We have been trying to figure out how to block Apple Private Relay in our enterprise so we can monitor and filter our employees traffic. We are able to block the Private Relay via this process: We used this article from Fortinet to achieve this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-iCloud-Private-Relay-from-bypassing/ta-p/228629 This also appears to block the users ability to utilize Apple iCloud Drive Backups. They would like to allow that still. Is there a way to block iCloud Private Relay while still allowing iCloud Drive Backups to work? I am not finding a document listing the URL requirements for iCloud Drive Backups. We currently have this solution in place: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-allow-iCloud-private-relay/ta-p/383703 Basically this solution is allowing all Apple URL/IPs to go through the firewall and not be filtered. They would like to scan the traffic through. When scanning is enabled the firewall blocks the iCloud Private Relay traffic as it is blocked as being a proxy. Any guidance is greatly appreciated.

Hello Apple Developer Community, I'm experiencing an invalid_client error (HTTP 400) when attempting to authenticate with the Apple School Manager API using OAuth2 with JWT bearer assertion (RFC 7523). Despite verifying all configuration values and following Apple's documentation, I continue to receive this error. Error Details Error: invalid_client HTTP Status: 400 Bad Request Endpoint: https://appleid.apple.com/auth/oauth2/v2/token Response: {"error": "invalid_client"} My Configuration All values have been verified to match Apple School Manager exactly: Organization ID: 55155430 Key ID: 8136a1f6-c995-4010-b964-bc8278c107ef Client ID (Service ID): SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 Private Key: Loads correctly, signs JWT properly (ES256) JWT Configuration I'm generating a JWT with the following structure: Header: { "alg": "ES256", "kid": "8136a1f6-c995-4010-b964-bc8278c107ef", "typ": "JWT" } Payload: { "iss": "55155430", "sub": "SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59", "aud": "https://appleid.apple.com", "iat": [timestamp], "exp": [timestamp + 30 days] } Token Request Method: POST Content-Type: application/x-www-form-urlencoded Parameters: grant_type: client_credentials client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion: [JWT token] scope: https://api.apple.com/auth/schoolmanager What I've Verified ✅ All configuration values match Apple School Manager exactly ✅ Private key file exists and loads correctly ✅ JWT is generated with correct structure (ES256, proper claims) ✅ Key ID in JWT header matches the Key ID from Apple School Manager ✅ Request format matches OAuth2 RFC 7523 specification ✅ Content-Type header is application/x-www-form-urlencoded ✅ Tried both Client ID and Organization ID as sub claim (both fail with same error) ✅ DNS resolution and API connectivity are working ✅ API account appears active in Apple School Manager interface What I've Tried Using Client ID as sub: Tried using SCHOOLAPI.7c0c10a0-4d8a-4ef8-a2be-eda040b65c59 as the sub claim Using Organization ID as sub: Tried using 55155430 as the sub claim (fallback) With and without scope: Tried both including and excluding the scope parameter Different JWT expiration: Tried various expiration times (30 days, 180 days) Verified Service ID format: Confirmed the Client ID follows the SCHOOLAPI.xxxxx-xxxxx-xxxxx format Both attempts (Client ID and Organization ID as sub) return the same invalid_client error. Previous Support Interaction I've contacted Apple Developer Support (Case #102783504559). They confirmed: The technical implementation is correct The issue is an account access/permission problem My Apple Account email is not associated with any memberships The Account Holder must add me to the Enterprise team membership However, I'm posting here to see if anyone in the community has: Experienced similar issues and found a solution Additional technical insights about the invalid_client error Suggestions for what else to verify or try Questions Is there a specific format requirement for the sub claim? Should it be the Client ID (Service ID) or Organization ID? I've tried both. Are there any additional claims required in the JWT beyond iss, sub, aud, iat, exp? Could there be a backend issue with the API account even though it appears active in Apple School Manager? Has anyone successfully resolved an invalid_client error that wasn't related to account access? Is there a delay after creating an API account before it becomes fully active for authentication? Technical Details Language: Python (Flask) JWT Library: PyJWT with cryptography library Algorithm: ES256 (ECDSA P-256) OAuth2 Flow: Client Credentials Grant with JWT Bearer Assertion (RFC 7523) Error Log I've generated a detailed error log showing the exact request/response. The key points: HTTP 400 Bad Request Response: {"error":"invalid_client"} Same error occurs with both Client ID and Organization ID as sub Any Help Appreciated If anyone has encountered this issue or has insights into what might be causing it, I'd greatly appreciate your help. I'm happy to provide additional details or try any suggestions. Thank you! Case Number: 102783504559 API Account: Created in Apple School Manager Status: API account appears active, but authentication fails

