Hey everyone, Is it possible and how to get Managed Apple ID (email) programmatically for user signed in to ipad through shared IPad feature ? It would be good to have MDM independent solution, I mean API call to MDM service is not acceptable for us. Maybe API call to ASM or ABM, or get that somehow on iOS device end... any advice ? Thanks in advance, Dima

Microsoft are retiring the “Azure AD Graph API”. We allow the use of Apple email apps in our M365 tenant via the “Apple Internet Accounts” Entra ID Enterprise Application, however this is using the “User.Read” permission from this retiring “Azure AD Graph API”. My concern is that Apple email app’s will stop working in our tenant when Microsoft retire the “Azure AD Graph API” and this permission is removed, as this is an Apple managed Enterprise Application, we have no method of changing the permissions ourselves. I have not been able to find any information on how the “Apple Internet Accounts” Entra ID Enterprise Application can be updated to use the required, newer “Microsoft Graph API” “User.Read” permission. It is not possible for us to change the permissions on the “Apple Internet Accounts” Entra ID Enterprise Application in our tenant, my assumption is that Apple would need to deploy a newer version of Email app that uses the newer “Microsoft Graph API” “User.Read” permission, and we would then need to consent the use of this new permission in our tenant. I would have thought Apple would have deploy this by now, but we have not seen any consent requests. Does anyone have any information about how Apple are handling this Microsoft change and how we can pre-emptively update the “Apple Internet Accounts” Entra ID Enterprise Application to ensure that Apple email client continue to work in our tenant? Many thanks.

Recently, we have encountered some users who have been unable to open the enterprise signature application after upgrading to version 18.3.2, without an IPS file. Through system logs, we found that signature verification has occurred SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-50 "rsa_pub_crypt failed, ccerr=-7" UserInfo={numberOfErrorsDeep=0, NSDescription=rsa_pub_crypt failed, ccerr=-7} Waiting for the information, I will provide the obtained system logs below. The application package name that crashed is com. mobile. moa aa.txt new

10:17:34.335397+0900 Process SpringBoard Bootstrapping failed for <FBApplicationProcess: 0x4d8eca700; app<com.a.b.c>:> with error: <NSError: 0x300a3d1d0; domain: RBSRequestErrorDomain; code: 5; "Launch failed."> { NSUnderlyingError = <NSError: 0x300a54090; domain: NSPOSIXErrorDomain; code: 85> { NSLocalizedDescription = Launchd job spawn failed; }; }

Hello, I've noticed some unexpected behavior when updating a user's FileVault password. The set up: All actions are performed in virtualized macOS 14 and 15.5 guests on a 15.5 Apple Silicon host. FileVault is enabled. sjsp is a standard user with a Secure Token. The Mac is bound to AD, and the domain is reachable. Reproduction: systemctl -secureTokenStatus sjsp shows it's ENABLED. fdesetup remove -user sjsp fdesetup add -usertoadd sjsp systemctl -secureTokenStatus sjsp shows it's DISABLED. Surprisingly, sjsp is still able to unlock FileVault. Looking at unified logs for opendirectoryd and fdesetup, I see that a password change is being attempted in response to fdesetup add, which is unexpected. default 13:34:41.320883+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) info 13:34:41.321317+0100 opendirectoryd No unlock record exists for E5CC46D7-0C1F-4009-8421-9AA8217CB784 info 13:34:41.321331+0100 opendirectoryd <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) is not a SecureToken user: no unlock record default 13:34:41.321341+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784): user <private> SecureToken, only new password provided, credential <private> default 13:34:41.321454+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) with no existing unlock record info 13:34:41.321857+0100 opendirectoryd No unlock record exists for E5CC46D7-0C1F-4009-8421-9AA8217CB784 default 13:34:41.321873+0100 opendirectoryd Record <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) is eligible for SecureToken default 13:34:41.322637+0100 fdesetup DMAPFS cryptoUserForMacOSUserForVolume DMErr=-69594 retErr=-69594 outAPFSCryptoUser=(null) default 13:34:41.322699+0100 opendirectoryd While changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784): Not adding SecureToken; other unlock records exist, but no existing unlock record provided If I disconnect the network and follow the reproduction steps then the Secure Token is retained. Reconnecting and waiting a while doesn't cause the Secure Token to be lost. There are no log entries about attempting to change the password. Any help or explanation would be appreciated, thanks in advance.

Hello everyone, I recently changed the phone number associated with my Apple ID (about 4 days ago), but I’m still receiving the two-factor authentication verification codes on my old number instead of the new one. Has anyone experienced this? Is there a delay on Apple’s side, or is there something else I need to do to complete the update?

