I've noticed that there is a tab for Ads in Apple Business and would like to know more about how this would integrate with claiming a business location. As well as uploading photos of the business, what types of features would be rolled out in the future, if it will be a central place to manage business locations? If this is more towards the Maps & Location Q&A or both, please direct this to the correct Q&A section. Thank you

With all of the announcements and improvements to Siri and Apple Intelligence on macOS/iOS/iPadOS 27, organizatiosn continue to decide whether to allow/deny Apple Intelligence in part or in whole. With so much capability for on-device AI, and with new Profiles available to developers to route AI requests to remain on-device versus shipping to Private Cloud Compute, is there any way, undocumented or otherwise where organizations can begin to allow Apple Intelligence on if it's kept on-device only and not have the permission to offload to the cloud of an external AI provider such as ChatGPT?

In domain capture, could you include the option to manually send invitations to users before running the domain capture process for the entire domain? Currently, I see that the option exists, but only for marketing-related accounts.

Hello, Thanks for all these new amazing updates, With the changes regarding the management state not restored anymore from the backup on iOS 27, can we expect the following flow to work: Backup an iPhone, adding it to Apple Business and ADE, and restore the same backup during activation to trigger ADE enrollement while restoring the backup on the device ? Currently when users are migrating a device from unmanaged to managed we have them restore the backup on the buffer device, backup this buffer device and restore that backup on the original iPhone. It would be really helpful when customers are starting to manage existing devices. Thanks

For binary execution control on Endpoint Security — how granular are the code-signing matching rules, and what happens to a denied binary that's already running versus launched fresh? For the consolidated privacy consent prompt — does app.settings replace the privacy preferences we manage today, or coexist with them? Knowing whether it's a clean migration or a parallel system would help our planning. Thanks!

We found an issue where the DetailURL configured in a Declarative Device Management OS update declaration is displayed on the device’s Software Update screen, but tapping the link does not open the URL on some iOS versions. This issue appears to occur specifically on iOS 26.4. The same behavior could not be reproduced on iOS 17.x or iOS 18.x devices using the same MDM command configuration and the same URL. Environment: MDM command: Declarative OS Update command Command configuration: Target OS Version: 26.5 Build Version: 23F77 DetailURL: Appleデバイスのソフトウェアアップデート宣言型構成 - Apple サポート (日本) Device requirements: Supervised iOS device Managed by MDM Connected to Wi-Fi OS update available No Safari restriction or browser launch restriction configuration profile applied Reproduction Steps: Prepare a supervised iOS device managed by MDM. Send a Declarative Device Management OS update command with the following configuration: Target OS Version: 26.5 Build Version: 23F77 DetailURL: Appleデバイスのソフトウェアアップデート宣言型構成 - Apple サポート (日本) After the command is applied, open the device Settings app. Go to General > Software Update. Confirm that the URL configured in DetailURL is displayed on the Software Update screen. Tap the displayed URL. Expected Result: The displayed DetailURL should open in Safari or the default browser. Actual Result: On iOS 26.4 devices, the URL is displayed on the Software Update screen, but tapping the link does not open Safari or navigate to the URL. On other tested iOS versions, the URL opens correctly. Test Results: Reproduced / Not working: iPhone 15 Pro, iOS 26.4: reproduced 3/3 iPhone 17e, iOS 26.4: reproduced Not reproduced / Working: iPhone SE, iOS 17.7: Safari opens successfully iPhone 14 Pro Max, iOS 17.6.1: Safari opens successfully, 0/3 reproduced iPhone 12 Pro, iOS 18.7.7: Safari opens successfully iPhone 11 Pro Max, iOS 18.7.8: Safari opens successfully, 0/3 reproduced Additional Notes: We confirmed that Safari usage restrictions and browser launch-related configuration profiles were not applied on the affected test device. A sysdiagnose was collected from the affected iPhone 15 Pro running iOS 26.4. From the logs, it appears that the Settings app / Preferences attempts to open Safari, but the URL cannot be opened. The log suggests that an invalid or unexpected URL may be passed from the Settings app when the Software Update screen link is tapped. This issue does not appear to be specific to the MDM server implementation, because the same Declarative OS Update configuration works correctly on iOS 17.x and iOS 18.x devices. Based on current testing, this may be an iOS 26.4-specific issue with how the Software Update screen handles the DetailURL link.