On a supervised device running iOS 18 without any AirDrop restrictions applied, when a profile with allowListedAppBundleIDs restriction key is installed, the AirDrop sound plays. But still the accept prompt does not appear, making it impossible to accept files. The prompt works as expected on iOS 18 devices to which the allowListedAppBundleIDs restriction is not installed. This issue occurs only on supervised iOS 18 devices to which the allowListedAppBundleIDs restriction is being applied. Device must be in iOS 18 version > Install the (allowListedAppBundleIDs restriction) profile with the device > Try to AirDrop files to the managed device. The expected result is that the accept prompt must pop up but it does not appear. This issue is occurring irrespective of any Whitelisted bundle ID being added to the allowListedAppBundleIDs restriction profile. Have attached a few Whitelisted bundle ID here com.talentlms.talentlms.ios.beta, com.maxaccel.safetrack, com.manageengine.mdm.iosagent, com.apple.weather, com.apple.mobilenotes, gov.dot.phmsa.erg2, com.apple.calculator, com.manageengine.mdm.iosagent, com.apple.webapp, com.apple.CoreCDPUI.localSecretPrompt etc. Have raised a Feedback request (FB15709399) with sysdiagnose logs and a short video on the issue.

The Center for Innovation in Education created a reading program designed to teach every single child to read, regardless of any supposed difficulty in learning. The Center conducted a ten-year study of its Reading Program’s effectiveness. Over those ten years, the Center placed 2,048 Reading Program kits in classrooms across America. More than 300,000 children took part in the Center’s study. Results: The Reading Program taught every single child to read in every single classroom, every single year, regardless of any child’s supposed reading readiness - including dyslexic, autistic, and even Down syndrome children. No failures then or in any of the many years that have followed. Despite the Program’s success, educational publishers refused to publish it. Their refusals will be explained and hopefully counteracted in a book that is scheduled to be published in 2026. In response to publishers’ refusal to make the program available, the Center made it available as a free download from its website. The Center also made its program available as 14 free iPad apps. While the apps can be searched for individually by their unique names, since the apps are interrelated and meant to complement one another, the first keyword assigned to all 14 apps was the same. That same keyword is still in its first position for every app. The first keyword listed for each of the 14 apps is the word “Dekodiphukan”. That meant-to-be hard-to-read search word has worked well every year since the apps were introduced. However, in June of this year, that search term could find only 1 of the 14 apps. We reported this problem to Apple Support on June 26th. It is now November, and the problem remains unresolved. The only response we receive each time we ask for an update on the resolution of this problem the answer every time is: Reported search issues of this type require extensive review by Apple to determine whether it is valid and to confirm the appropriate action. There is no other response. No update has ever been sent to us. There is no phone number I can find to call. It was suggested to me by someone I spoke with in a different department at Apple Developers that I post my problem on the Developer Forum, in hopes that someone here can provide a suggestion for a way around this problem. Parents and teachers wishing to use our Reading Program with their children should not have to enter 14 different names to access our Reading Program.

I need to verify my domain for Apple Pay but I'm on Shopify. Domain: blissta.co File IS accessible: https://blissta.co/.well-known/apple-developer-merchantid-domain-association But verification fails because it's a redirect, not direct hosting. Shopify doesn't allow .well-known folder creation. Has anyone solved this? Need either: Way to make Apple accept redirects Shopify workaround for direct file hosting Manual verification from Apple Using Authorize.net gateway. Case #102711828925

We have created provisioning profile from apple developer account for our iPadOS app, the expiry date shown in the profile is 20-Aug-2026. However, when when I build the app with this provisional profile the expiry date shown in the app is 6-May-2026. My Certification expires on 2027. I see a embeded.mobileprovision profile inside the app, and it has an expiry of 6-May-2026. I did a clean build, cleared unnecessary profiles from profile folder, created a new provisional profile and tried, but nothing seems help. We have a few apps, and no other app has this issue, only those two apps have this issue. As the expiry date the shorten, we also need to special handle these two apps, Will you please help me to resolve this issue? Thanks.