We are trying the renewal the apple Enterprise program. It asks set of questions after that it shows the below message "Thank you for your request to renew your membership in the Apple Developer Enterprise Program. We’ll review your submission and get back to you shortly to let you know if we can process the renewal or if another program better serves your organization’s needs." We have submitted for review for over two months now. During these two months, we have contacted the official customer service multiple times, only to be told to wait for news. Now, with only a few days left, The status hasn't changed, neither approved nor rejected，what should we do？This account is very important to our company. Thank you

Hi, I was looking for advice on the suitable mac to get for a web app development project for university . Would an Apple MacBook Air 2020 M1 8GB RAM 256GB SSD 13.3" macOS Big Sur, be sufficient ?? Or would I need a newer version !

The question: Is there any chance that Apple will integrate Intune SDK into Apple apps such as Mail or Calendar, or create Siri-compatible Intune SDK-integrated versions of Mail and Calendar? The reason for the question: My team has been asked by VIPs in our company (e.g. execs and board members) if Siri can be used with Outlook, and the only way is through Shortcuts or by adding the Outlook account to Mail. Both of these options would violate our security policies for these reasons: Since our company policy and federal regulations don't permit us to allow access to company resources on non-MAM-protected apps, we can't allow our users to login to the Mail app and make full use of Siri, due to the lack of MAM controls for Mail and Calendar. We only allow users to transfer data between policy-managed apps which have integrated the Intune SDK allowing us to enforce DLP and other security measures. The only way to enable Shortcuts would be to disable these security measures.

Hi, We're having problems starting an Ad Hoc ipa on an iPad with iOS 12.7.7 and 12.7.8. The iPad's UUID has been added to the provisioning profile. The iPad that we are trying to start the app on is online, so Apple's certificate validation server should be reachable. We don't have any problems with iOS versions above iOS 12. The .ipa was built using the latest version of Xcode (26.2, build 17C52). Here is the anonymised and reduced console log (only the app launch / bootstrap part): default 07:29:35.683108+0100 SpringBoard Icon touch began: <private> default 07:29:35.752640+0100 SpringBoard Icon tapped: <private> default 07:29:35.768538+0100 trustd cert[0]: SubjectCommonName =(leaf)[]> 0 default 07:29:35.791500+0100 SpringBoard Trust evaluate failure: [leaf IssuerCommonName LeafMarkerOid SubjectCommonName] default 07:29:35.793654+0100 trustd cert[0]: IssuerCommonName =(path)[]> 0 default 07:29:36.043497+0100 assertiond Submitting new job for "<APP_BUNDLE_ID>" on behalf of SpringBoard (pid: 48) default 07:29:36.044393+0100 SpringBoard Bootstrapping <APP_BUNDLE_ID> with intent foreground-interactive error 07:29:36.045124+0100 SpringBoard [<APP_BUNDLE_ID>] Bootstrap failed with error: domain: BKSProcessErrorDomain, code: 1 (bootstrap-failed), reason: "Failed to start job" error 07:29:36.045214+0100 SpringBoard Bootstrapping failed for <APP_BUNDLE_ID> (pid: -1): Error Domain=BKSProcessErrorDomain Code=1 "Unable to bootstrap process with bundleID <APP_BUNDLE_ID>" NSLocalizedFailureReason=Failed to start job NSUnderlyingError=NSPOSIXErrorDomain Code=3 "No such process" BKLaunchdOperation=launch_get_running_pid_4SB BKLaunchdJobLabel=<LAUNCHD_JOB_LABEL> BKSProcessJobLabel=<LAUNCHD_JOB_LABEL> default 07:29:36.046078+0100 assertiond Submitted job with label: <LAUNCHD_JOB_LABEL> default 07:29:36.046442+0100 assertiond Unable to get pid for '<LAUNCHD_JOB_LABEL>': No such process (3) error 07:29:36.046542+0100 assertiond Failed to start job: NSPOSIXErrorDomain Code=3 "No such process" default 07:29:36.046607+0100 assertiond Deleted job with label: <LAUNCHD_JOB_LABEL> default 07:29:36.081068+0100 SpringBoard Application process state changed for <APP_BUNDLE_ID>: pid: -1; taskState: Not Running