Hello, I’m trying to clarify whether the new Age Range / Age Assurance Setup Assistant pane can be skipped on macOS when using a standard MDM Device Enrollment flow, not Automated Device Enrollment. Environment: Platform: macOS Tahoe 26.5.1 Enrollment type: MDM Device Enrollment, not ADE / DEP MDM: Microsoft Intune Profile deployment channel: Device profile Payload type: com.apple.SetupAssistant.managed Key used: SkipSetupItems Skip items tested: AgeAssurance AgeBasedSafetySettings The configuration profile installs successfully on the Mac as a device profile. I can confirm that the com.apple.SetupAssistant.managed payload is present on the device and includes the tested SkipSetupItems values. However, the Age Range / age-related Setup Assistant pane is still shown to the user. Example payload content: <dict> <key>PayloadType</key> <string>com.apple.SetupAssistant.managed</string> <key>PayloadIdentifier</key> <string>com.example.setupassistant.managed</string> <key>PayloadUUID</key> <string>REDACTED-UUID</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadDisplayName</key> <string>Managed Setup Assistant</string> <key>SkipSetupItems</key> <array> <string>AgeAssurance</string> <string>AgeBasedSafetySettings</string> </array> </dict> What I expected: When the com.apple.SetupAssistant.managed payload is installed as a device-level profile and includes the relevant age-related skip keys, the Age Range / Age Assurance pane should be skipped during Setup Assistant, or Apple documentation should state clearly that this pane can only be skipped in ADE. What actually happens: The profile installs, but the Age Range / age-related Setup Assistant pane still appears to the user on macOS 26.5.1. Documentation ambiguity: Apple’s Setup Assistant payload documentation says: The supported payload identifier is com.apple.SetupAssistant.managed Supported operating systems/channels include macOS device and macOS user Supported enrollment methods include User Enrollment, Device Enrollment, and Automated Device Enrollment SkipSetupItems is a list of Setup Assistant panes that can be skipped Apple’s macOS Tahoe 26 enterprise notes say: “The new Age Range setup pane is automatically skipped for devices using Automated Device Enrollment.” That wording clearly mentions ADE, but I have not found documentation that explicitly states whether the Age Range pane is intentionally unsupported for non-ADE macOS MDM enrollment, or whether there is a separate skip key required for macOS. Third-party MDM/tooling documentation appears to reference the following newer skip keys: AgeAssurance AgeBasedSafetySettings However, it is unclear whether those keys are supported on macOS, iOS/iPadOS only, ADE only, or all MDM enrollment methods. Questions: Are AgeAssurance and AgeBasedSafetySettings valid SkipSetupItems values on macOS 26.5.1? If yes, are they supported only during Automated Device Enrollment, or should they also work with standard MDM Device Enrollment? If these keys are iOS/iPadOS-only, what is the correct macOS skip item for the Age Range / age-related Setup Assistant pane? Is the Age Range pane intentionally only auto-skipped in ADE on macOS? Should Apple’s public Device Management / SkipKeys documentation be updated to list the correct key names, supported platforms, minimum OS versions, and enrollment requirements? This is important for Mac deployments where devices are enrolled into MDM but are not assigned through Apple Business Manager / Automated Device Enrollment. At the moment, it is difficult to determine whether the behavior is expected, unsupported, or a bug in macOS / Setup Assistant / MDM profile handling. Thanks.

We use managed Apple accounts for all users in our environment. One of these accounts is associated with an App Store app. Currently the developer console has a banner that says: "There's no credit/debit card on the Apple Online Store associated with your Apple ID to auto-renew your membership." This account, as well as my own admin account, are unable to add a payment method to our Apple account. We're missing the "Payments & Shipping" button on the Manage Account page. How can we renew our developer subscription to keep our app on the App Store? It's critical for us that the account that owns this app is managed. TIA