Hi Team, Could you please share how to change/extend the expiry date of the existing iOS Distribution (In-House) certificate? Since the membership renewal date is in March 2026 and the iOS distribution(In-House) certificate expiry date is in Feb 2026. We use to distribute the mobile apps using the product intunes (Company portal) and via direct download link. Please suggest since this certificate is used by multiple mobile apps by the users which can affect lot of iPhone users? Thank you in advance Deepak

I have enrolled a macbook through ADE to Apple School Manager and register it to the MDM service. Upon sending the initial DeclarativeManagement payload, the device return the client capabilities as below: "supported-versions": [ "1.0.0" ], "supported-payloads": { "declarations": { "activations": [ "com.apple.activation.simple" ], "assets": [ "com.apple.asset.credential.acme", "com.apple.asset.credential.certificate", "com.apple.asset.credential.identity", "com.apple.asset.credential.scep", "com.apple.asset.credential.userpassword", "com.apple.asset.data", "com.apple.asset.useridentity" ], "configurations": [ "com.apple.configuration.account.caldav", "com.apple.configuration.account.carddav", "com.apple.configuration.account.exchange", "com.apple.configuration.account.google", "com.apple.configuration.account.ldap", "com.apple.configuration.account.mail", "com.apple.configuration.account.subscribed-calendar", "com.apple.configuration.legacy", "com.apple.configuration.legacy.interactive", "com.apple.configuration.management.status-subscriptions", "com.apple.configuration.management.test", "com.apple.configuration.math.settings", "com.apple.configuration.passcode.settings", "com.apple.configuration.safari.extensions.settings", "com.apple.configuration.screensharing.connection", "com.apple.configuration.screensharing.connection.group", "com.apple.configuration.security.certificate", "com.apple.configuration.security.identity", "com.apple.configuration.security.passkey.attestation" ], "management": [ "com.apple.management.organization-info", "com.apple.management.properties", "com.apple.management.server-capabilities" ] }, "status-items": [ "account.list.caldav", "account.list.carddav", "account.list.exchange", "account.list.google", "account.list.ldap", "account.list.mail.incoming", "account.list.mail.outgoing", "account.list.subscribed-calendar", "device.identifier.serial-number", "device.identifier.udid", "device.model.family", "device.model.identifier", "device.model.marketing-name", "device.model.number", "device.operating-system.build-version", "device.operating-system.family", "device.operating-system.marketing-name", "device.operating-system.supplemental.build-version", "device.operating-system.supplemental.extra-version", "device.operating-system.version", "management.client-capabilities", "management.declarations", "screensharing.connection.group.unresolved-connection", "security.certificate.list", "test.array-value", "test.boolean-value", "test.dictionary-value", "test.error-value", "test.integer-value", "test.real-value", "test.string-value" ] }, "supported-features": { } } }, com.apple.configuration.softwareupdate.enforcement.specific couldn't be found. The macbook current OS version is 15.5 and it's supervised so looking at this, I assume it should include the Software Update:Enforcement:Specific capability? https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml When I tried sending the payload to the device anyway the valid status is unknown

Hello, this may not be the correct place to ask this question so I apologize in advance if this is the case. I am currently running into two specifc issues while continuing to implement the app.managed configuration which are quite frustrating and I will detail them below Unlike MDM where an application could be "reinstalled", by sending an install application command down for the same app DM does not have a similar mechanism which causes some issues as (while inconsistent) devices do not always respect the configuration sent down, and will not begin downloading VPP applications. They can be seen in the configuration when checking under VPN & Device Management but they do not return on a status report, alternatively and app will "install" but will have a cloud symbol next to it requiring a download (which I believe would be impossible on supervised devices without apple accounts/have restricted apple accounts associated to them). These apps are also reported incorrectly, as they return a managed response while being inaccessible. Both of these issues are solved by removing and reinstall applications (occasionally). Is there any easier way to trigger a re-install or is this the only way to trigger this? The Version element that can be optionally sent down does not seem to work (or if it does, does so inconsistently). A device will very happily download the application initially with the version element present, though when we detect an updated external ID from the VPP program and send down an updated configuration devices behave unexpectedly. Some have ignored it, some have responded back that a download has begun (with no download taking place and the application clearly still being the initial installed version as can be see in the apps page) or it just works, but there is not consistency. I realize a new UpdateBehavior object has been added to possibly handle this, but it is only supported in iOS 26 and above and there are plenty of people who do not have phones that can upgrade that far. Are there alternative ways to enforce an application update other than uninstalling and reinstalling the application without the version (or will sending down a config without a version after one was originally pinned force it to update to latest?) Kind Regards

