Thanks for the announcements and new features coming with device management. I noticed that there is a new declarative management that was mentioned in the list of videos under business & education. What would this compose of and how would this integrate into existing apple business accounts? Is there also newer features that would make deployment of devices faster or improved work flows? Thank you

We would like to enforce the use of Managed Apple IDs on company-owned devices. At the same time, users should be able to install free applications on their own without requiring administrators to deploy every app through MDM, as this creates additional administrative overhead. Why is this required? The primary objective is to ensure that company-owned devices are used only with corporate-managed accounts and to prevent corporate data from being synced, backed up, or transferred to employees' personal iCloud accounts. This helps protect organizational data and reduces the risk of company information remaining accessible after an employee leaves the organization or stops using the device. We are looking for a solution that enforces Managed Apple ID usage while still allowing users the flexibility to install free apps independently.

Reading from the API documentation, we want to confirm that the subscription licenses must be bundled with clientuserid strings. Does that mean the app needs to also be assigned to the user, of can the app be assigned to the device and then the subscription assigned to the user after the fact?

Hi, Where can I have access to the newly introduced web login for Platform Single Sign-on? It would be very nice to see it and to learn how to implement the token exchange flow.

Hello! I have two questions around automatic device migration in Apple Business: Does the mdm_migration_deadline field ever get removed from a device response? If so, when? Documentation of the field for reference: https://developer.apple.com/documentation/devicemanagement/device Is there a way to determine if a device has actually completed a migration? Documentation of device migration for reference: https://developer.apple.com/documentation/devicemanagement/migrating-managed-devices#Handle-migration-in-the-destination-device-management-service

Apple made it very clear that this year is declarative. The last four years I’ve had several feedbacks open for legacy app config, and the new ManagedApp framework app config. This has been a major blind spot to deploying apps via Apple Business (Essentials). I didn’t see any announcements for support, but to double check, is that coming? FB19980558 (Business Essentials: Add Support for Managed App Configuration (via UserDefaults) and newer Managed App Framework) 2025 FB13398533 (Business Essentials: Add ability to send managed application configuration to an application installed via Apple Small Business Essentials app) 2023 FB21371989 (ManagedApp: Create a swift-configuration ConfigProvider implementation backed with ManagedAppConfigurationProvider)

Hey guys, I posted a similar thread in Privacy channel earlier, but their engineer points me to here: https://developer.apple.com/forums/thread/831492 I'm building a managed macOS app (credential-provider extension) that needs an MDM-provisioned, hardware-bound, attested identity via the ManagedApp framework on macOS 27 which just released days ago, and I've hit a documentation contradiction. By reading through the docs, my understanding of the ManagedApp identity path is com.apple.configuration.app.managed → Identities → com.apple.asset.credential.acme. But the OS27 ACME schema says, for both HardwareBound and Attest: "On macOS, this is a required key. Set the value to false" (https://github.com/apple/device-management/blob/seed_OS_27_0/declarative/declarations/assets/credentials/acme.yaml#L66) — implying a software key. However, the macOS 27 release notes say ManagedApp deploys "hardware-bound identities" on macOS. So I am wondering that on macOS 27 + Apple silicon, can a ManagedApp-provisioned ACME identity actually be HardwareBound: true / Attest: true? If yes, is the acme.yaml "set to false on macOS" text just stale? If no, how is the documented "hardware-bound identities" capability delivered? And would that identity gonna be able to be used by the app / app extension? Thanks!

One of the pain points we have be trying to work around is Safari, and XProtect updates via MDM moving to Declarative. Right now we have a blend of OS update and upgrades via Global Settings or Enforcement Specific Declaration. However, the non OS updates are stuck on MDM commands to install thus admins cannot control install time when using Global Settings with Auto Actions. With the full removal of MDM commands for updates how can we have a flavor of version control and install time with Safari vs. keep to latest and Auto Actions?

I've noticed that there is a tab for Ads in Apple Business and would like to know more about how this would integrate with claiming a business location. As well as uploading photos of the business, what types of features would be rolled out in the future, if it will be a central place to manage business locations? If this is more towards the Maps & Location Q&A or both, please direct this to the correct Q&A section. Thank you

With all of the announcements and improvements to Siri and Apple Intelligence on macOS/iOS/iPadOS 27, organizatiosn continue to decide whether to allow/deny Apple Intelligence in part or in whole. With so much capability for on-device AI, and with new Profiles available to developers to route AI requests to remain on-device versus shipping to Private Cloud Compute, is there any way, undocumented or otherwise where organizations can begin to allow Apple Intelligence on if it's kept on-device only and not have the permission to offload to the cloud of an external AI provider such as ChatGPT?