Hi Team, Request your help with the below queries. Regarding target-local-date-time status item https://github.com/apple/device-management/blob/release/declarative/status/softwareupdate.pending-version.yaml#L59. The value reported is not the same sent to the device, looks like it is being converted into UTC and sent. Please confirm if this value sent here will be in UTC always, the github link mentions it will be local date time value and does not mention that i will be in UTC. In the softwareupdate.enforcement.specific schema it is clearly mentioned we should not use any timezone. Please find below a sample payload sent to the device and the status report from the device. Device time zone is IST ("Asia/Kolkata") Target local date time is property for iOS is not matching the schema. The property is "softwareupdate.target-local-date-time" instead of "target-local-date-time". Payload: {{"Identifier":"v1|CONFIGURATION|OS_UPDATE|26.5|8ba807e8-6a75-4c50-a379-b7363c4c82fc","ServerToken":"vH|86iQ8CT5QdgErs5ZNQXpUAX4YntAr5kMxkeRNHcXDKg=","Type":"com.apple.configuration.softwareupdate.enforcement.specific","Payload":{"TargetOSVersion":"26.5","TargetLocalDateTime":"2026-06-30T10:00:00"}} Status Report from device: "StatusItems" : { "softwareupdate" : { "install-state" : "downloading", "pending-version" : { "build-version" : "23F77", "os-version" : "26.5", "softwareupdate.target-local-date-time" : "2026-06-30 04:30:00 +0000" } } }, "Errors" : [ ] } For MacOS TimeZone value is not included in DeviceInformation command, even when the request Queries contains <string>TimeZone</string>. Please find below part of the request sent to the device. The device was on OS version 26.0, which is supported as per documentation. <plist Version="1.0"> <dict> <key>CommandUUID</key> <string>4a79dd95-e4bb-450b-96cc-82f61ae4c89e</string> <key>Command</key> <dict> <key>RequestType</key> <string>DeviceInformation</string> <key>Queries</key> <array> <string>DeviceName</string> <string>OSVersion</string> ... <string>TimeZone</string> .. </array> </dict> </dict> </plist>

Requesting com.apple.managed-keychain Entitlement for Enterprise S/MIME Cert Visibility Platform: iOS | Distribution: MDM (Microsoft Intune) | Not App Store We are developing an internal enterprise iOS app (EMS Assist, com.company.supportcompanion) for Company deployed exclusively to Intune-managed devices. Our requirement: Read S/MIME certificates pushed to the device via Intune SCEP profiles to: Confirm cert presence in the MDM-managed keychain Read expiry date (kSecAttrNotValidAfter) to warn users before expiry Distinguish between missing, expired, and valid cert states What we have tried: Standard SecItemCopyMatching query — returns only app-installed certs, not MDM-pushed certs Graph API (deviceConfigurationStates) — confirms profile compliance but does not expose actual cert expiry or keychain presence Our understanding: com.apple.managed-keychain is required for an app to access MDM-managed keychain items on supervised devices, combined with a matching keychain-access-groups entitlement and the cert profile configured as "always available" in MDM. Questions: Is com.apple.managed-keychain the correct entitlement for this use case? Does it apply to SCEP/PKCS-issued certificates specifically, or only other MDM keychain items? Has anyone successfully accessed Intune-pushed S/MIME certs from an iOS app using this entitlement? Any guidance from the community or Apple engineers would be appreciated.

Hello I am looking at taking advantage of managing some features via DDM in an app. I noticed in the ServicesConfigurationFiles link (https://developer.apple.com/documentation/devicemanagement/servicesconfigurationfiles) it says You can create an executable that uses service configuration files by calling the mcf_service_path_for_service_type method in the libmanagedconfigurationfiles.dylib system library. You pass in an identifier for your service type and the method returns the file system path for the directory that contains the corresponding service configuration files. Use those files to override the standard or default configuration the executable would otherwise use. See libmanagedconfigurationfiles.h in the macOS SDK for more detail. I can't find any more references or information on mcf_service_path_for_service_type, libmanagedconfigurationfiles.dylib or libmanagedconfigurationfiles.h anywhere. Is there any information somewhere about this? Or how to use it? Or a POC small example?

