Hi There Our app is used in the hospital field and receives remote APNS via the Notification Service Extension. We found a scenario where screen is on, our app is in background, if a "Critical" notification is displayed as a banner at the top of the screen, subsequent normal notifications will be suppressed and no sound will play. Only after the user swipes away the critical notification will the normal notification appear and play a sound. is this as expected? I could not find any document on such case from Apple. Thanks.

It's a great platform to grow your knowledge. Apple Teacher

Hello, according to reports from our users these two ManagedSettingsStore options seem to be stuck in the enabled state even after turning them off or removing screen time permissions and uninstalling the app that configured them. Is this possible? Has anyone seen it? The denyAppRemoval (https://developer.apple.com/documentation/managedsettings/applicationsettings/denyappremoval-swift.property) prevents the user from uninstalling any apps from their device when active. The denyAppInstallation (https://developer.apple.com/documentation/managedsettings/applicationsettings/denyappinstallation-swift.property) "hides" App Store, making it impossible to install any new apps. We haven't been able to replicate it yet. Does anyone know about workarounds when this happens? So far it seems like the only way is to reset the affected device.

We've disabled FUS through a config profile, but users can still access FUS by enabling the MenuBar/Control Center icons. My org would like to prevent access to FUS so I've created a config profile. But the profile doesn't seem to work. Anyone have any ideas what I'm missing, or is this an OS bug? <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadDisplayName</key> <string>macOS - Tahoe - Disable Fast User Switching Control Center</string> <key>PayloadIdentifier</key> <string>com.myorg.fast-user-switching</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadScope</key> <string>System</string> <key>PayloadUUID</key> <string>f1a2b3c4-d5e6-7890-abcd-ef1234567890</string> <key>PayloadVersion</key> <integer>1</integer> <key>TargetDevmyorgType</key> <integer>5</integer> <key>PayloadContent</key> <array> <dict> <key>PayloadType</key> <string>com.apple.controlcenter</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>com.apple.controlcenter.57EBEF9E-E568-411E-AE27-500AD98C94F4</string> <key>PayloadUUID</key> <string>f1a2b3c4-d5e6-7890-abcd-ef1234567890</string> <key>UserSwitcher</key> <integer>8</integer> </dict> <dict> <key>PayloadType</key> <string>.GlobalPreferences</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>.GlobalPreferences.71DE1486-60BC-4CB9-890D-AD50A772890D</string> <key>PayloadUUID</key> <string>c5234012-e0sw-2066-6fl8-3bd5p8125op7</string> <key>MultipleSessionEnabled</key> false/> </dict> </array> </dict> </plist>

This is in reference to the feedback ticket : https://feedbackassistant.apple.com/draft/57929340, we would like to know if there are any test enterprise websites that Apple can suggest to test passkeys declaration.

Hello, this may not be the correct place to ask this question so I apologize in advance if this is the case. I am currently running into two specifc issues while continuing to implement the app.managed configuration which are quite frustrating and I will detail them below Unlike MDM where an application could be "reinstalled", by sending an install application command down for the same app DM does not have a similar mechanism which causes some issues as (while inconsistent) devices do not always respect the configuration sent down, and will not begin downloading VPP applications. They can be seen in the configuration when checking under VPN & Device Management but they do not return on a status report, alternatively and app will "install" but will have a cloud symbol next to it requiring a download (which I believe would be impossible on supervised devices without apple accounts/have restricted apple accounts associated to them). These apps are also reported incorrectly, as they return a managed response while being inaccessible. Both of these issues are solved by removing and reinstall applications (occasionally). Is there any easier way to trigger a re-install or is this the only way to trigger this? The Version element that can be optionally sent down does not seem to work (or if it does, does so inconsistently). A device will very happily download the application initially with the version element present, though when we detect an updated external ID from the VPP program and send down an updated configuration devices behave unexpectedly. Some have ignored it, some have responded back that a download has begun (with no download taking place and the application clearly still being the initial installed version as can be see in the apps page) or it just works, but there is not consistency. I realize a new UpdateBehavior object has been added to possibly handle this, but it is only supported in iOS 26 and above and there are plenty of people who do not have phones that can upgrade that far. Are there alternative ways to enforce an application update other than uninstalling and reinstalling the application without the version (or will sending down a config without a version after one was originally pinned force it to update to latest?) Kind Regards

May I know the checking mechanism for the ios Provisioning profile? Is my Apple app distributed by MDM inside the organisation? If the Provisioning profile is expired , what is the behaviour when user run the App and how to perform the checking mechanism , is it performed at user client side device or Apple server via online access.

