Hi, I developed a Platform Single Sign-On extension and a corresponding extension for my IdP, which is Keycloak based. The code for both projects are here: https://github.com/unioslo/keycloak-psso-extension and https://github.com/unioslo/weblogin-mac-sso-extension I realized that, when using the Secure Enclave as the AuthenticationMethod, and according to Apple's documentation, the Extension doesn’t obtain fresh ID Tokens when they expire if the refresh token is still valid. When using password as the Authentication Method, it fetches new ID tokens when they expire, without prompting the user for credentials, by using the refresh token. My suggestion is that the same behavior should be implemented for Secure Enclave keys. The thing here is that usually, on OIDC flows, the ID/Access tokens are short-lived. It would make sense for the extension to provide fresh ID tokens. It doesn’t seem to make sense for me that, when using passwords, the extension would fetch these tokens, and not when having the Secure Enclave key. By not doing this, Apple almost forces the developer of an extension to fetch new ID tokens themselves, which doens’t make sense when it clearly provides fresh tokens when using passwords. It almost forces the developers to either implement that logic themselves, or to issue longer tokens, which is not so nice. How so you deal with this? Do you simply use the refresh token as an authentication token, or do you do some sort of manual refresh on the extension?

Hi, We developed a Platform SSO extension for our IdP, Keycloak. It would be great to get some feedback on it: https://francisaugusto.com/2025/Platform_single_sign_on_diy/

We have been trying to figure out how to block Apple Private Relay in our enterprise so we can monitor and filter our employees traffic. We are able to block the Private Relay via this process: We used this article from Fortinet to achieve this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-iCloud-Private-Relay-from-bypassing/ta-p/228629 This also appears to block the users ability to utilize Apple iCloud Drive Backups. They would like to allow that still. Is there a way to block iCloud Private Relay while still allowing iCloud Drive Backups to work? I am not finding a document listing the URL requirements for iCloud Drive Backups. We currently have this solution in place: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-allow-iCloud-private-relay/ta-p/383703 Basically this solution is allowing all Apple URL/IPs to go through the firewall and not be filtered. They would like to scan the traffic through. When scanning is enabled the firewall blocks the iCloud Private Relay traffic as it is blocked as being a proxy. Any guidance is greatly appreciated.

The profile expiration date is approaching, and no amount of inquiries will solve it. Create a new profile Download a new profile from Xcode Press archive, press Distribute App, press Enterprise, and distribute Invalid expiration date in profile of summary of review app.ipa content I've tried everything that comes out by Googleing profiles, such as regenerating profiles, erasing caches, updating Xcode, updating macOS, deleting existing profile information, etc. Expiration date different from the expiration date of the profile created in that menu is displayed. The expiration date of the profile I created is December 8, 2026, and the previous certificate is January 22, 2026. However, the profile information of the generated ipa is February 12, 2026. So I can't distribute this app because I'm scared, and the expiration date is coming up. Users should have a period of time to update. Get me a novice developer who's choking up.

I have a question regarding MDM functionality for iOS/iPadOS. Background: According to Apple's support page(https://support.apple.com/en-us/125073), since iOS 26.1, "Previous Wi-Fi configurations will be replaced when a new profile is installed." We have observed that because of this change, when we apply a Wi-Fi configuration profile to an iPad via MDM, the manually configured network settings on the device (specifically, "Configure IPv4" and "Configure DNS") are reset to "Automatic". This erases the manually entered IP address, subnet mask, router, and DNS server addresses. Goal: We want to apply a Wi-Fi configuration profile from our MDM server to connect the device to a specific SSID, while preserving the manual IP and DNS settings that have been configured on the device. Question: Is there a way to prevent the IPv4 and DNS settings from being switched from "Manual" to "Automatic" when applying the configuration profile? For example, is there a specific key-value pair we can add to the profile to either preserve the existing manual settings, or to explicitly define manual/static IP settings within the profile itself for iOS/iPadOS? Reference: Sample Configuration Profile Below is a simplified version of the Wi-Fi configuration profile we are currently using. This profile does not contain any keys for IP address configuration. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadType</key> <string>com.apple.wifi.managed</string> <key>PayloadIdentifier</key> <string>com.apple.wifi.managed.13E2E6B3-D4B9-4E23-888A-524B3ED40C38</string> <key>PayloadUUID</key> <string>13E2E6B3-D4B9-4E23-888A-524B3ED40C38</string> <key>PayloadVersion</key> <integer>1</integer> <key>SSID_STR</key> <string>SSID</string> <key>EncryptionType</key> <string>WPA</string> <key>Password</key> <string>Password</string> </dict> </array> <key>PayloadType</key> <string>Configuration</string> </dict> </plist>