I am interested in managing some configuration files for an app using Declarative Device Management (DDM) and noticed a blurb on the ServicesConfigurationFiles developer page that makes it seem like 3rd party apps can take advantage of DDM service files. But I'm not exactly sure how https://developer.apple.com/documentation/devicemanagement/servicesconfigurationfiles You can create an executable that uses service configuration files by calling the mcf_service_path_for_service_type method in the libmanagedconfigurationfiles.dylib system library. You pass in an identifier for your service type and the method returns the file system path for the directory that contains the corresponding service configuration files. Use those files to override the standard or default configuration the executable would otherwise use. See libmanagedconfigurationfiles.h in the macOS SDK for more detail I can't find any more details in the developer documentation on this. How would this be used? Could someone give an example or small POC?

Is system_profiler the recommended approach for retrieving installed application data on macOS? If not, what is the preferred and reliable alternative to fetch a consistent and complete list of installed applications?

Hi, We're implementing a DDM-capable MDM server. A DEP-enrolled, supervised iPad (iOS 26.4.2) successfully completes manifest synchronization but never proceeds to fetch the individual declaration bodies. Looking for guidance on what we might be missing. Observed flow (from our server logs): We enqueue a DeclarativeManagement MDM command and APNs-wake the device. The command body is: RequestTypeDeclarativeManagement (no Data field) Device acknowledges the command on the Connect endpoint (Status=Acknowledged). Device calls CheckIn with: MessageType = DeclarativeManagement Endpoint = tokens We respond 200 with: { "SyncTokens": { "DeclarationsToken": "", "Timestamp": "2026-05-19T..." } } Device calls CheckIn with: MessageType = DeclarativeManagement Endpoint = declaration-items We respond 200 with: { "Declarations": { "Activations": [{"Identifier":"...","ServerToken":"v1-..."}], "Configurations": [{"Identifier":"...","ServerToken":"v1-..."}], "Assets": [], "Management": [] }, "DeclarationsToken": "" } ---- Nothing further. ---- No request for Endpoint = declaration/activation/ No request for Endpoint = declaration/configuration/ No status report on Endpoint = status The MDM channel is healthy. The same device responds normally to non-DDM commands (DeviceInformation, etc.) immediately before and after this flow. Questions: Is an empty "Management" array acceptable in the declaration-items response, or is at least one declaration (e.g. com.apple.management. organization-info) required before the device will proceed to fetch declaration bodies? The DeclarationsToken returned in step 3 (tokens) and step 4 (declaration-items) are byte-identical. Is that correct, or should they differ in some way? Are there any additional preconditions for the device to begin fetching declaration bodies after receiving the manifest -- e.g. a specific Activation->Configuration linkage we might be missing? Is there a server-side log signal Apple can suggest we look for, or a way to see why the device decided not to fetch? Activation payload sample we publish: { "Type": "com.apple.activation.simple", "Identifier": "...", "ServerToken": "v1-...", "Payload": { "StandardConfigurations": ["<configuration-identifier-from-step-4>"] } } Configuration payload sample we publish: { "Type": "com.apple.configuration.softwareupdate.settings", "Identifier": "...", "ServerToken": "v1-...", "Payload": { ... softwareupdate settings ... } } Any pointers appreciated. Happy to share full server-side logs / payloads if useful. Thanks.