Hey folks, I work as a software development consultant. We develop enterprise applications for our clients, and the apps we create are usually for internal use. We've ran into a bit of a conundrum with a client who doesn't have their own Apple Enterprise account, and neither do we as we don't meet the criteria, but they're wanting to distribute an application we've built for them via their own MDM software. We are not entirely sure how to provide them with a distribution ready .ipa file that isn't AdHoc and will be recognized as a secure app. We've looked into generating a Developer ID provisioning profile and accompanying cert, however we're running into a problem where the platform of our app (iOS) doesn't match the platform required by the Developer ID profile (macOS). I've also come across the idea of resigning an .ipa, but again, the client doesn't have a Apple Developer account and expects the working .ipa to be included in the service rendered. Any suggestions or advice or documentation around the subject would be greatly appreciated. Thanks, Ale

Guideline 3.1.1 - Business - Payments - In-App Purchase The app includes an account registration feature for businesses and organizations, which is considered access to external mechanisms for purchases or subscriptions to be used in the app. Next Steps Remove the account registration features for business and organizations. Our application currently allows users to register and create multiple accounts using a phone number. All users can freely create an account. The app is designed to help users manage their own products, orders, and sales invoices. It is purely a sales management tool. We do not provide any external purchase links, external payment methods, or subscription mechanisms outside of Apple’s In-App Purchase system. However, our app was rejected under Guideline 3.1.1 with the explanation that the app includes “account registration for businesses or organizations,” which is considered access to external purchase mechanisms. We are confused about this interpretation. From our understanding: Any individual user can register. The registration process is only for authentication and data management. The app must include an account registration feature in order to function properly. There is no external purchasing mechanism involved in the registration process. Could someone please clarify: Why would allowing users (including small business owners) to register accounts be considered “access to external purchase mechanisms”? What specifically qualifies as “account registration for businesses or organizations” under Guideline 3.1.1? What changes would be required to comply with the guideline while still keeping mandatory account registration? We would greatly appreciate clarification so we can properly address the issue and ensure full compliance with App Store policies. Thank you.

Hello, I am Sergio Sánchez, administrator of NumbuX. We are developing our own MDM. We are already granted as a MDM Vendor. We need to issue the APNs certificate for our MDM for the first time in the Push Certificate portal (identity.apple.com). We are having the error: “invalid signing request” when we upload the signed CSR to identity.apple.com. That is because we do not have the External UUID. Could you please let us know what is our External UUID? Without that, we cannot upload it successfully. We have already compared different signed CSR from other MDM Vendors and all have included the External UUID in the CSR. Please, do not send links, there is not way for us to know our External UUID because it is the first time that we try to issue this APNs. After the first time, we do not need your assitance. Please, let us know our External UUID. Thank you. Kind regards.

We have an office application used internally within our enterprise. The Provisioning Profiles (PP) for the app were about to expire, so we updated the PP and released a new version. However, we've encountered an issue where some users did not update their phones in time. After the app expired, they found it unusable and downloaded the new version, but the newly downloaded app also crashes on launch. Restarting the phone does not resolve the issue, and this primarily occurs on iOS 18.3.2. What could be the cause of this problem, and how should we address it?

We are encountering a critical issue where an enterprise-signed iOS app crashes immediately after installation on devices running iOS 18.3.2 (22D82). The same app runs fine on other iOS versions (including iOS 18.3.1 and earlier). Issue Summary: After upgrading to iOS 18.3.2, users are unable to launch our enterprise app (Bundle ID: com.kt.MobileDRM). The app installs successfully but crashes immediately upon launch. This issue occurs only on iOS 18.3.2, not on earlier versions or other iPadOS/iOS devices. System Log Snippet: SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-50 "rsa_pub_crypt failed, ccerr=-7" UserInfo={numberOfErrorsDeep=0, NSDescription=rsa_pub_crypt failed, ccerr=-7} Additional Info: The app is signed with a valid enterprise certificate. No changes were made to the app binary or signing configuration before this issue started. We are not using an IPS file. A similar app (different bundle ID) shows the same behavior on iPadOS 18.3.2 but runs fine on other versions. Questions: Has there been a change in iOS 18.3.2 that affects enterprise certificate validation? Does ccerr=-7 indicate a cryptographic change or stricter signature verification? Are there updated requirements or provisioning profile constraints we should be aware of for iOS 18.3.2? We would greatly appreciate any insights or official guidance regarding this issue. Thank you!

Hi, I run a midsize business. Apple recommends for company owned devices and for other reasons to use Apple Business managed Apple IDs for the employees. After that, you have to use a MDM System for e.g. deploying apps and licenses. Testflight is an app that can be deployed too. But....Testflight can not more than to say "Hello" on a managed device. The use of Testflight and to test our developed apps is not possible with a managed ID. Can anyone explain to me this thinking or what is recommended than. Setting up a private Apple ID for that purpose...which on the other hand, Apple do not want or does not recommend.