Hello, this may not be the correct place to ask this question so I apologize in advance if this is the case. We are currently having some issues when attempting to restore device back ups via iCloud that where previously enrolled to our MDM solution, as upon the restore no app data seems to be persisted over (we have tested restoring the backup on the same device and we have been able to have data persist between wipes) On the initial device we have ensured that the restrictions allowCloudKeychainSync allowManagedAppsCloudSync are set to true, and can see that the initial devices back up has the app data backed up, yet despite this data is not persisted when restoring from back up on a new device. On the device where the back up was initially done when restoring the applications are applied but indicated that they must be re-installed via our management console, once the app has been uninstalled and reinstalled the old data does show up, when applied to the new device our mdm solution pushes down the app.managed config but the device treats it as a new install. Could this possibly be due to us using Device Licensing when assigning apps? Or is it due to the intial device only performing a token update request when restoring and the new device going through the entire checkin proccess? Both devices are provisioned via DEP, and applications where assigned initially via VPP Any insight on this would be useful (For reference this is an MDM solution of our own making so we are attempting to sus out if there is a configuration issue we could be overlooking).

Summary: When applying a configuration profile that uses allowListedAppBundleIDs to permit a defined set of apps, essential Apple Watch apps are unexpectedly removed from the paired Watch — even though their associated iPhone bundle IDs are explicitly included. This issue occurs with a minimal profile, and has been consistently reproducible on the latest versions of iOS and watchOS. Impact: This behavior severely limits the use of Apple Watch in managed environments (e.g., education, family management, accessibility contexts), where allowlisting is a key control mechanism. It also suggests either: Undocumented internal dependencies between iOS and watchOS apps, or A possible regression in how allowlists interact with Watch integration. Steps to Reproduce: Create a configuration profile with a Restrictions payload containing only the allowListedAppBundleIDs key. Allow a broad list of essential system apps, including all known Apple Watch-related bundle IDs: com.apple.NanoAlarm com.apple.NanoNowPlaying com.apple.NanoOxygenSaturation com.apple.NanoRegistry com.apple.NanoRemote com.apple.NanoSleep com.apple.NanoStopwatch com.apple.NanoWorldClock (All the bundles can be seen in the Attached profile) Install the profile on a supervised or non-supervised iPhone paired with an Apple Watch. Restart both devices. Observe that several core Watch apps (e.g. Heart Rate, Activity, Workout) are missing from the Watch. Expected Behavior: All apps explicitly included in the allowlist should function normally. System apps — especially those tied to hardware like Apple Watch — should remain accessible unless explicitly excluded. Actual Behavior: Multiple Apple Watch system apps are removed or hidden, despite their iPhone bundle IDs being listed in the allowlist. Test Environment: iPhone running iOS 18 Apple Watch running watchOS 11 Profile includes only the allowListedAppBundleIDs key Issue confirmed on fresh devices with no third-party apps Request for Apple Engineering: Please confirm whether additional internal or undocumented bundle IDs are required to preserve Apple Watch functionality when allowlisting apps. If this behavior is unintended, please treat this as a regression or bug affecting key system components. If intentional, please provide formal documentation listing all required bundle IDs for preserving Watch support with allowlisting enabled. Attachment: .mobileconfig profile demonstrating the issue (clean, minimal, reproducible) Attached test profile = https://drive.google.com/file/d/12YknGWuo1bDG-bmzPi0T41H6uHrhDmdR/view?usp=sharing