Hello Apple Developer Community, I'm experiencing an invalid_client error (HTTP 400) when attempting to authenticate with the Apple School Manager API using OAuth2 with JWT bearer assertion (RFC 7523). Despite verifying all configuration values and following Apple's documentation, I continue to receive this error. Error Details Error: invalid_client HTTP Status: 400 Bad Request Endpoint: https://appleid.apple.com/auth/oauth2/v2/token Response: {"error": "invalid_client"} My Configuration All values have been verified to match Apple School Manager exactly: Organization ID: 55155430 Key ID: 8136a1f6-c995-4010-b964-bc8278c107ef Client ID (Service ID): SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 Private Key: Loads correctly, signs JWT properly (ES256) JWT Configuration I'm generating a JWT with the following structure: Header: { "alg": "ES256", "kid": "8136a1f6-c995-4010-b964-bc8278c107ef", "typ": "JWT" } Payload: { "iss": "55155430", "sub": "SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59", "aud": "https://appleid.apple.com", "iat": [timestamp], "exp": [timestamp + 30 days] } Token Request Method: POST Content-Type: application/x-www-form-urlencoded Parameters: grant_type: client_credentials client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion: [JWT token] scope: https://api.apple.com/auth/schoolmanager What I've Verified ✅ All configuration values match Apple School Manager exactly ✅ Private key file exists and loads correctly ✅ JWT is generated with correct structure (ES256, proper claims) ✅ Key ID in JWT header matches the Key ID from Apple School Manager ✅ Request format matches OAuth2 RFC 7523 specification ✅ Content-Type header is application/x-www-form-urlencoded ✅ Tried both Client ID and Organization ID as sub claim (both fail with same error) ✅ DNS resolution and API connectivity are working ✅ API account appears active in Apple School Manager interface What I've Tried Using Client ID as sub: Tried using SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 as the sub claim Using Organization ID as sub: Tried using 55155430 as the sub claim (fallback) With and without scope: Tried both including and excluding the scope parameter Different JWT expiration: Tried various expiration times (30 days, 180 days) Verified Service ID format: Confirmed the Client ID follows the SCHOOLAPI.xxxxx-xxxxx-xxxxx format Both attempts (Client ID and Organization ID as sub) return the same invalid_client error. Previous Support Interaction I've contacted Apple Developer Support (Case #102783504559). They confirmed: The technical implementation is correct The issue is an account access/permission problem My Apple Account email is not associated with any memberships The Account Holder must add me to the Enterprise team membership However, I'm posting here to see if anyone in the community has: Experienced similar issues and found a solution Additional technical insights about the invalid_client error Suggestions for what else to verify or try Questions Is there a specific format requirement for the sub claim? Should it be the Client ID (Service ID) or Organization ID? I've tried both. Are there any additional claims required in the JWT beyond iss, sub, aud, iat, exp? Could there be a backend issue with the API account even though it appears active in Apple School Manager? Has anyone successfully resolved an invalid_client error that wasn't related to account access? Is there a delay after creating an API account before it becomes fully active for authentication? Technical Details Language: Python (Flask) JWT Library: PyJWT with cryptography library Algorithm: ES256 (ECDSA P-256) OAuth2 Flow: Client Credentials Grant with JWT Bearer Assertion (RFC 7523) Error Log I've generated a detailed error log showing the exact request/response. The key points: HTTP 400 Bad Request Response: {"error":"invalid_client"} Same error occurs with both Client ID and Organization ID as sub Any Help Appreciated If anyone has encountered this issue or has insights into what might be causing it, I'd greatly appreciate your help. I'm happy to provide additional details or try any suggestions. Thank you! Case Number: 102783504559 API Account: Created in Apple School Manager Status: API account appears active, but authentication fails

We are using an app created with the Apple Developer Enterprise Program within our company. Every year, we recreate and distribute the app in conjunction with the renewal of the provisioning profile. Currently, there are cases where an app that expired in September 2025 is still running, which is causing problems. What could be the cause of this? The app operates on a VPN, but Apple domains are accessible.