In domain capture, could you include the option to manually send invitations to users before running the domain capture process for the entire domain? Currently, I see that the option exists, but only for marketing-related accounts.

Hello, Thanks for all these new amazing updates, With the changes regarding the management state not restored anymore from the backup on iOS 27, can we expect the following flow to work: Backup an iPhone, adding it to Apple Business and ADE, and restore the same backup during activation to trigger ADE enrollement while restoring the backup on the device ? Currently when users are migrating a device from unmanaged to managed we have them restore the backup on the buffer device, backup this buffer device and restore that backup on the original iPhone. It would be really helpful when customers are starting to manage existing devices. Thanks

For binary execution control on Endpoint Security — how granular are the code-signing matching rules, and what happens to a denied binary that's already running versus launched fresh? For the consolidated privacy consent prompt — does app.settings replace the privacy preferences we manage today, or coexist with them? Knowing whether it's a clean migration or a parallel system would help our planning. Thanks!

We found an issue where the DetailURL configured in a Declarative Device Management OS update declaration is displayed on the device’s Software Update screen, but tapping the link does not open the URL on some iOS versions. This issue appears to occur specifically on iOS 26.4. The same behavior could not be reproduced on iOS 17.x or iOS 18.x devices using the same MDM command configuration and the same URL. Environment: MDM command: Declarative OS Update command Command configuration: Target OS Version: 26.5 Build Version: 23F77 DetailURL: Appleデバイスのソフトウェアアップデート宣言型構成 - Apple サポート (日本) Device requirements: Supervised iOS device Managed by MDM Connected to Wi-Fi OS update available No Safari restriction or browser launch restriction configuration profile applied Reproduction Steps: Prepare a supervised iOS device managed by MDM. Send a Declarative Device Management OS update command with the following configuration: Target OS Version: 26.5 Build Version: 23F77 DetailURL: Appleデバイスのソフトウェアアップデート宣言型構成 - Apple サポート (日本) After the command is applied, open the device Settings app. Go to General > Software Update. Confirm that the URL configured in DetailURL is displayed on the Software Update screen. Tap the displayed URL. Expected Result: The displayed DetailURL should open in Safari or the default browser. Actual Result: On iOS 26.4 devices, the URL is displayed on the Software Update screen, but tapping the link does not open Safari or navigate to the URL. On other tested iOS versions, the URL opens correctly. Test Results: Reproduced / Not working: iPhone 15 Pro, iOS 26.4: reproduced 3/3 iPhone 17e, iOS 26.4: reproduced Not reproduced / Working: iPhone SE, iOS 17.7: Safari opens successfully iPhone 14 Pro Max, iOS 17.6.1: Safari opens successfully, 0/3 reproduced iPhone 12 Pro, iOS 18.7.7: Safari opens successfully iPhone 11 Pro Max, iOS 18.7.8: Safari opens successfully, 0/3 reproduced Additional Notes: We confirmed that Safari usage restrictions and browser launch-related configuration profiles were not applied on the affected test device. A sysdiagnose was collected from the affected iPhone 15 Pro running iOS 26.4. From the logs, it appears that the Settings app / Preferences attempts to open Safari, but the URL cannot be opened. The log suggests that an invalid or unexpected URL may be passed from the Settings app when the Software Update screen link is tapped. This issue does not appear to be specific to the MDM server implementation, because the same Declarative OS Update configuration works correctly on iOS 17.x and iOS 18.x devices. Based on current testing, this may be an iOS 26.4-specific issue with how the Software Update screen handles the DetailURL link.

