD' | /Applications/Install\ macOS\ Sonoma.app/Contents/Resources/startosinstall --agreetolicense --forcequitapps --stdinpass --user MACOS_USER Actual Result Package installation reports success, but startosinstall fails during preparation with: Standard Output installer: Package name is macOS15.7_SoftwareUpdate installer: Upgrading at base path / installer: The upgrade was successful. By using the agreetolicense option, you are agreeing that you have run this tool with the license only option and have read and agreed to the terms. If you do not agree, press CTRL-C and cancel this process immediately. Preparing to run macOS Installer... Preparing: 0.0% Preparing: 0.1% ... Preparing: 24.9% Standard Error Helper tool crashed... notes.log Install.log is also attached. Questions for Apple / Ask: We suspect this crash is caused by MDM OS update restrictions/policies. We need Apple’s recommended method to perform macOS updates (minor + major) when MDM is present, especially in environments where update deferrals/restrictions may be configured.

Hi, I’m testing the ClearPasscode MDM command: https://developer.apple.com/documentation/devicemanagement/clear-passcode-command Question: If a user enters the passcode incorrectly multiple times and the device becomes temporarily locked (e.g., “Try again in X minutes”) or reaches “Security Lockout”, can ClearPasscode still be executed successfully while the device is in that state? {'ErrorCode': 5013, 35708 'ErrorDomain': 'MCPasscodeErrorDomain', 35709 'LocalizedDescription': '\xe3\x81\x93...x89', 35710 'USEnglishDescription': 'The passcode cannot be cleared (-1)'} If it depends on conditions (e.g., supervised vs. user enrollment, availability of UnlockToken, network/check-in state), could you clarify which conditions are required? Thank you.

Hello, I am trying to authenticate to the Apple Business Manager API to retrieve device information and ingest it into ServiceNow. I am following the documentation here. The first step is to create an API account and download the private key used to create a JWT client assertion. The guide linked above gives a python script to create a client assertion. Below the first python script, the following description is given for the "kid" variable: "The value is your keyId that returns when you upload a public key." This is the first time that a public key, rather than a private key, is referenced. Where is the public key supposed to be uploaded? Later in the guide, a public key is referenced again, in the section describing the client_id Request parameter: "(Required) You receive your clientId when you upload a public key." I have tried to create a client assertion using the keyId that is associated with the API account. When I try to request an access token, however, I also get an "invalid_client" error back. I am wondering if I'm using the wrong values for both key_id and client_id due to not creating and uploading a public key. Any help would be appreciated, thanks!

I am trying to correctly manage about 20 Mac, iPhones and PC inside a Wi-Fi network built through System Settings > Sharing > Internet Sharing To achieve this task I defined a complete configuration file: /etc/bootpd.plist which is used by /usr/libexec/InternetSharing. But every time /usr/libexec/InternetSharing is starting the file /etc/bootpd.plist is overwritten by another file and my configuration is thus fully lost. How to set a correct /etc/bootps.plist file and avoid its total overwrite by /usr/libexec/InternetSharing? Is it necessary to write this bootpd.plist in some other directory for /usr/libexec/InternetSharing to load it without destroying it? I got the same configuration total erase on macOS Big Sur and Sequoia.

Hello All, I come to ask a question that I haven't been able to find the docs. I continue to work on implementing declarative management and while working there is a question/concern I have. I have noticed that during some destructive testing, if the device is attempting to fetch a configuration and the server responds with a 503 (or any server related error) then the device will wipe all configurations and attempt to reapply them. Is there any way to prevent this by intercepting status codes or would the only real solution be to force down a temp/test config if the real config can't be fetched from the server?

Hi, I might be a bit late to the party, but Apple has added several SkipKeys such as: TapToSetup and SafetyAndHandling. I want to make sure that the keys is working properly, so I want to do the before-after comparison, however I just can't seem to show pages related to those keys. Just for information, I'm based in Japan and I've been using iPhone pro 16 and M2 iPad Pro for the testing. I believe that TapToSetup is apple tv-related, so I've tried various things such as having it in a same network or using the same apple account both in Apple TV and the iPhone/iPad but I can't get it to show. Any ideas?