Hello Apple Developer Community, I'm experiencing an invalid_client error (HTTP 400) when attempting to authenticate with the Apple School Manager API using OAuth2 with JWT bearer assertion (RFC 7523). Despite verifying all configuration values and following Apple's documentation, I continue to receive this error. Error Details Error: invalid_client HTTP Status: 400 Bad Request Endpoint: https://appleid.apple.com/auth/oauth2/v2/token Response: {"error": "invalid_client"} My Configuration All values have been verified to match Apple School Manager exactly: Organization ID: 55155430 Key ID: 8136a1f6-c995-4010-b964-bc8278c107ef Client ID (Service ID): SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 Private Key: Loads correctly, signs JWT properly (ES256) JWT Configuration I'm generating a JWT with the following structure: Header: { "alg": "ES256", "kid": "8136a1f6-c995-4010-b964-bc8278c107ef", "typ": "JWT" } Payload: { "iss": "55155430", "sub": "SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59", "aud": "https://appleid.apple.com", "iat": [timestamp], "exp": [timestamp + 30 days] } Token Request Method: POST Content-Type: application/x-www-form-urlencoded Parameters: grant_type: client_credentials client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion: [JWT token] scope: https://api.apple.com/auth/schoolmanager What I've Verified ✅ All configuration values match Apple School Manager exactly ✅ Private key file exists and loads correctly ✅ JWT is generated with correct structure (ES256, proper claims) ✅ Key ID in JWT header matches the Key ID from Apple School Manager ✅ Request format matches OAuth2 RFC 7523 specification ✅ Content-Type header is application/x-www-form-urlencoded ✅ Tried both Client ID and Organization ID as sub claim (both fail with same error) ✅ DNS resolution and API connectivity are working ✅ API account appears active in Apple School Manager interface What I've Tried Using Client ID as sub: Tried using SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 as the sub claim Using Organization ID as sub: Tried using 55155430 as the sub claim (fallback) With and without scope: Tried both including and excluding the scope parameter Different JWT expiration: Tried various expiration times (30 days, 180 days) Verified Service ID format: Confirmed the Client ID follows the SCHOOLAPI.xxxxx-xxxxx-xxxxx format Both attempts (Client ID and Organization ID as sub) return the same invalid_client error. Previous Support Interaction I've contacted Apple Developer Support (Case #102783504559). They confirmed: The technical implementation is correct The issue is an account access/permission problem My Apple Account email is not associated with any memberships The Account Holder must add me to the Enterprise team membership However, I'm posting here to see if anyone in the community has: Experienced similar issues and found a solution Additional technical insights about the invalid_client error Suggestions for what else to verify or try Questions Is there a specific format requirement for the sub claim? Should it be the Client ID (Service ID) or Organization ID? I've tried both. Are there any additional claims required in the JWT beyond iss, sub, aud, iat, exp? Could there be a backend issue with the API account even though it appears active in Apple School Manager? Has anyone successfully resolved an invalid_client error that wasn't related to account access? Is there a delay after creating an API account before it becomes fully active for authentication? Technical Details Language: Python (Flask) JWT Library: PyJWT with cryptography library Algorithm: ES256 (ECDSA P-256) OAuth2 Flow: Client Credentials Grant with JWT Bearer Assertion (RFC 7523) Error Log I've generated a detailed error log showing the exact request/response. The key points: HTTP 400 Bad Request Response: {"error":"invalid_client"} Same error occurs with both Client ID and Organization ID as sub Any Help Appreciated If anyone has encountered this issue or has insights into what might be causing it, I'd greatly appreciate your help. I'm happy to provide additional details or try any suggestions. Thank you! Case Number: 102783504559 API Account: Created in Apple School Manager Status: API account appears active, but authentication fails

Our organization is attempting to retrieve the External Version Identifier (EVID) history for all published versions. This data is required so that we can pass the exact externalVersionIdentifier integer to our deployment framework to pin specific app versions on our managed devices. We currently have an active App Store Connect account, but our attempts to fetch this data via standard publishing APIs return a 401 Unauthorized error. To help us resolve this technical blocker, please provide explicit engineering guidance on the following four points: API Endpoint Architecture: Is the enterprise Apps and Books for Organizations API (apple.com) the only platform that exposes the externalVersionId history for all versions? If so, what is the exact endpoint path we must call to return the full version-based EVID array? Account Requirements: Can these version-specific EVIDs be retrieved using our existing App Store Connect developer credentials, or is an Apple Business Manager (ABM) account strictly mandatory to bypass the 401 gate? ABM Portal Setup for EVIDs Only: If an ABM account is mandatory, what are the minimum technical steps required inside the ABM dashboard to fetch only the EVID data? Specifically, do we need to "purchase" a volume license for the target app to make its version history accessible via the API? Authentication Parameters: What is the correct token structure for this endpoint? Do we need to pass a specific location server token (sToken / itvt cookie) generated inside ABM alongside our signed developer JWT header? Thank you for your time and technical guidance. We look forward to your engineering team's response.