I am trying to find clarification on something. We are seeing strange cases where customer devices seem to unenroll themselves after a period of MDM inactivity. This seems to tie into roughly when their identity certificate has expired. We can't confirm this because the device has since unenrolled. Is there any case where an Apple device will automatically unenroll if it's identity certificate has expired? This doesn't always seem to happen - I had a device respond immediately after being switched off for a year - but could this be down to some devices being DEP enrolled and others manually enrolled?

Dear Apple Developer Team, Following the rollout of iOS 26.x and the introduction of the iPhone 17, we have identified a critical issue affecting Mobile Device Management (MDM) enrolment and restore operations. The issue appears to stem from the Device Management Profile configuration 'do_not_use_profile_from_backup' within Apple Business Manager (ABM), which currently defaults to False. This setting should be modified to True to ensure proper functionality. When the profile remains set to False, organisations leveraging MDM encounter repeated failures during device backup and restore operations. Specifically, restoring a supervised or managed device triggers a persistent MDM registration loop, effectively preventing deployment of iPhone 17 devices in managed environments. We recommend that Apple review and adjust the default Device Management Profile property within ABM to address this issue and restore full MDM compatibility for iOS 26.x and later.

I have a question regarding MDM functionality for iOS/iPadOS. Background: According to Apple's support page(https://support.apple.com/en-us/125073), since iOS 26.1, "Previous Wi-Fi configurations will be replaced when a new profile is installed." We have observed that because of this change, when we apply a Wi-Fi configuration profile to an iPad via MDM, the manually configured network settings on the device (specifically, "Configure IPv4" and "Configure DNS") are reset to "Automatic". This erases the manually entered IP address, subnet mask, router, and DNS server addresses. Goal: We want to apply a Wi-Fi configuration profile from our MDM server to connect the device to a specific SSID, while preserving the manual IP and DNS settings that have been configured on the device. Question: Is there a way to prevent the IPv4 and DNS settings from being switched from "Manual" to "Automatic" when applying the configuration profile? For example, is there a specific key-value pair we can add to the profile to either preserve the existing manual settings, or to explicitly define manual/static IP settings within the profile itself for iOS/iPadOS? Reference: Sample Configuration Profile Below is a simplified version of the Wi-Fi configuration profile we are currently using. This profile does not contain any keys for IP address configuration. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadType</key> <string>com.apple.wifi.managed</string> <key>PayloadIdentifier</key> <string>com.apple.wifi.managed.13E2E6B3-D4B9-4E23-888A-524B3ED40C38</string> <key>PayloadUUID</key> <string>13E2E6B3-D4B9-4E23-888A-524B3ED40C38</string> <key>PayloadVersion</key> <integer>1</integer> <key>SSID_STR</key> <string>SSID</string> <key>EncryptionType</key> <string>WPA</string> <key>Password</key> <string>Password</string> </dict> </array> <key>PayloadType</key> <string>Configuration</string> </dict> </plist>

I've been running the betas fine for a while, now, where do you want to go??

Issue Description: We are experiencing MDM profile installation failures specifically on iPhone 17 devices. After extensive testing and comparison between affected and working devices, we suspect this appears to be a parameter transmission error rather than device settings. Technical Analysis: Device Settings Comparison: No differences found between problematic and working devices in system settings, indicating this is not a configuration issue. Suspected Parameter Transmission Error: • Device model information appears to be restricted or blocked during profile download • User ID and phone number parameters are not being transmitted to the server • Installation logs show missing login ID and phone number entries Symptoms: • During MDM profile installation, the "Apps & Restrictions" section that should appear is missing • Profile download parameters are suspected to not be properly transmitted to the server • Installation process fails at the profile configuration stage Critical Finding: When we cloned a previously working device to create a problematic device configuration, the cloned device also began experiencing the same installation failures. This strongly suggests the issue is related to device-specific parameters or identifiers. Additional Information: We continue to receive reports of this issue from our iPhone 17 users, and these reports are occurring across various iOS versions. Request for Assistance: Has anyone encountered similar MDM profile installation issues on iPhone 17? Are there known limitations or changes in how device parameters are transmitted during MDM enrollment on this model? Any guidance on debugging parameter transmission or known workarounds would be greatly appreciated.