Hello, I’d like to clarify the technical limitations around app updates in an Apple School Manager (ASM) + MDM environment. Environment • iOS/iPadOS devices supervised and managed via Apple School Manager • Apps are distributed via ASM (VPP / Custom App) and managed by MDM • Apps are App Store–signed (not Enterprise/In-House) • Some apps include NetworkExtension (VPN) functionality • Automatic app updates are enabled in MDM Question From a technical and platform-design perspective, is it possible to: Deploy app updates for ASM/MDM-distributed App Store apps via a separate/custom update server, and trigger updates simultaneously across all managed devices, bypassing or supplementing the App Store update mechanism? In other words: • Can an organization operate its own update server to push a new app version to all devices at once? • Or is App Store + iOS always the sole execution path for installing updated app binaries? ⸻ My current understanding (please correct if wrong) Based on Apple documentation, it seems that: 1. App Store–distributed apps cannot self-update • Apps cannot download and install new binaries or replace themselves. • All executable code must be Apple-signed and installed by the system. 2. MDM can manage distribution and enable auto-update, but: • MDM cannot reliably trigger an immediate update for App Store apps. • Actual download/install timing is decided by iOS (device locked, charging, Wi-Fi, etc.). 3. Custom update servers • May be used for policy decisions (minimum allowed version, feature blocking), • But cannot be used to distribute or install updated app binaries on iOS. 4. For ASM-managed devices: • The only supported update execution path is: App Store → iOS → Managed App Update • Any “forced update” behavior must be implemented at the app logic level, not the installation level. ⸻ What I’m trying to confirm • Is there any supported MDM command, API, or mechanism that allows: • Centralized, immediate, one-shot updates of App Store apps across all ASM-managed devices? • Or is the above limitation fundamental by design, meaning: • Organizations must rely on iOS’s periodic auto-update behavior • And enforce version compliance only via app-side logic? ⸻ Why this matters In large school deployments, delayed updates (due to device conditions or OS scheduling) can cause: • Version fragmentation • Inconsistent behavior across classrooms • Operational issues for VPN / security-related apps Understanding whether this limitation is absolute or if there is a recommended Apple-supported workaround would be extremely helpful. Thanks in advance for any clarification

We are having issues working with bypass codes the server creates when initiating Activation Lock through MDM. We are able to use the device-generated bypass codes without issue. When using the end point to request activation lock as specified in https://developer.apple.com/documentation/devicemanagement/creating-and-using-bypass-codes/ we get a 200 response. But when using the endpoint to bypass the activation lock, we get a 404 response. If we try to manually input the activation lock bypass code, it also does not work. Both of these methods work with the device-generated bypass codes. Just to clarify when testing the server generated codes, we ensured that we did not test the device-generated codes. All of this was tested on iOS devices. Created feedback ticket FB21365819 with device specific details.

Issue Using the DeviceInformationCommand API, the following device information can no longer be retrieved on iOS/iPadOS 26 and later. IMEI ICCID PhoneNumber This issue does not occur on devices running iOS/iPadOS 18.x or earlier. We would appreciate it if you could advise us on a solution to enable the retrieval of this information. Request XML <?xml version=\"1.0\" encoding=\"UTF-8\"?> <!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"> <plist version=\"1.0\"> <dict> <key>CommandUUID</key> <string><!-- Here is CommandUUID --></string> <key>Command</key> <dict> <key>RequestType</key> <string>DeviceInformation</string> <key>Queries</key> <array> <string>IMEI</string> <string>ICCID</string> <string>PhoneNumber</string> </array> </dict> </dict> </plist>

I came across this tool that enables supervised mode on iOS without resetting the data. it's essentially a macOS with a unix executable file underneath. a quick guide of how it works is here https://www.techlockdown.com/guides/enable-supervised-mode-iphone I would appreciate any guidance on how to recreate this, as this is behind a paywall, and would like to offer something similar for free to people who want to restrict their families devices.

Steps to Reproduce Step 1: Fetch Initial Device List Called the device list endpoint to retrieve all devices and saved the cursor: GET https://mdmenrollment.apple.com/server/devices Step 2: Modify Devices Added and deleted several devices via https://business.apple.com/ Step 3: Sync Without Pagination Called the sync endpoint using the cursor from Step 1 (no limit): GET https://mdmenrollment.apple.com/devices/sync?cursor={step1_cursor} Result: Returned 3 device records as expected: { "devices": [ { "serial_number": "F70JJ4C16L", "op_type": "added", "op_date": "2025-12-11T07:05:05Z" }, { "serial_number": "F70JJ4C16L", "op_type": "deleted", "op_date": "2025-12-11T07:04:36Z" }, { "serial_number": "C8RWGXZXJWF5", "op_type": "deleted", "op_date": "2025-12-11T07:04:52Z" } ], "more_to_follow": false } Step 4: Sync With Pagination (First Page) Called the sync endpoint using the same cursor from Step 1 with limit=1: GET https://mdmenrollment.apple.com/devices/sync?cursor={step1_cursor}&limit=1 Result: Returned 1 record with more_to_follow: true — indicating more data exists: { "devices": [ { "serial_number": "F70JJ4C16L", "op_type": "added", "op_date": "2025-12-11T07:05:05Z" } ], "more_to_follow": true, "cursor": "MTowOjE3NjU0MzgyNDI5ODc6..." } Step 5: Sync With Pagination (Second Page) Called the sync endpoint using the cursor from Step 4 with limit=1: { "devices": [], "more_to_follow": false } Expected Behavior When paginating with limit=1, the API should return all 3 records across 3 sequential requests. Actual Behavior Without pagination: Returns 3 records ✓ With pagination (limit=1): Returns only 1 record, then empty array ✗ 2 records are missing when using pagination. Impact This inconsistency makes the sync API unreliable for incremental device synchronization workflows.

Hi, everyone! Is there any way to change ACL of existing Private key in system keychain using MDM? We would like to add the binary or .app to access list of the key. I tried to send script via MDM which imported/exported our certificate with private key with required ACL. But can we change it without import/export?