Buongiorno, In azienda abbiamo molti iPhone gestiti su ABM integrati con Intune, adesso il passaggio su nuovi dispositivi con ripristino dei dati non è possibile avvicinandoli perché la funzione “inizia subito“ non appare. Qualcuno conosce un sistema rapido per la migrazione dei dati da un iPhone a un altro che non sia il Finder? Grazie per l’aiuto

forum-post-v2-evidence.log MCRestrictionsPayload (allowListedAppBundleIDs) breaks Apple Watch app enumeration — nanotimekitcompaniond reports "Missing .app from directory: /Watch/" Summary Installing a Configuration Profile with com.apple.applicationaccess payload containing allowListedAppBundleIDs causes native Apple Watch apps to disappear from the paired Watch — even when their bundle IDs are explicitly in the whitelist. Log analysis shows this is not a bundle ID matching problem: nanotimekitcompaniond on the iPhone fails to enumerate the <companion>.app/Watch/ subdirectories where native watchOS app stubs live. Follow-up to https://developer.apple.com/forums/thread/745585 — community-confirmed but received no official response. Environment iPhone 16 (iPhone17,3), iOS 26.4.2 (23E261), supervised Apple Watch paired via Bridge.app Profile installed locally via Apple Configurator (no MDM server required) Smoking gun Within ~5 seconds of profile install, two processes (nanotimekitcompaniond and NTKFaceSnapshotService) log identical errors for eight companion-app paths: nanotimekitcompaniond[1498] <Error>: Missing .app from directory: file:///Applications/MobilePhone.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../Calculator.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../Bridge.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../MobileTimer.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../Camera.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../VoiceMemos.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../MobileMail.app/Watch/ nanotimekitcompaniond[1498] <Error>: Missing .app from directory: .../FindMy.app/Watch/ NTKFaceSnapshotService[3758] <Error>: Missing .app from directory: <same 8 paths> The Watch's app icons and face complications both go through these processes, which explains the symptoms users see. iOS itself flags the payload as Watch-incompatible — but applies it anyway profiled[179] <Notice>: Payload class MCRestrictionsPayload (com.apple.applicationaccess) is not supported on any Watch version profiled[179] <Notice>: Payload class MCRestrictionsPayload (com.apple.applicationaccess) is not available on HomePod profiled[179] <Notice>: Beginning profile installation... profiled[179] <Notice>: Profile "...v2..." installed. So profiled knows the payload doesn't target watchOS — yet its side effects clearly manifest there. Tests performed Test Bundle IDs in whitelist Result v1 249 (every installed iOS app: Apple + 3rd party) Walkie-Talkie, Messages, Find My + more disappear from Watch v2 295 (v1 + every Apple extension/Nano* daemon seen in syslog: *.MessagesActionExtension, *.FindMyNotifications*Extension, *.FindMyWidget*, com.apple.NanoBackup, com.apple.NanoMusicSync, com.apple.NanoPreferencesSync, com.apple.NanoTimeKit.face, com.apple.NanoUniverse.AegirProxyApp, com.apple.tursd, com.apple.FaceTime.FTConversationService, com.apple.Bridge.GreenfieldThumbnailExtension, etc.) Identical Missing-.app errors. Same apps disappear. Conclusion: this is not a bundle ID matching issue — adding more IDs doesn't help. The system fails to enumerate <companion-iOS-app>.app/Watch/ regardless of whitelist contents. Many users in my prior thread reported trying 100+ bundle ID combinations without success; this evidence explains why. Reproduction (no MDM required) Pair Apple Watch with iPhone normally. Generate a Configuration Profile with com.apple.applicationaccess + any non-empty allowListedAppBundleIDs array. Install via Apple Configurator's cfgutil install-profile, or AirDrop + Settings → Install. Within ~5 s, nanotimekitcompaniond errors appear (visible via idevicesyslog). Native Watch apps backed by an iOS companion stub disappear from the Watch's app grid and from face complications. Hypothesis MCRestrictionsPayload applies an enumeration filter that does not descend into .app/Watch/ subdirectories when computing visible apps. nanotimekitcompaniond consequently sees those directories as missing, the Watch's Carousel (SpringBoard equivalent) hides the apps, and NTKFaceSnapshotService can't load corresponding complications. Because profiled itself logs the payload as "not supported on any Watch version", this appears to be unintended bleed-through. Questions for Apple Is MCRestrictionsPayload / allowListedAppBundleIDs officially supposed to affect Apple Watch apps? profiled says no. Is there an undocumented bundle ID pattern (e.g. <companion>.watchapp, or a Bridge.app/Watch/ prefix) that needs whitelisting to keep native Watch apps visible? Is the recommended workaround to use blacklistedAppBundleIDs instead? Should the enumeration error (Missing .app from directory: .../Watch/) be tracked as a separate watchOS framework bug? Artifacts Curated evidence log with timestamps, profile installer events, and the eight Missing-.app errors is attached as forum-post-v2-evidence.log. Full idevicesyslog captures (multiple install/remove cycles, ~2M log lines) and the .mobileconfig files are available on request. Thanks — looking forward to guidance.