Hi Apple team and community, We’re currently integrating with the Apps and Books for Organizations API as part of our device management solution and would like to highlight a few critical points we've encountered — including a reliability issue, an enhancement suggestion, and a request for clarification on API rate limits. 1. Issue: Intermittent 403 Errors with stoken-authenticated-apps Endpoint We are encountering intermittent 403 Forbidden responses from the stoken-authenticated-apps endpoint. Approximately 30–35% of the requests fail with a 403 status code. These failures are inconsistent — the same request (using the same Content Token and Storefront) may succeed upon retry. All requests are properly authenticated and include the required Cookie and other headers as specified in the API documentation. This issue is impacting our ability to reliably fetch app metadata at scale, particularly in workflows. We’d like to know: Is this a known issue? Could it be due to a rate limit or token misconfiguration? Are any changes required on our end to avoid these failures? 2. Enhancement Request: Include externalVersionId in versionHistory Response The versionHistory extension currently returns: versionString releaseNotes releaseDate However, for Declarative Device Management (DDM) workflows such as App Pinning, we need the externalVersionId as well. Without it, we can't reliably correlate version metadata with the specific version ID required for pinning. Adding externalVersionId would: Enable precise version targeting during App Pinning Improve reliability and automation in managed deployments We request that Apple consider including externalVersionId in the versionHistory response to better support DDM-based app lifecycle management. 3. Rate Limit Clarification We found the following note in the Apps and Books for Organizations API documentation: "The Apps and Books for Organizations API limits the number of requests your app can make using a developer token within a specific period of time. If you exceed this limit, you’ll temporarily receive 429 Too Many Requests error responses for requests that use the token. This error resolves itself shortly after the request rate has reduced." While this confirms that a rate limit is enforced, there is no detailed information about the thresholds — such as the number of allowed requests per minute, hour, or day per developer token. To help us implement proper throttling and retry strategies, we request clarification on the following: What is the exact rate limit threshold per developer token? Are there per-endpoint limits, or is it a global cap for all requests using the token? Does the API return a Retry-After header when the limit is exceeded? What is the recommended backoff strategy for clients to follow when receiving 429 errors? This information would help us implement efficient throttling and error handling logic. Any insights from the Apple team or other developers who’ve encountered these issues would be greatly appreciated!

We use Device Management Profile to restrict all apps from using camera on unsupervised devices. It works fine until iOS 26.1 beta. In iOS 26.1, only the camera icon is removed from Home screen, the third party apps can still use camera. In our scenario, the camera of employees' iPhones are disabled when they enter the factory and are restored when they leave. According to the documentation, disabling camera on unsupervised devices is deprecated. But supervision is not feasible option because these iPhones are owned personally by employees. Is there any new solution for camera restriction on unsupervised devices? Thanks.