I have created a jwt token with headers { 'typ': 'JWT', 'alg': 'RS256' } and claim as : { 'iss': dep server UUID from Accounts call, 'iat': epoc time in seconds, 'jti': random uuid, 'service_type': 'com.apple.maid' } And signed the token with private key created during DEP MDM server creation. On the device I see Verification error when tried to login with Managed Apple account. In ABM, Access management setting was set to Managed Devices /Supervised only. Any help would be appreciated.

I need to verify my domain for Apple Pay but I'm on Shopify. Domain: blissta.co File IS accessible: https://blissta.co/.well-known/apple-developer-merchantid-domain-association But verification fails because it's a redirect, not direct hosting. Shopify doesn't allow .well-known folder creation. Has anyone solved this? Need either: Way to make Apple accept redirects Shopify workaround for direct file hosting Manual verification from Apple Using Authorize.net gateway. Case #102711828925

Hi Community, The Leverage macOS has with Bootstrap token is immense using the same for Software Updates, Erase Device and new Local Account Creation in System Settings While I refer From IT Deployment Guide Which States the below For a Mac with macOS 10.15.4 or later, when a secure token-enabled user logs in for the first time, macOS generates a bootstrap token and escrows it to a device management service. I even tested out the Statement using Automated Device Enrollment Workflow ( With AutoAdmin Account Only, With Both AutoAdmin Account , Primary Account ) and it Granted BootStrap Token Immediately upon login How ever with User-Initiated Enrollments it differs like below Sometimes upon installation of MDM Profile in macOS Immediately the BootstrapToken is sent to MDM Sometimes the BootStrapToken is not immediately sent, so I need to logout , login with the Secure Token enabled user for macOS to escrow BootStrapToken to MDM Sometimes Even when I followed the pointer as in 2) like logout / login from a SecureToken Enabled user the BootStrapToken is not escrowed to MDM , Which Affects the OSUpdates, Erasing Capabilities to be used precisely with MDM Protocol Can someone Please Help with the Flow for BootStrapToken Generation / issuance to MDM incase for User-Initiated Enrollment

We have couple of devices that are registered into Platform SSO, and we have been noticing an issue when the user tried to login. After the users enters the password and hit the return key nothing happens, they need to hit the return key probably 10-15 times in order for the login to happen, the password entered is the correct one and it's just that hitting the return key doesn't invoke the login. On checking the log of the device one unusual thing that we noticed as compared to a different device where the login is working in a single go is that the AppSSOAgent or AppSSODaemon process were not getting invoked