Hi. I am writing a little MDM application. Despite the basic task (add a password for 'remove profile' button in settings), it seems I am stuck with a problem: When I try to enroll my device with enrollment.mobileconfig file, Apple Configurator app, I receive an error The profile “Enrollment Profile” could not be installed because it is invalid. Make sure the profile is valid and try installing it again. The original architecture of my .mobileconfig contains of two payloads (com.apple.security.scep , com.apple.mdm), and it works correctly. However, when I try to add a third payload of com.apple.profileRemovalPassword , I receive the error stated above. From logs collected on iPhone, here's what was found : Failed to parse profile data. Error: NSError: Desc : The profile “Enrollment Profile” is invalid. Sugg : A profile containing an MDM payload must be removable. US Desc: The profile “Enrollment Profile” is invalid. US Sugg: A profile containing an MDM payload must be removable. Domain : MCProfileErrorDomain Code : 1000 Type : MCFatalError Params : ( "Enrollment Profile" ) ...Underlying error: NSError: Desc : A profile containing an MDM payload must be removable. US Desc: A profile containing an MDM payload must be removable. Domain : MCProfileErrorDomain Code : 1000 Type : MCFatalError Extra info: { isPrimary = 1; } My main dictionary contains HasRemovalPasscode Also, I have tried playing around with PayloadRemovalDisallowed setting it to true and false, however, I keep getting the same error message. There is also a second error produced: Profile MCConfigurationProfile, version 1: Display Name: “Enrollment Profile” Description : “***” Identifier : *** UUID : *** Organization: *** Is Stub : No Locked : Yes Removal passcode present Encrypted : No Trusted : 0 Signed : No Device Type : 0 Payloads: Payload MCSCEPPayload, version 1 Description : “***” Identifier : *** UUID : *** Type : com.apple.security.scep Display name: *** Organization: *** Payload MCMDMPayload, version 1 Description : “***” Identifier : *** UUID : *** Type : com.apple.mdm Organization: *** Payload MCRemovalPasswordPayload, version 1 Identifier : com.examp Can't parse profile: <decode: missing data> The code for com.apple.profileRemovalPassword is taken from apple documentation (https://developer.apple.com/documentation/devicemanagement/profileremovalpassword) I have also tried the automatic way - creating it from Apple Configurator, so it is correct in terms of syntax 100%. Several important notes: Creating a fresh new profile with just password removal protection single payload allows to perform a download of the profile If I comment out the whole com.apple.mdm payload block, I will be able to download this profile on iPhone also The com.apple.mdm block is also valid by itself, and works correctly I have tried implementing other types of "dummy" payloads - for example com.apple.dock <dict> <key>PayloadType</key> <string>com.apple.dock</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadIdentifier</key> <string>com.example.test.dock</string> <key>PayloadUUID</key> <string>22222222-3333-4444-5555-666666666666</string> <key>PersistentApps</key> <array/> </dict> And everything worked out fine. So my hypothetical conclusion out of these four notes might be in some type of interconnection between mdm and profileRemovalPassword, which isn't really listed anywhere? Or am I missing something ? Thank you in advance.

Hello world! First post here. Developing my first app. It primarily targets supervised and MDM managed devices. A few questions: For supervised devices, is serial number available? I want to get the number and use it for app auto activation Is MDM required for supervised devices? Or, as long as a device is enrolled through Apple Business Manager? Which capacity shall I request for the app? Thanks so much!

Hey. If i have a new idea for apple how can i reach out for you?

Hello Apple Developer Community, I am implementing the "Return to Service" feature with app preservation in our MDM solution (iOS 26+). My goal is to use the EraseDeviceCommand to securely erase user data while preserving managed apps, and then have the device automatically re-enroll without user interaction. What I am doing: The device is supervised and successfully enrolled in Automated Device Enrollment (ADE). The device has generated and escrowed a bootstrap token to our MDM server (SetBootstrapToken received). I am sending the EraseDeviceCommand to the device via MDM with the necessary parameters for Return to Service with app preservation. The command payload includes: Enabled: true The previously escrowed BootstrapToken (as Base64 data). WiFiProfileData (as Base64 data) to ensure connectivity post-erase. Example Payload Structure (Simplified): <key>ReturnToService</key> <dict> <key>Enabled</key> <true/> <key>BootstrapToken</key> <data>YOUR_BASE64_TOKEN</data> <key>WiFiProfileData</key> <data>YOUR_BASE64_WIFI_PROFILE</data> </dict> The observed behavior: The erase command is successful. The device performs the secure user data erase. Crucially, the managed applications are preserved and automatically installed again after the reboot (confirming app preservation is working). The device connects to the Wi-Fi network successfully. The issue: I am not seeing the GetBootstrapToken request from the device hit our MDM server's check-in URL during the post-erase setup assistant phase. The re-enrollment seems to complete, but this specific request is missing from our server logs. My questions: Is the GetBootstrapToken request an explicit check-in message type, or is it an implicit part of the general CheckIn process during ADE re-enrollment when the token is used? If the device successfully re-enrolls and preserves apps, is the explicit GetBootstrapToken request still expected? Or does the token included in the EraseDeviceCommand payload satisfy all authentication needs for this workflow? What specific conditions or capabilities on the MDM server side might prevent the device from sending this specific request, even if the overall process succeeds? Any insights from Apple engineers or other developers who have successfully implemented this flow would be greatly appreciated. Thank you!