We are facing an issue with Platform SSO registration on macOS devices for AD-bound user accounts with Microsoft EntraID configuration. We are using the Platform SSO payload on macOS devices integrated with Entra ID, and it works as expected — registration completes successfully, and the password syncs with the Entra ID password. However, when we try the same on macOS devices with AD-bound (mobile) user accounts, the registration does not complete. To elaborate, the process successfully completes the initial WebView authentication but fails at the stage where Apple prompts for the password to sync the local macOS user’s password with the Entra ID password. It does not display any error, and even after entering a valid password, the process does not proceed further. However, when we try the same on a non-AD user account, it works fine. We have checked with Microsoft, and they confirmed that there are no restrictions on their side for AD-bound accounts. Since the issue appears to occur at the Apple system level, they advised us to reach Apple teams on this. Could you please check and let us know how we can proceed with this? Payload used: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>AuthenticationMethod</key> <string>Password</string> <key>ExtensionIdentifier</key> <string>com.microsoft.CompanyPortalMac.ssoextension</string> <key>PayloadDisplayName</key> <string>Extensible Single Sign-On Payload</string> <key>PayloadIdentifier</key> <string>com.apple.extensiblesso.B408A658-3DAF-41FF-8A5D-AE77B380CB7B</string> <key>PayloadType</key> <string>com.apple.extensiblesso</string> <key>PayloadUUID</key> <string>D506CAFD-C802-41F2-9C3E-DF5289C315FF</string> <key>PayloadVersion</key> <integer>1</integer> <key>PlatformSSO</key> <dict> <key>AccountDisplayName</key> <string>EntraID</string> <key>AuthenticationMethod</key> <string>Password</string> <key>EnableCreateUserAtLogin</key> <true/> <key>LoginFrequency</key> <integer>3700</integer> <key>LoginPolicy</key> <array> <string>AttemptAuthentication</string> </array> <key>NewUserAuthorizationMode</key> <string>Admin</string> <key>UseSharedDeviceKeys</key> <true/> <key>UserAuthorizationMode</key> <string>Admin</string> </dict> <key>ScreenLockedBehavior</key> <string>DoNotHandle</string> <key>TeamIdentifier</key> <string>UBF8T346G9</string> <key>Type</key> <string>Redirect</string> <key>URLs</key> <array> <string>https://login.microsoftonline.com</string> <string>https://sts.windows.net</string> <string>https://login.partner.microsoftonline.cn</string> <string>https://login.chinacloudapi.cn</string> <string>https://login.microsoftonline.us</string> <string>https://login.microsoft.com</string> <string>https://login-us.microsoftonline.com</string> </array> </dict> </array> <key>PayloadDisplayName</key> <string>Platform SSO</string> <key>PayloadIdentifier</key> <string>42GBHOLAP04621.1BD5B6D9-640B-4DC3-9275-56DDD191A5FB</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>58548FC6-38D9-4B28-9EDF-BEEAB03BAB23</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

We are trying the renewal the apple Enterprise program. It asks set of questions after that it shows the below message "Thank you for your request to renew your membership in the Apple Developer Enterprise Program. We’ll review your submission and get back to you shortly to let you know if we can process the renewal or if another program better serves your organization’s needs." We have submitted for review for over two months now. During these two months, we have contacted the official customer service multiple times, only to be told to wait for news. Now, with only a few days left, The status hasn't changed, neither approved nor rejected，what should we do？This account is very important to our company. Thank you

Hi everyone, We manage several macs through Microsoft Intune. We've deployed Platform SSO using the password based method (not the Secure Enclave) and have also enforced filevault encryption through policy. What we're trying to achieve is that multiple users can log into the same Mac. For example, I (the initial enrolling user) can log in without issues. However, we want a colleague to be able to log in as well if they're physically in front of the mac. The challenge we've run into is that once filevault is enabled (We're not sure about it but reading on forums it seems that the problem is filevault), it seems the network is not available at the login screen. This means that while the first user can create a mobile account and log in, a second user can't do the same. The moment we try to log in with another set of credentials, we get an immediate error and the password field shakes instantly, suggesting it's not even reaching out to the network or directory to validate the credentials. We'd like to confirm if this behavior is expected when FileVault is active and whether the only solution is to disable FileVault or if there are alternative solutions to allow network connectivity at the login screen. Essentially, we want to know if there's a way to let a second user log in without having to turn off disk encryption. Or if we can pre-authorize a set of users on the mac in order to create all the mobile account needed.. Thanks in advance! Thomas

This is in reference to the feedback ticket : https://feedbackassistant.apple.com/draft/57929340, we would like to know if there are any test enterprise websites that Apple can suggest to test passkeys declaration.

