If you've been following WWDC, you know there are many good things coming our way when looking at managing iOS/iPadOS and macOS using MDM. One of the most exciting new features coming is the ability to add mac devices to ABM/ASM using Apple Configurator on an iPhone.
These are my notes from WWDC21, things that I think will benefit all of us working with Apple in MDM. What are you most excited about?
Discover account-driven User Enrollment
- Managed Apple ID
  - In iOS 15 and macOS Monterey, Managed Apple IDs support iCloud Drive
- User Enrollment improvements across platforms
  - Control copy & paste between the personal area and the managed (work) area
  - Specify one app that's required to be installed. This will not prompt the user as it's handled during enrollment
- Onboarding
  - Enroll by setting up an account on the device, providing a more user-driven than MDM-driven enrollment
  - The user is verified before the enrollment profile is downloaded
- Ongoing authentication
  - Require the user to re-authenticate at any point
What’s new in managing Apple devices
iOS/iPadOS
- VPN & Device Management settings are now combined, giving a complete overview of what's being managed
- You'll be able to install ONE required app without prompts on non-supervised devices; users agree to this during enrollment
- Managed pasteboard, a new restriction that controls whether paste is affected by Managed Open In. Apps require no changes to use this feature; as usual, apps installed via MDM are managed and user-installed apps are not
- Shared iPad for business, temporary session (no Managed Apple ID)
  - New keys
    - TemporarySessionOnly
    - TemporarySessionTimeout
    - UserSessionTimeout
macOS
- System extensions
  - RemoveableSystemExtension – allows an app to deactivate its own system extension, for example when the app uninstalls (no admin password required to disable the extension)
- Kernel extensions
  - RestartDevice command
    - RebuildKernelCache – rebuilds the kernel cache on reboot
    - KextPaths – allows MDM to install an app and load the KEXT without the need for the user to launch the app before rebooting
    - NotifyUser – displays a reboot notification to the user to let them gracefully reboot their device (can be used outside of KEXT policies)
- When an InstallApplication command is sent to an Apple Silicon Mac and the app is an iOS app, iOSApp is set to true (exclusive to Apple Silicon)
- Enhanced device lock command
  - Set a 6-digit PIN
  - Lock screen message (optional)
  - Phone number (optional)
- Set recovery lock
  - You'll be able to set a password via MDM that has to be entered before the Mac can boot to recovery
  - The password can only be set and removed via MDM
  - Recommended to run in conjunction with Activation Lock
- Just like with iOS, in macOS Monterey you'll be able to use Erase All Content and Settings; this can be disabled using restrictions in MDM
  - Supported on Apple Silicon and T2
  - Current system volume preserved
  - Apple Silicon security settings reset
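To make the new macOS command keys concrete, here is an added example (not Apple's code or any MDM vendor's) that serialises the RestartDevice and enhanced DeviceLock commands from the notes as MDM command property lists, with the 6-digit PIN rule enforced before anything is sent. The CommandUUID/Command/RequestType envelope is the standard MDM command shape; the sample KEXT path and lock message are constructed values.

```python
import plistlib
import uuid
from typing import Optional, Sequence


def _envelope(command: dict) -> bytes:
    """Wrap a command dictionary in the standard MDM command envelope and serialise it as a plist."""
    return plistlib.dumps({"CommandUUID": str(uuid.uuid4()), "Command": command})


def build_restart_device(kext_paths: Sequence[str] = (), notify_user: bool = True,
                         rebuild_kernel_cache: bool = True) -> bytes:
    """RestartDevice with the macOS Monterey keys: RebuildKernelCache, KextPaths, NotifyUser."""
    command = {"RequestType": "RestartDevice", "NotifyUser": notify_user}
    if rebuild_kernel_cache:
        command["RebuildKernelCache"] = True
        # KextPaths only has an effect when the kernel cache is rebuilt on reboot
        if kext_paths:
            command["KextPaths"] = list(kext_paths)
    return _envelope(command)


def build_device_lock(pin: str, message: Optional[str] = None,
                      phone_number: Optional[str] = None) -> bytes:
    """Enhanced DeviceLock: mandatory 6-digit PIN, optional lock-screen message and phone number."""
    if len(pin) != 6 or not pin.isdigit():
        raise ValueError("macOS DeviceLock PIN must be exactly 6 digits")
    command = {"RequestType": "DeviceLock", "PIN": pin}
    if message:
        command["Message"] = message
    if phone_number:
        command["PhoneNumber"] = phone_number
    return _envelope(command)


def decode_command(payload: bytes) -> dict:
    """Parse a serialised command back into its Command dictionary (what the device would see)."""
    return plistlib.loads(payload)["Command"]


if __name__ == "__main__":
    # Constructed sample path, not a real product's KEXT
    restart = build_restart_device(kext_paths=["/Applications/Example.app/Contents/Library/Extensions/example.kext"])
    print(decode_command(restart))
    print(decode_command(build_device_lock("123456", message="Return to IT (constructed sample)")))
```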
Meet Declarative Device Management
Today the MDM protocol can be described as imperative and reactive: each workload takes time and requires multiple round trips between the device and the MDM server, which in turn affects the performance of the MDM solution. Apple has re-envisioned the MDM protocol and introduces Declarative Management, which brings policy management to the device itself. This is a new paradigm but not a new protocol; it's built into the existing MDM protocol, starting with iOS (User Enrollment).
- Autonomous and proactive, the foundations of Declarative Management
  - Autonomous
    - The device reacts to its own state changes and applies management logic to itself without server prompting
  - Proactive
    - A status channel asynchronously reports to the MDM server when state changes occur, so the MDM server no longer needs to poll devices
Manage devices with Apple Configurator
Using an iPhone running iOS 15 and the new Apple Configurator for iPhone app, Macs with Apple Silicon or a T2 chip running macOS Monterey can be added to ABM/ASM.
- Apple Configurator for iPhone, assign Macs to ABM
  - Sign in with a Managed Apple ID and configure the app
  - Bring the iPhone close to the Mac and scan using the iPhone camera
  - The Mac is assigned in ABM
  - NO CABLE
Move beyond passwords
- Security keys in apps
  - Available for all macOS and iOS apps
  - Part of the ASAuthorization API
  - Especially useful in high security contexts
- Passkeys in iCloud Keychain (technology preview)
  - Powered by WebAuthn
  - Backed by iCloud Keychain
Meet TestFlight on Mac
TestFlight will be available on macOS allowing developers to push apps to a group of test users before publishing widely on the App Store, coming this fall.
- Install beta apps
- Auto updates
- Share feedback
- Native Mac app
- iOS apps on Apple Silicon
Improve MDM assignment of Apps and Books
Updates to the Apps and Books Management API provide faster access to content for users and devices (apps acquired in ABM, etc.). This needs to be implemented by the MDM vendor. The enhanced API means we can work with large volumes of apps within minutes instead of hours.
- Real-time notifications
  - State changes
  - Assignments
  - Assets
  - Registered users
- Asynchronous processing
Manage software updates in your organization
New for macOS Monterey is the ability to force updates to be installed: once a user has deferred the update the number of times specified by MDM, the update will install.
New for iOS is the option to set RecommendationCadence. This means you'll be able to configure whether iOS should remain at, for example, iOS 14 instead of 15 but still install minor updates. The Software Update pane in Settings will behave differently depending on which RecommendationCadence setting you use:
- If RecommendationCadence is set to 0, you're able to install either the latest major release like iOS 15 or a minor update like 14.6
- If RecommendationCadence is set to 1, only minor updates can be installed
- If RecommendationCadence is set to 2, the software update with the highest number can be installed, i.e., 14.6 -> 15
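As an added illustration (my own model, not Apple's implementation), the three RecommendationCadence behaviours above can be expressed as a filter over the updates a device would otherwise be offered; running it against a constructed list of versions shows exactly which update the Software Update pane would surface under each setting before a policy is pushed.

```python
from typing import List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '14.6' into (14, 6) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def offered_updates(cadence: int, current: str, available: List[str]) -> List[str]:
    """Return the versions Software Update would offer under the given RecommendationCadence.

    0: the latest major release and the latest minor update of the current major
    1: only the latest minor update of the current major (stay on e.g. iOS 14)
    2: only the update with the highest version number (e.g. 14.6 -> 15)
    """
    cur = parse_version(current)
    # Only versions newer than what the device already runs are candidates
    newer = sorted((v for v in available if parse_version(v) > cur), key=parse_version)
    if not newer:
        return []
    highest = newer[-1]
    same_major = [v for v in newer if parse_version(v)[0] == cur[0]]
    minor: Optional[str] = same_major[-1] if same_major else None
    if cadence == 0:
        # De-duplicate: when the highest version is itself a minor update, offer it once
        return sorted({v for v in (minor, highest) if v}, key=parse_version)
    if cadence == 1:
        return [minor] if minor else []
    if cadence == 2:
        return [highest]
    raise ValueError("RecommendationCadence must be 0, 1 or 2")


if __name__ == "__main__":
    # Constructed sample catalogue, not Apple's actual release list
    catalogue = ["14.5", "14.6", "14.7", "15.0"]
    for cadence in (0, 1, 2):
        print(cadence, offered_updates(cadence, "14.5", catalogue))
```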