Hello Apple Developer Community, I'm experiencing an invalid_client error (HTTP 400) when attempting to authenticate with the Apple School Manager API using OAuth2 with JWT bearer assertion (RFC 7523). Despite verifying all configuration values and following Apple's documentation, I continue to receive this error. Error Details Error: invalid_client HTTP Status: 400 Bad Request Endpoint: https://appleid.apple.com/auth/oauth2/v2/token Response: {"error": "invalid_client"} My Configuration All values have been verified to match Apple School Manager exactly: Organization ID: 55155430 Key ID: 8136a1f6-c995-4010-b964-bc8278c107ef Client ID (Service ID): SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 Private Key: Loads correctly, signs JWT properly (ES256) JWT Configuration I'm generating a JWT with the following structure: Header: { "alg": "ES256", "kid": "8136a1f6-c995-4010-b964-bc8278c107ef", "typ": "JWT" } Payload: { "iss": "55155430", "sub": "SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59", "aud": "https://appleid.apple.com", "iat": [timestamp], "exp": [timestamp + 30 days] } Token Request Method: POST Content-Type: application/x-www-form-urlencoded Parameters: grant_type: client_credentials client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion: [JWT token] scope: https://api.apple.com/auth/schoolmanager What I've Verified ✅ All configuration values match Apple School Manager exactly ✅ Private key file exists and loads correctly ✅ JWT is generated with correct structure (ES256, proper claims) ✅ Key ID in JWT header matches the Key ID from Apple School Manager ✅ Request format matches OAuth2 RFC 7523 specification ✅ Content-Type header is application/x-www-form-urlencoded ✅ Tried both Client ID and Organization ID as sub claim (both fail with same error) ✅ DNS resolution and API connectivity are working ✅ API account appears active in Apple School Manager interface What I've Tried Using Client ID as sub: Tried using SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 as the sub claim Using Organization ID as sub: Tried using 55155430 as the sub claim (fallback) With and without scope: Tried both including and excluding the scope parameter Different JWT expiration: Tried various expiration times (30 days, 180 days) Verified Service ID format: Confirmed the Client ID follows the SCHOOLAPI.xxxxx-xxxxx-xxxxx format Both attempts (Client ID and Organization ID as sub) return the same invalid_client error. Previous Support Interaction I've contacted Apple Developer Support (Case #102783504559). They confirmed: The technical implementation is correct The issue is an account access/permission problem My Apple Account email is not associated with any memberships The Account Holder must add me to the Enterprise team membership However, I'm posting here to see if anyone in the community has: Experienced similar issues and found a solution Additional technical insights about the invalid_client error Suggestions for what else to verify or try Questions Is there a specific format requirement for the sub claim? Should it be the Client ID (Service ID) or Organization ID? I've tried both. Are there any additional claims required in the JWT beyond iss, sub, aud, iat, exp? Could there be a backend issue with the API account even though it appears active in Apple School Manager? Has anyone successfully resolved an invalid_client error that wasn't related to account access? Is there a delay after creating an API account before it becomes fully active for authentication? Technical Details Language: Python (Flask) JWT Library: PyJWT with cryptography library Algorithm: ES256 (ECDSA P-256) OAuth2 Flow: Client Credentials Grant with JWT Bearer Assertion (RFC 7523) Error Log I've generated a detailed error log showing the exact request/response. The key points: HTTP 400 Bad Request Response: {"error":"invalid_client"} Same error occurs with both Client ID and Organization ID as sub Any Help Appreciated If anyone has encountered this issue or has insights into what might be causing it, I'd greatly appreciate your help. I'm happy to provide additional details or try any suggestions. Thank you! Case Number: 102783504559 API Account: Created in Apple School Manager Status: API account appears active, but authentication fails

Hi there, We’re testing Declarative Device Management (DDM) for VPP app management and followed the latest declaration template here: https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/app.managed.yaml Our goal is to enable VPP auto-updates via the declaration. The payload we’re using looks like this: "AppStoreID": "1231325957", "InstallBehavior": "{\"Install\": \"Required\", \"License\": {\"Assignment\": \"Device\"}}", "UpdateBehavior": "{\"AutomaticAppUpdates\": \"AlwaysOn\"}" } What we’re seeing Device A (no Apple ID signed into App Store): User can manually update the VPP app with the above declaration in place. ( The same user cannot update the app if UpdateBehavior is not in the declaration payload. Device B (Apple ID signed into App Store, and the same Apple ID doesn't have the above app purchased): User cannot manually update the same VPP app. The App Store shows the error seen when UpdateBehavior is absent: “ cannot be updated because it was refunded or purchased with a different Apple Account.” Also, in this case, the user has no way to purchase the (free) app by their own as the app shows as owned/managed by MDM server. We have to remove the declaration, let the user purchase the same app, then re-deploy the declaration to allow the user to click that "Update" button when a new version for that app is available. Additionally, we’re unsure about the criteria/timing for automatic VPP app updates under DDM. After a new version became available, we waited several hours but the app did not auto-update. Repro summary App: VPP, device-assigned license Declaration: AutomaticAppUpdates = AlwaysOn, install required Device A: not signed into App Store → manual update allowed Device B: signed into App Store → manual update blocked with “refunded/different account” error Auto-update did not occur after waiting several hours post-release Any guidance, confirmation of expected behavior, or tips on additional logging we should collect (e.g., specific App Store / MDM / DDM logs and subsystems) would be greatly appreciated. If this is a known issue or requires a Feedback Assistant report, we’re happy to file one. Thanks,