Steps to Reproduce Step 1: Fetch Initial Device List Called the device list endpoint to retrieve all devices and saved the cursor: GET https://mdmenrollment.apple.com/server/devices Step 2: Modify Devices Added and deleted several devices via https://business.apple.com/ Step 3: Sync Without Pagination Called the sync endpoint using the cursor from Step 1 (no limit): GET https://mdmenrollment.apple.com/devices/sync?cursor={step1_cursor} Result: Returned 3 device records as expected: { "devices": [ { "serial_number": "F70JJ4C16L", "op_type": "added", "op_date": "2025-12-11T07:05:05Z" }, { "serial_number": "F70JJ4C16L", "op_type": "deleted", "op_date": "2025-12-11T07:04:36Z" }, { "serial_number": "C8RWGXZXJWF5", "op_type": "deleted", "op_date": "2025-12-11T07:04:52Z" } ], "more_to_follow": false } Step 4: Sync With Pagination (First Page) Called the sync endpoint using the same cursor from Step 1 with limit=1: GET https://mdmenrollment.apple.com/devices/sync?cursor={step1_cursor}&limit=1 Result: Returned 1 record with more_to_follow: true — indicating more data exists: { "devices": [ { "serial_number": "F70JJ4C16L", "op_type": "added", "op_date": "2025-12-11T07:05:05Z" } ], "more_to_follow": true, "cursor": "MTowOjE3NjU0MzgyNDI5ODc6..." } Step 5: Sync With Pagination (Second Page) Called the sync endpoint using the cursor from Step 4 with limit=1: { "devices": [], "more_to_follow": false } Expected Behavior When paginating with limit=1, the API should return all 3 records across 3 sequential requests. Actual Behavior Without pagination: Returns 3 records ✓ With pagination (limit=1): Returns only 1 record, then empty array ✗ 2 records are missing when using pagination. Impact This inconsistency makes the sync API unreliable for incremental device synchronization workflows.

Hi Apple Development forums, I am having trouble getting a Wireguard VPN config setup to automatically disconnect on all domain requests other than one specific domain. I have my .mobileconfig designed as so: <dict> <key>Action</key> <string>EvaluateConnection</string> <key>ActionParameters</key> <array> <dict> <key>Domains</key> <array> <string>service.domainname.com</string> </array> <key>DomainAction</key> <string>ConnectIfNeeded</string> <key>ProbeURL</key> <string>https://service.domainname.com/</string> </dict> </array> </dict> <dict> <key>Action</key> <string>Disconnect</string> <key>DNSDomainMatch</key> <array> <string>*.com</string> <string>*.org</string> <string>*.net</string> </array> </dict> <dict> <key>Action</key> <string>Disconnect</string> </dict> </array> The issue I'm having is regardless of whether I note a *.com or simply have the action Disconnect noted - the VPN stays connected after navigating to https://service.domainname.com. would anyone have any thoughts on this? Or am I missing something here?

Hey folks, I work as a software development consultant. We develop enterprise applications for our clients, and the apps we create are usually for internal use. We've ran into a bit of a conundrum with a client who doesn't have their own Apple Enterprise account, and neither do we as we don't meet the criteria, but they're wanting to distribute an application we've built for them via their own MDM software. We are not entirely sure how to provide them with a distribution ready .ipa file that isn't AdHoc and will be recognized as a secure app. We've looked into generating a Developer ID provisioning profile and accompanying cert, however we're running into a problem where the platform of our app (iOS) doesn't match the platform required by the Developer ID profile (macOS). I've also come across the idea of resigning an .ipa, but again, the client doesn't have a Apple Developer account and expects the working .ipa to be included in the service rendered. Any suggestions or advice or documentation around the subject would be greatly appreciated. Thanks, Ale

Is there a way to check if DDM(Declarative Device Management) is enabled on a device?