Managed iOS/iPad devices are struck with no network under below conditions Enrolling a Supervised iOS device Send InstallProfile command with AppLock payload (https://developer.apple.com/documentation/devicemanagement/applock) Now when the above managed device loses network connection with MDM server due to unknown network issues - the device is out of contact with MDM server and device is locked. Since such AppLock payload installed devices are placed in remote locations, it becomes difficult for Admins to recover such devices with no network connectivity. The devices have to be brought in from remote location and recover them. Under such conditions, it would be better to allow the end user to change the Network configuration manually to reconnect the device with MDM server. This option can also be allowed only when the device can’t ping MDM server.

Hello, this may not be the correct place to ask this question so I apologize in advance if this is the case. I am currently running into two specifc issues while continuing to implement the app.managed configuration which are quite frustrating and I will detail them below Unlike MDM where an application could be "reinstalled", by sending an install application command down for the same app DM does not have a similar mechanism which causes some issues as (while inconsistent) devices do not always respect the configuration sent down, and will not begin downloading VPP applications. They can be seen in the configuration when checking under VPN & Device Management but they do not return on a status report, alternatively and app will "install" but will have a cloud symbol next to it requiring a download (which I believe would be impossible on supervised devices without apple accounts/have restricted apple accounts associated to them). These apps are also reported incorrectly, as they return a managed response while being inaccessible. Both of these issues are solved by removing and reinstall applications (occasionally). Is there any easier way to trigger a re-install or is this the only way to trigger this? The Version element that can be optionally sent down does not seem to work (or if it does, does so inconsistently). A device will very happily download the application initially with the version element present, though when we detect an updated external ID from the VPP program and send down an updated configuration devices behave unexpectedly. Some have ignored it, some have responded back that a download has begun (with no download taking place and the application clearly still being the initial installed version as can be see in the apps page) or it just works, but there is not consistency. I realize a new UpdateBehavior object has been added to possibly handle this, but it is only supported in iOS 26 and above and there are plenty of people who do not have phones that can upgrade that far. Are there alternative ways to enforce an application update other than uninstalling and reinstalling the application without the version (or will sending down a config without a version after one was originally pinned force it to update to latest?) Kind Regards

The question: Is there any chance that Apple will integrate Intune SDK into Apple apps such as Mail or Calendar, or create Siri-compatible Intune SDK-integrated versions of Mail and Calendar? The reason for the question: My team has been asked by VIPs in our company (e.g. execs and board members) if Siri can be used with Outlook, and the only way is through Shortcuts or by adding the Outlook account to Mail. Both of these options would violate our security policies for these reasons: Since our company policy and federal regulations don't permit us to allow access to company resources on non-MAM-protected apps, we can't allow our users to login to the Mail app and make full use of Siri, due to the lack of MAM controls for Mail and Calendar. We only allow users to transfer data between policy-managed apps which have integrated the Intune SDK allowing us to enforce DLP and other security measures. The only way to enable Shortcuts would be to disable these security measures.

Hello, wehave some Iphone in the family and noticed a strange issue: On a website the site admins renewed the webserver cert, and now most of the IOS devices( Iphone 15 / 15 Pro Max / Ipad 10) doesnot trust in the new cert, while the apple trustsin the rootCA webste: https://etitan.hu RootCA CN = NetLock Arany (Class Gold) Főtanúsítvány ios 18 trusted CAs:https://support.apple.com/en-us/121672 So any idea whats wrong ? On windows everything is OK !

Hello ! Currently, we have customers who use about 5,000 devices. In the case of ios26, the phone number is not acquired overall, and 18.x, 17.x, and 16.x are all acquired in half and not acquired in half. https://developer.apple.com/documentation/devicemanagement/deviceinformationcommand/command-data.dictionary/queries-data.dictionary It seems that it is the right behavior not to acquire it on the specification sheet. However, I wonder when it became impossible to acquire. (There are devices that can be acquired and devices that can't be acquired in the same os version.) Will the devices that are being acquired be blocked someday? When it was developed in 2019, it was in a state that could be acquired in full. I would also like to ask if there is an alternative way to get your phone number. Thank you.

Is it mandatory to get explicit user consent in iOS apps to collect their product usage data anonymously with something like mixpanel. Note: this is not for advertising purposes, but only to make the product better based on usage patterns.