I have come across this Hideable attribute for managed apps, introduced in iOS 18.1, and I've encountered some behavior that seems to contradict the official documentation. According to Apple's documentation for app.managed.yaml, setting the Hideable key to false under the Attributes section should prevent a user from hiding the app. The documentation explicitly states: If false, the system prevents the user from hiding the app. It doesn't affect the user's ability to leave it in the App Library, while removing it from the Home Screen. I have configured this in my app.managed.yaml and successfully applied the profile to my test device via our MDM server. However, I am still able to hide the application from both the Home Screen and the App Library. Here are the steps I'm taking to hide the app: Long-press the app icon on Home Screen Select "Require Touch ID" Select "Hide and Require Touch ID" Authenticate using Touch ID Select "Hide App" After these steps, the app is no longer visible on the Home Screen or in the App Library, which is contrary to the behavior described in the documentation for when Hideable is set to false. My question is: Is this a known issue or a potential bug in iOS 18.1? Or, is there an additional configuration profile or a specific device supervision requirement that I might be missing to enforce this restriction correctly? Any clarification would be greatly appreciated! Thank you!

We are facing an issue with Platform SSO registration on macOS devices for AD-bound user accounts with Microsoft EntraID configuration. We are using the Platform SSO payload on macOS devices integrated with Entra ID, and it works as expected — registration completes successfully, and the password syncs with the Entra ID password. However, when we try the same on macOS devices with AD-bound (mobile) user accounts, the registration does not complete. To elaborate, the process successfully completes the initial WebView authentication but fails at the stage where Apple prompts for the password to sync the local macOS user’s password with the Entra ID password. It does not display any error, and even after entering a valid password, the process does not proceed further. However, when we try the same on a non-AD user account, it works fine. We have checked with Microsoft, and they confirmed that there are no restrictions on their side for AD-bound accounts. Since the issue appears to occur at the Apple system level, they advised us to reach Apple teams on this. Could you please check and let us know how we can proceed with this? Payload used: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>AuthenticationMethod</key> <string>Password</string> <key>ExtensionIdentifier</key> <string>com.microsoft.CompanyPortalMac.ssoextension</string> <key>PayloadDisplayName</key> <string>Extensible Single Sign-On Payload</string> <key>PayloadIdentifier</key> <string>com.apple.extensiblesso.B408A658-3DAF-41FF-8A5D-AE77B380CB7B</string> <key>PayloadType</key> <string>com.apple.extensiblesso</string> <key>PayloadUUID</key> <string>D506CAFD-C802-41F2-9C3E-DF5289C315FF</string> <key>PayloadVersion</key> <integer>1</integer> <key>PlatformSSO</key> <dict> <key>AccountDisplayName</key> <string>EntraID</string> <key>AuthenticationMethod</key> <string>Password</string> <key>EnableCreateUserAtLogin</key> <true/> <key>LoginFrequency</key> <integer>3700</integer> <key>LoginPolicy</key> <array> <string>AttemptAuthentication</string> </array> <key>NewUserAuthorizationMode</key> <string>Admin</string> <key>UseSharedDeviceKeys</key> <true/> <key>UserAuthorizationMode</key> <string>Admin</string> </dict> <key>ScreenLockedBehavior</key> <string>DoNotHandle</string> <key>TeamIdentifier</key> <string>UBF8T346G9</string> <key>Type</key> <string>Redirect</string> <key>URLs</key> <array> <string>https://login.microsoftonline.com</string> <string>https://sts.windows.net</string> <string>https://login.partner.microsoftonline.cn</string> <string>https://login.chinacloudapi.cn</string> <string>https://login.microsoftonline.us</string> <string>https://login.microsoft.com</string> <string>https://login-us.microsoftonline.com</string> </array> </dict> </array> <key>PayloadDisplayName</key> <string>Platform SSO</string> <key>PayloadIdentifier</key> <string>42GBHOLAP04621.1BD5B6D9-640B-4DC3-9275-56DDD191A5FB</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>58548FC6-38D9-4B28-9EDF-BEEAB03BAB23</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>