Hello folks, I stumbled upon a weird CNContact serialization problem. I use the Contacts framework to update the AIM field, which is one of the instantMessageAddresses within a single Contact. Here is the simplified code I used: func updateAIMFieldOn(contact: CNContact, aimValue: String) { do { guard let mutableContact = contact.mutableCopy() as? CNMutableContact else { logger.error("[CM] Couldn't update contact with aim \(aimValue)") return } var updatedAddresses = mutableContact.instantMessageAddresses updatedAddresses.append(CNLabeledValue(label: "", value: CNInstantMessageAddress(username: aimValue, service: CNInstantMessageServiceAIM))) mutableContact.instantMessageAddresses = updatedAddresses let saveRequest = CNSaveRequest() saveRequest.update(mutableContact) try CNContactStore().execute(saveRequest) logger.verbose("Contact's AIM updated successfully!") } catch { logger.error("Couldn't update contact") } } And after serializing the contact to data, and then deserializing, the contact got two AIM fields with the same value: X-AIM;type=pref:some:part:of_my_aim_value IMPP;X-SERVICE-TYPE=AIM;type=pref:some:part:of_my_aim_value Why does it work in this manner? Is it possible that ":" char causes that? Format of my aim username is {some:part:of_my_aim_value}. I didn't find any information in the docs. Thanks!

Hey everyone, Is it possible and how to get Managed Apple ID (email) programmatically for user signed in to ipad through shared IPad feature ? It would be good to have MDM independent solution, I mean API call to MDM service is not acceptable for us. Maybe API call to ASM or ABM, or get that somehow on iOS device end... any advice ? Thanks in advance, Dima

Microsoft are retiring the “Azure AD Graph API”. We allow the use of Apple email apps in our M365 tenant via the “Apple Internet Accounts” Entra ID Enterprise Application, however this is using the “User.Read” permission from this retiring “Azure AD Graph API”. My concern is that Apple email app’s will stop working in our tenant when Microsoft retire the “Azure AD Graph API” and this permission is removed, as this is an Apple managed Enterprise Application, we have no method of changing the permissions ourselves. I have not been able to find any information on how the “Apple Internet Accounts” Entra ID Enterprise Application can be updated to use the required, newer “Microsoft Graph API” “User.Read” permission. It is not possible for us to change the permissions on the “Apple Internet Accounts” Entra ID Enterprise Application in our tenant, my assumption is that Apple would need to deploy a newer version of Email app that uses the newer “Microsoft Graph API” “User.Read” permission, and we would then need to consent the use of this new permission in our tenant. I would have thought Apple would have deploy this by now, but we have not seen any consent requests. Does anyone have any information about how Apple are handling this Microsoft change and how we can pre-emptively update the “Apple Internet Accounts” Entra ID Enterprise Application to ensure that Apple email client continue to work in our tenant? Many thanks.

My company signed the application with enterprise certificate, the Provisioning Profile expired on March 20, 2025. Some iPhones didn't update the application before the expiration. We have update the Provisioning Profile and repackaged application. However, these iPhones still can't use the application after reinstalling the new ipa. After opening the application, the screen is blank and then flashes back without any error prompt. Restarting iPhone didn't help.

Hello, We have an internal enterprise app. After the provisioning profile (certificate) expired, some employees' iPhones still retained the old certificate when updating the app, causing the app to fail to open. We’ve tried restarting and reinstalling the app, but the issue persists. Having each employee manually reset network or device settings would be too operationally costly. Since this involves a large number of devices, we cannot use Apple Configurator to remove and reinstall certificates one by one. Therefore, we’d like to ask if there is a more efficient, batch-oriented solution to quickly resolve the certificate residue issue. We’d appreciate any suggestions for large-scale deployment methods. Thank you very much!

Hello all, I’m hoping someone here has gone through the process of integrating an ERP system with the Apple GSX API and can offer some guidance. We’re currently working with an AASP who asked us to integrate our ERP with the Apple GSX API. It’s the first time for both of us, and we’re a bit stuck on how to properly get started. The AASP contacted their regional manager, who confirmed that an NDA and an Apple Developer Account would be necessary. However, he hasn’t handled this type of integration before and is still seeking internal guidance. That was a few months ago, and due to his workload, the AASP hasn’t heard back from him yet. Meanwhile, we’ve already enrolled in the Apple Developer Program and opened a support case, but we’ve been redirected to the forums since our case goes beyond standard support. So now we’re trying to understand: What steps need to be completed by the AASP? What are the steps we, as the ERP provider, need to take in order to receive API access? Are there any specific documents, applications, or technical requirements we should prepare in advance? We’d really appreciate any guidance or insight from others who have gone through this process — or even partial answers to help us move forward. Thanks in advance for your time!