Hello, I’m trying to clarify whether the new Age Range / Age Assurance Setup Assistant pane can be skipped on macOS when using a standard MDM Device Enrollment flow, not Automated Device Enrollment. Environment: Platform: macOS Tahoe 26.5.1 Enrollment type: MDM Device Enrollment, not ADE / DEP MDM: Microsoft Intune Profile deployment channel: Device profile Payload type: com.apple.SetupAssistant.managed Key used: SkipSetupItems Skip items tested: AgeAssurance AgeBasedSafetySettings The configuration profile installs successfully on the Mac as a device profile. I can confirm that the com.apple.SetupAssistant.managed payload is present on the device and includes the tested SkipSetupItems values. However, the Age Range / age-related Setup Assistant pane is still shown to the user. Example payload content: <dict> <key>PayloadType</key> <string>com.apple.SetupAssistant.managed</string> <key>PayloadIdentifier</key> <string>com.example.setupassistant.managed</string> <key>PayloadUUID</key> <string>REDACTED-UUID</string> <key>PayloadVersion</key> <integer>1</integer> <key>PayloadDisplayName</key> <string>Managed Setup Assistant</string> <key>SkipSetupItems</key> <array> <string>AgeAssurance</string> <string>AgeBasedSafetySettings</string> </array> </dict> What I expected: When the com.apple.SetupAssistant.managed payload is installed as a device-level profile and includes the relevant age-related skip keys, the Age Range / Age Assurance pane should be skipped during Setup Assistant, or Apple documentation should state clearly that this pane can only be skipped in ADE. What actually happens: The profile installs, but the Age Range / age-related Setup Assistant pane still appears to the user on macOS 26.5.1. Documentation ambiguity: Apple’s Setup Assistant payload documentation says: The supported payload identifier is com.apple.SetupAssistant.managed Supported operating systems/channels include macOS device and macOS user Supported enrollment methods include User Enrollment, Device Enrollment, and Automated Device Enrollment SkipSetupItems is a list of Setup Assistant panes that can be skipped Apple’s macOS Tahoe 26 enterprise notes say: “The new Age Range setup pane is automatically skipped for devices using Automated Device Enrollment.” That wording clearly mentions ADE, but I have not found documentation that explicitly states whether the Age Range pane is intentionally unsupported for non-ADE macOS MDM enrollment, or whether there is a separate skip key required for macOS. Third-party MDM/tooling documentation appears to reference the following newer skip keys: AgeAssurance AgeBasedSafetySettings However, it is unclear whether those keys are supported on macOS, iOS/iPadOS only, ADE only, or all MDM enrollment methods. Questions: Are AgeAssurance and AgeBasedSafetySettings valid SkipSetupItems values on macOS 26.5.1? If yes, are they supported only during Automated Device Enrollment, or should they also work with standard MDM Device Enrollment? If these keys are iOS/iPadOS-only, what is the correct macOS skip item for the Age Range / age-related Setup Assistant pane? Is the Age Range pane intentionally only auto-skipped in ADE on macOS? Should Apple’s public Device Management / SkipKeys documentation be updated to list the correct key names, supported platforms, minimum OS versions, and enrollment requirements? This is important for Mac deployments where devices are enrolled into MDM but are not assigned through Apple Business Manager / Automated Device Enrollment. At the moment, it is difficult to determine whether the behavior is expected, unsupported, or a bug in macOS / Setup Assistant / MDM profile handling. Thanks.

We use managed Apple accounts for all users in our environment. One of these accounts is associated with an App Store app. Currently the developer console has a banner that says: "There's no credit/debit card on the Apple Online Store associated with your Apple ID to auto-renew your membership." This account, as well as my own admin account, are unable to add a payment method to our Apple account. We're missing the "Payments & Shipping" button on the Manage Account page. How can we renew our developer subscription to keep our app on the App Store? It's critical for us that the account that owns this app is managed. TIA

Hi Team, Request your help with the below queries. Regarding target-local-date-time status item https://github.com/apple/device-management/blob/release/declarative/status/softwareupdate.pending-version.yaml#L59. The value reported is not the same sent to the device, looks like it is being converted into UTC and sent. Please confirm if this value sent here will be in UTC always, the github link mentions it will be local date time value and does not mention that i will be in UTC. In the softwareupdate.enforcement.specific schema it is clearly mentioned we should not use any timezone. Please find below a sample payload sent to the device and the status report from the device. Device time zone is IST ("Asia/Kolkata") Target local date time is property for iOS is not matching the schema. The property is "softwareupdate.target-local-date-time" instead of "target-local-date-time". Payload: {{"Identifier":"v1|CONFIGURATION|OS_UPDATE|26.5|8ba807e8-6a75-4c50-a379-b7363c4c82fc","ServerToken":"vH|86iQ8CT5QdgErs5ZNQXpUAX4YntAr5kMxkeRNHcXDKg=","Type":"com.apple.configuration.softwareupdate.enforcement.specific","Payload":{"TargetOSVersion":"26.5","TargetLocalDateTime":"2026-06-30T10:00:00"}} Status Report from device: "StatusItems" : { "softwareupdate" : { "install-state" : "downloading", "pending-version" : { "build-version" : "23F77", "os-version" : "26.5", "softwareupdate.target-local-date-time" : "2026-06-30 04:30:00 +0000" } } }, "Errors" : [ ] } For MacOS TimeZone value is not included in DeviceInformation command, even when the request Queries contains <string>TimeZone</string>. Please find below part of the request sent to the device. The device was on OS version 26.0, which is supported as per documentation. <plist Version="1.0"> <dict> <key>CommandUUID</key> <string>4a79dd95-e4bb-450b-96cc-82f61ae4c89e</string> <key>Command</key> <dict> <key>RequestType</key> <string>DeviceInformation</string> <key>Queries</key> <array> <string>DeviceName</string> <string>OSVersion</string> ... <string>TimeZone</string> .. </array> </dict> </dict> </plist>