Summary: When applying a configuration profile that uses allowListedAppBundleIDs to permit a defined set of apps, essential Apple Watch apps are unexpectedly removed from the paired Watch — even though their associated iPhone bundle IDs are explicitly included. This issue occurs with a minimal profile, and has been consistently reproducible on the latest versions of iOS and watchOS. Impact: This behavior severely limits the use of Apple Watch in managed environments (e.g., education, family management, accessibility contexts), where allowlisting is a key control mechanism. It also suggests either: Undocumented internal dependencies between iOS and watchOS apps, or A possible regression in how allowlists interact with Watch integration. Steps to Reproduce: Create a configuration profile with a Restrictions payload containing only the allowListedAppBundleIDs key. Allow a broad list of essential system apps, including all known Apple Watch-related bundle IDs: com.apple.NanoAlarm com.apple.NanoNowPlaying com.apple.NanoOxygenSaturation com.apple.NanoRegistry com.apple.NanoRemote com.apple.NanoSleep com.apple.NanoStopwatch com.apple.NanoWorldClock (All the bundles can be seen in the Attached profile) Install the profile on a supervised or non-supervised iPhone paired with an Apple Watch. Restart both devices. Observe that several core Watch apps (e.g. Heart Rate, Activity, Workout) are missing from the Watch. Expected Behavior: All apps explicitly included in the allowlist should function normally. System apps — especially those tied to hardware like Apple Watch — should remain accessible unless explicitly excluded. Actual Behavior: Multiple Apple Watch system apps are removed or hidden, despite their iPhone bundle IDs being listed in the allowlist. Test Environment: iPhone running iOS 18 Apple Watch running watchOS 11 Profile includes only the allowListedAppBundleIDs key Issue confirmed on fresh devices with no third-party apps Request for Apple Engineering: Please confirm whether additional internal or undocumented bundle IDs are required to preserve Apple Watch functionality when allowlisting apps. If this behavior is unintended, please treat this as a regression or bug affecting key system components. If intentional, please provide formal documentation listing all required bundle IDs for preserving Watch support with allowlisting enabled. Attachment: .mobileconfig profile demonstrating the issue (clean, minimal, reproducible) Attached test profile = https://drive.google.com/file/d/12YknGWuo1bDG-bmzPi0T41H6uHrhDmdR/view?usp=sharing

We've put in a feedback assistant request, but not sure if we will get feedback in that channel or not and also want to highlight for others. When replacing a basic passcode profile on a macOS device with a passcode declaration, the user is required to change the password after logging out and back in. Explicitly including the "ChangeAtNextAuth" key set equal to false, set required a password change after logging out and back in. Once the declaration is active and the password has been changed, future updates to the passcode declaration do not require a password change unless the existing password is not compliant. Steps to reproduce: Install a basic passcode profile on a macOS device Ensure the existing password matches the requirements specified in the profile Install a passcode declaration with the same settings as the passcode profile currently installed Remove the traditional passcode profile from the device After the passcode declaration is installed, check the local pwpolicy with the command pwpolicy getaccountpolicies and look for the key policyAttributePasswordRequiredTime Log out of the macOS device Log back into the macOS device and you are presented with a change password prompt Expected result: Simply replacing an existing passcode profile with the exact same settings in a passcode declaration should not require a password change if the existing password is compliant. Actual results: After replacing the passcode profile with a passcode declaration, a password change was required even though the existing password was compliant. Initial testing was done with a macOS VM running 15.5. Additional testing has now been done with a macOS VM running 26.4.1 and the same behavior was observed.