Business & Education Q&A

Hello! I have two questions around automatic device migration in Apple Business: Does the mdm_migration_deadline field ever get removed from a device response? If so, when? Documentation of the field for reference: https://developer.apple.com/documentation/devicemanagement/device Is there a way to determine if a device has actually completed a migration? Documentation of device migration for reference: https://developer.apple.com/documentation/devicemanagement/migrating-managed-devices#Handle-migration-in-the-destination-device-management-service

Apple made it very clear that this year is declarative. The last four years I’ve had several feedbacks open for legacy app config, and the new ManagedApp framework app config. This has been a major blind spot to deploying apps via Apple Business (Essentials). I didn’t see any announcements for support, but to double check, is that coming? FB19980558 (Business Essentials: Add Support for Managed App Configuration (via UserDefaults) and newer Managed App Framework) 2025 FB13398533 (Business Essentials: Add ability to send managed application configuration to an application installed via Apple Small Business Essentials app) 2023 FB21371989 (ManagedApp: Create a swift-configuration ConfigProvider implementation backed with ManagedAppConfigurationProvider)

Hey guys, I posted a similar thread in Privacy channel earlier, but their engineer points me to here: https://developer.apple.com/forums/thread/831492 I'm building a managed macOS app (credential-provider extension) that needs an MDM-provisioned, hardware-bound, attested identity via the ManagedApp framework on macOS 27 which just released days ago, and I've hit a documentation contradiction. By reading through the docs, my understanding of the ManagedApp identity path is com.apple.configuration.app.managed → Identities → com.apple.asset.credential.acme. But the OS27 ACME schema says, for both HardwareBound and Attest: "On macOS, this is a required key. Set the value to false" (https://github.com/apple/device-management/blob/seed_OS_27_0/declarative/declarations/assets/credentials/acme.yaml#L66) — implying a software key. However, the macOS 27 release notes say ManagedApp deploys "hardware-bound identities" on macOS. So I am wondering that on macOS 27 + Apple silicon, can a ManagedApp-provisioned ACME identity actually be HardwareBound: true / Attest: true? If yes, is the acme.yaml "set to false on macOS" text just stale? If no, how is the documented "hardware-bound identities" capability delivered? And would that identity gonna be able to be used by the app / app extension? Thanks!

One of the pain points we have be trying to work around is Safari, and XProtect updates via MDM moving to Declarative. Right now we have a blend of OS update and upgrades via Global Settings or Enforcement Specific Declaration. However, the non OS updates are stuck on MDM commands to install thus admins cannot control install time when using Global Settings with Auto Actions. With the full removal of MDM commands for updates how can we have a flavor of version control and install time with Safari vs. keep to latest and Auto Actions?

I've noticed that there is a tab for Ads in Apple Business and would like to know more about how this would integrate with claiming a business location. As well as uploading photos of the business, what types of features would be rolled out in the future, if it will be a central place to manage business locations? If this is more towards the Maps & Location Q&A or both, please direct this to the correct Q&A section. Thank you

With all of the announcements and improvements to Siri and Apple Intelligence on macOS/iOS/iPadOS 27, organizatiosn continue to decide whether to allow/deny Apple Intelligence in part or in whole. With so much capability for on-device AI, and with new Profiles available to developers to route AI requests to remain on-device versus shipping to Private Cloud Compute, is there any way, undocumented or otherwise where organizations can begin to allow Apple Intelligence on if it's kept on-device only and not have the permission to offload to the cloud of an external AI provider such as ChatGPT?

In domain capture, could you include the option to manually send invitations to users before running the domain capture process for the entire domain? Currently, I see that the option exists, but only for marketing-related accounts.

Hello, Thanks for all these new amazing updates, With the changes regarding the management state not restored anymore from the backup on iOS 27, can we expect the following flow to work: Backup an iPhone, adding it to Apple Business and ADE, and restore the same backup during activation to trigger ADE enrollement while restoring the backup on the device ? Currently when users are migrating a device from unmanaged to managed we have them restore the backup on the buffer device, backup this buffer device and restore that backup on the original iPhone. It would be really helpful when customers are starting to manage existing devices. Thanks

For binary execution control on Endpoint Security — how granular are the code-signing matching rules, and what happens to a denied binary that's already running versus launched fresh? For the consolidated privacy consent prompt — does app.settings replace the privacy preferences we manage today, or coexist with them? Knowing whether it's a clean migration or a parallel system would help our planning. Thanks!