Requesting com.apple.managed-keychain Entitlement for Enterprise S/MIME Cert Visibility Platform: iOS | Distribution: MDM (Microsoft Intune) | Not App Store We are developing an internal enterprise iOS app (EMS Assist, com.company.supportcompanion) for Company deployed exclusively to Intune-managed devices. Our requirement: Read S/MIME certificates pushed to the device via Intune SCEP profiles to: Confirm cert presence in the MDM-managed keychain Read expiry date (kSecAttrNotValidAfter) to warn users before expiry Distinguish between missing, expired, and valid cert states What we have tried: Standard SecItemCopyMatching query — returns only app-installed certs, not MDM-pushed certs Graph API (deviceConfigurationStates) — confirms profile compliance but does not expose actual cert expiry or keychain presence Our understanding: com.apple.managed-keychain is required for an app to access MDM-managed keychain items on supervised devices, combined with a matching keychain-access-groups entitlement and the cert profile configured as "always available" in MDM. Questions: Is com.apple.managed-keychain the correct entitlement for this use case? Does it apply to SCEP/PKCS-issued certificates specifically, or only other MDM keychain items? Has anyone successfully accessed Intune-pushed S/MIME certs from an iOS app using this entitlement? Any guidance from the community or Apple engineers would be appreciated.

We have an Apple Watch app and companion iPhone app that we distribute via Enterprise Distribution using OTA manual installation. (We are on an Apple Enterprise Developer Team) With WatchOS 26.4 and earlier, the app would install fine on both the phone and the watch. However, after updating to WatchOS 26.5 (and iOS 26.5), the app will not install on the watch. It will install on the phone and we can trust the developer/run the phone app. However, when we go into the Apple Watch app on the phone and choose "Install" for the app, it tries to install for a minute and then returns an error "The app could not be installed at this time". We have tried the following remedies: Restarting both watch and phone, and reinstalling the app on phone Factory resetting both the watch and the phone, then reinstalling app Generating a new Distribution Certificate and new manual profiles for the app in Apple Developer Looking through console logs from both the phone and the watch Confirmed that we can install other (non-Enterprise) apps on the watch Try installing a basic example app (the default Xcode watch + companion app project) There does not seem to be anything obviously amiss about the app or its packaging, it seems to be something to do with the update to WatchOS 26.5. The closest related errors we have found seems to be these: appconduitd 0x16d43f000 -[ACXInstallQueue _onQueue_deQueueNextOperation]_block_invoke_3: Failed to install app .EnterpriseInstallTest.watchkitapp (p = Y, ui = Y) : Error Domain=ACXErrorDomain Code=8 "Failed to create socket" UserInfo={NSUnderlyingError=0xcf9138e10 {Error Domain=com.apple.identityservices.error Code=20 "Socket open timed out" UserInfo={NSLocalizedDescription=Socket open timed out}}, FunctionName=-[ACXServerInstallOperation _onQueue_prepForTransferAndInstall]_block_invoke, SourceFileLine=370, NSLocalizedDescription=Failed to create socket} appconduitd 0x16d89f000 -[ACXCompanionSyncConnection _installQueuedOrCompletedForWatchBundleID:companionAppBundleID:withName:userInitiated:withError:withCompletion:]_block_invoke: Failed to install app .EnterpriseInstallTest.watchkitapp : Error Domain=ACXErrorDomain Code=8 "Failed to create socket" UserInfo={NSUnderlyingError=0xcf9138e10 {Error Domain=com.apple.identityservices.error Code=20 "Socket open timed out" UserInfo={NSLocalizedDescription=Socket open timed out}}, FunctionName=-[ACXServerInstallOperation _onQueue_prepForTransferAndInstall]_block_invoke, SourceFileLine=370, NSLocalizedDescription=Failed to create socket}

Hello I am looking at taking advantage of managing some features via DDM in an app. I noticed in the ServicesConfigurationFiles link (https://developer.apple.com/documentation/devicemanagement/servicesconfigurationfiles) it says You can create an executable that uses service configuration files by calling the mcf_service_path_for_service_type method in the libmanagedconfigurationfiles.dylib system library. You pass in an identifier for your service type and the method returns the file system path for the directory that contains the corresponding service configuration files. Use those files to override the standard or default configuration the executable would otherwise use. See libmanagedconfigurationfiles.h in the macOS SDK for more detail. I can't find any more references or information on mcf_service_path_for_service_type, libmanagedconfigurationfiles.dylib or libmanagedconfigurationfiles.h anywhere. Is there any information somewhere about this? Or how to use it? Or a POC small example?