Hi, We're having problems starting an Ad Hoc ipa on an iPad with iOS 12.7.7 and 12.7.8, probably iOS 12 in general. The iPad's UUID is added to the certificate. And we don't have problems with iOS versions > iOS 12. Here is the anonymized Console Log: default 09:05:12.088994+0100 SpringBoard immediate edge swipe: failed default 09:05:12.095189+0100 SpringBoard Icon touch began: <private> default 09:05:12.096204+0100 SpringBoard Found a reasonable launch image for <private>, not pre-warming SplashBoard. Load image into the snapshot instance. default 09:05:12.117737+0100 powerd Activity changes from 0x2 to 0x1. UseActiveState:1 default 09:05:12.118572+0100 powerd hidActive:1 displayOff:0 assertionActivityValid:0 now:0xcb6 hid_ts:0xcb6 assertion_ts:0x0 default 09:05:12.145354+0100 backboardd [HID] [MT] dispatchEvent Dispatching event with 1 children, _eventMask=0x23 _childEventMask=0x3 Cancel=0 Touching=0 inRange=0 default 09:05:12.152820+0100 SpringBoard Icon tapped: <private> default 09:05:12.158236+0100 dasd Trigger: <private> is now [1] default 09:05:12.159538+0100 dasd Don't have <private> for type 1 default 09:05:12.170128+0100 trustd cert[0]: SubjectCommonName =(leaf)[]> 0 default 09:05:12.170407+0100 trustd cert[0]: LeafMarkerOid =(leaf)[]> 0 default 09:05:12.182388+0100 trustd OCSPSingleResponse: nextUpdate 0.54 days ago default 09:05:12.186084+0100 trustd OCSPSingleResponse: nextUpdate 0.62 days ago default 09:05:12.187067+0100 SpringBoard Trust evaluate failure: [leaf IssuerCommonName LeafMarkerOid SubjectCommonName] default 09:05:12.238604+0100 trustd Task <TASK_UUID_REDACTED_1>.<1> resuming, QOS(0x19) default 09:05:12.240650+0100 trustd TIC TCP Conn Start [12:0xADDR_REDACTED] default 09:05:12.241136+0100 trustd [C12 Hostname#HASH_REDACTED:80 tcp, pid: PID_REDACTED, url hash: HASH_REDACTED] start default 09:05:12.245884+0100 trustd TIC TCP Conn Start [13:0xADDR_REDACTED] default 09:05:12.246361+0100 trustd [C13 Hostname#HASH_REDACTED:80 tcp, pid: PID_REDACTED, url hash: HASH_REDACTED] start default 09:05:12.256520+0100 trustd nw_connection_report_state_with_handler_locked [C12] reporting state failed error Network is down error 09:05:12.256978+0100 trustd TIC TCP Conn Failed [12:0xADDR_REDACTED]: 1:50 Err(50) error 09:05:12.262697+0100 trustd Task <TASK_UUID_REDACTED_1>.<1> HTTP load failed (error code: -1009 [1:50]) error 09:05:12.271646+0100 trustd Task <TASK_UUID_REDACTED_1>.<1> load failed with error Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." default 09:05:12.271898+0100 trustd Failed to download ocsp response http://ocsp.apple.com/ocsp03-wwdrg311/... with error Error Domain=NSURLErrorDomain Code=-1009 "The Internet connection appears to be offline." default 09:05:12.280643+0100 SpringBoard Activating <private> from icon default 09:05:12.281399+0100 CommCenter #I CTServerConnection from pid PID_REDACTED has closed (conn=0xADDR_REDACTED) default 09:05:12.513629+0100 SpringBoard Bootstrapping com.example.myapp with intent foreground-interactive default 09:05:12.514084+0100 assertiond Submitting new job for "com.example.myapp" on behalf of <BKProcess: 0xADDR_REDACTED; SpringBoard; com.apple.springboard; pid: PID_REDACTED; ...> default 09:05:12.514909+0100 assertiond Submitted job with label: UIKitApplication:com.example.myapp[REDACTED][REDACTED] error 09:05:12.516769+0100 SpringBoard [com.example.myapp] Bootstrap failed with error: <NSError: 0xADDR_REDACTED; domain: BKSProcessErrorDomain; code: 1 (bootstrap-failed); reason: "Failed to start job"> error 09:05:12.516935+0100 SpringBoard Bootstrapping failed for <FBApplicationProcess: 0xADDR_REDACTED; com.example.myapp; pid: -1> with error: Error Domain=BKSProcessErrorDomain Code=1 "Unable to bootstrap process with bundleID com.example.myapp" default 09:05:12.517589+0100 SpringBoard <FBApplicationProcess: 0xADDR_REDACTED; com.example.myapp; pid: -1> exited. default 09:05:12.542638+0100 SpringBoard Application process state changed for com.example.myapp: <SBApplicationProcessState: 0xADDR_REDACTED; pid: -1; taskState: Not Running; visibility: Unknown> default 09:05:13.072994+0100 SpringBoard Front display did change: <SBApplication: 0xADDR_REDACTED; com.example.myapp> Is there any know problem with running Ad Hoc ipas on iOS 12? Thanks Christian