Hello, I've noticed some unexpected behavior when updating a user's FileVault password. The set up: All actions are performed in virtualized macOS 14 and 15.5 guests on a 15.5 Apple Silicon host. FileVault is enabled. sjsp is a standard user with a Secure Token. The Mac is bound to AD, and the domain is reachable. Reproduction: systemctl -secureTokenStatus sjsp shows it's ENABLED. fdesetup remove -user sjsp fdesetup add -usertoadd sjsp systemctl -secureTokenStatus sjsp shows it's DISABLED. Surprisingly, sjsp is still able to unlock FileVault. Looking at unified logs for opendirectoryd and fdesetup, I see that a password change is being attempted in response to fdesetup add, which is unexpected. default 13:34:41.320883+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) info 13:34:41.321317+0100 opendirectoryd No unlock record exists for E5CC46D7-0C1F-4009-8421-9AA8217CB784 info 13:34:41.321331+0100 opendirectoryd <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) is not a SecureToken user: no unlock record default 13:34:41.321341+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784): user <private> SecureToken, only new password provided, credential <private> default 13:34:41.321454+0100 opendirectoryd Changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) with no existing unlock record info 13:34:41.321857+0100 opendirectoryd No unlock record exists for E5CC46D7-0C1F-4009-8421-9AA8217CB784 default 13:34:41.321873+0100 opendirectoryd Record <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784) is eligible for SecureToken default 13:34:41.322637+0100 fdesetup DMAPFS cryptoUserForMacOSUserForVolume DMErr=-69594 retErr=-69594 outAPFSCryptoUser=(null) default 13:34:41.322699+0100 opendirectoryd While changing password for <private> (E5CC46D7-0C1F-4009-8421-9AA8217CB784): Not adding SecureToken; other unlock records exist, but no existing unlock record provided If I disconnect the network and follow the reproduction steps then the Secure Token is retained. Reconnecting and waiting a while doesn't cause the Secure Token to be lost. There are no log entries about attempting to change the password. Any help or explanation would be appreciated, thanks in advance.

I am a developer distributing an enterprise app. Recently, some users have intermittently encountered an error message on iOS 18.5 stating: "Unable to install this app because its integrity could not be verified." While the issue could not be reproduced on iPhone 15 / iOS 18.5, we have received reports that it does occur on the following devices: iPhone 14 / iOS 18.5, iPhone 14 Pro / iOS 18.5, iPhone 14 Plus / iOS 18.5, iPhone 16 Pro Max / iOS 18.5, Are there any known issues or recommended solutions regarding this behavior? Thank you in advance for your assistance.

We are trying the renewal the apple Enterprise program. It asks set of questions after that it shows the below message "Thank you for your request to renew your membership in the Apple Developer Enterprise Program. We’ll review your submission and get back to you shortly to let you know if we can process the renewal or if another program better serves your organization’s needs." We have submitted for review for over two months now. During these two months, we have contacted the official customer service multiple times, only to be told to wait for news. Now, with only a few days left, The status hasn't changed, neither approved nor rejected，what should we do？This account is very important to our company. Thank you

Hi everyone, I’m working as an IT engineer in the cruise industry and need to troubleshoot passenger complaints about Apple’s new RCS messaging feature (introduced with iOS 18). Could someone help confirm which domains and ports iPhones use when they send RCS messages? My firewall team wants specifics: domains (or subdomains) that need whitelisting and the ports involved. Any official or community-sourced info would be super helpful—thanks in advance!

Hi team, We need to identify the domains used by macOS Software Update so they can be bypassed by our NETransparentProxy. The Apple support article below lists Software Update and several other Apple service domains. At the moment we’re unsure whether we should only bypass the Software Update and Beta Software domains, or whether we also need to bypass domains used for certificate validation, device management (Apple Business Manager / Apple School Manager / Apple Business Essentials), network provider updates, Apple Diagnostics, etc. We also need the specific IP ranges used exclusively by Software Update. The document shows Apple’s entire IP range; for IPv4 you can allow outbound connections to 17.0.0.0/8. https://support.apple.com/en-in/101555

The question: Is there any chance that Apple will integrate Intune SDK into Apple apps such as Mail or Calendar, or create Siri-compatible Intune SDK-integrated versions of Mail and Calendar? The reason for the question: My team has been asked by VIPs in our company (e.g. execs and board members) if Siri can be used with Outlook, and the only way is through Shortcuts or by adding the Outlook account to Mail. Both of these options would violate our security policies for these reasons: Since our company policy and federal regulations don't permit us to allow access to company resources on non-MAM-protected apps, we can't allow our users to login to the Mail app and make full use of Siri, due to the lack of MAM controls for Mail and Calendar. We only allow users to transfer data between policy-managed apps which have integrated the Intune SDK allowing us to enforce DLP and other security measures. The only way to enable Shortcuts would be to disable these security measures.