Hello, I write my bachelor-thesis about geolocation data on an iPhone. I write a small app to get the actual coordinates and saved into a sqlite database. so far so far. Now I have a GPS-generator from R&S to simulate gps-data and satellites. I can simulate 6 satellites parallel to my "fake" geolocation. I write the app also on an Android -smartphone, this Android can display the Satellites-ID and the "fake" geolocation..thats fine for my thesis. But my iPhone would not display anything I this setup? During outside the app would be deliver the actual coordinate, but with the signal.genarator I can't get coordinates. I try GPS, Glosnass, Galileo and Beidoo but nothing happens on my iPhone 12mini. The IOS is 18.1 and I use the core Location api. Has anybody some ideas for me and my thesis?

Hello all, I’m hoping someone here has gone through the process of integrating an ERP system with the Apple GSX API and can offer some guidance. We’re currently working with an AASP who asked us to integrate our ERP with the Apple GSX API. It’s the first time for both of us, and we’re a bit stuck on how to properly get started. The AASP contacted their regional manager, who confirmed that an NDA and an Apple Developer Account would be necessary. However, he hasn’t handled this type of integration before and is still seeking internal guidance. That was a few months ago, and due to his workload, the AASP hasn’t heard back from him yet. Meanwhile, we’ve already enrolled in the Apple Developer Program and opened a support case, but we’ve been redirected to the forums since our case goes beyond standard support. So now we’re trying to understand: What steps need to be completed by the AASP? What are the steps we, as the ERP provider, need to take in order to receive API access? Are there any specific documents, applications, or technical requirements we should prepare in advance? We’d really appreciate any guidance or insight from others who have gone through this process — or even partial answers to help us move forward. Thanks in advance for your time!

Hi all, I'm implementing Intune MAM to secure applications on iOS. However, I need my users to be able to save files (e.g. attachments in an email in the Outlook app) to iOS Files. To do so, I'm trying to put Files in exception of my Intune MAM policy and I need to obtain the Files "CFBundleURLSchemes" value from the info.plist file of the Files app. I'm not able to get that information. Are any of you able to get that somehow? Thanks!

We have couple of devices that are registered into Platform SSO, and we have been noticing an issue when the user tried to login. After the users enters the password and hit the return key nothing happens, they need to hit the return key probably 10-15 times in order for the login to happen, the password entered is the correct one and it's just that hitting the return key doesn't invoke the login. On checking the log of the device one unusual thing that we noticed as compared to a different device where the login is working in a single go is that the AppSSOAgent or AppSSODaemon process were not getting invoked

We're currently facing an issue with Intune not automatically updating/downloading the updated build/app to end-user ios devices. It's worth noting that we've recently migrated the Xamarin project to a .NET-style SDK in this version. Previously, the app used to update automatically without any problems. We'd appreciate it if you could help us understand what might be causing this issue.

私は現在Intuneを使ったAppleIntelligenceの機能制限方法を調査しております。 AppleIntelligenceの機能のうち、以下5点を制御したく、その方法について教えてほしいです。 ・作文ツール ・Gen文字 ・写真(クリーンアップ機能等) ・さまたげ低減モード(通知の要約・優先順位機能含む) ・ChatGPTのサインイン(同期)・使用 今回ここに聞いた経緯としては、Microsoft社に本調査の確認をとったところ、 「制御後のデバイスの動作についてはAppleのペイロードを使用した制限のため、Appleに確認をとってほしい」 と伝えられたからです。 以下サイトではIntuneのAppleIntelligence機能の制御項目(MDM)が17項目ありますが、 ところどころ実動作について文章では理解ができない部分がありました。 ・https://techcommunity.microsoft.com/blog/intunecustomersuccess/microsoft-intune-support-for-apple-intelligence/4254037 AppleDeveloperサポートにも確認をとりましたが、以下サイトを紹介のみで、 特に追加の情報はありませんでした。 ・https://developer.apple.com/documentation/devicemanagement/restrictions 上記５機能を制限するためにはどの制限項目を使用すればよいでしょうか。

How to apply for Apple one-on-one consultation。 How to contact Cook

I want to side load a .ipa file from a Mac to iPhone connected to Mac via USB. I don't want to use ABM or enterprise account. Also these can be any number of unknown devices. Is there any way to set this up automatically?