Apple’s big mid-year software event, the Worldwide Developers Conference, typically unveils the first details of upcoming products and new operating systems, and sets the stage for major hardware and software announcements. WWDC’19 was no exception.
The consumer features announced were all quite interesting, especially dark mode in iOS 13 and the new App Store for Apple Watch. The most noteworthy features, however, aren’t limited to consumers: the event had plenty of news for enterprise IT too.
Apple debuted its new OS versions: iOS 13, macOS 10.15 Catalina, tvOS 13 and watchOS 6, along with the new iPadOS 13, a dedicated operating system for iPads now separated from iOS.
Setting the consumer features aside, let’s dive into the enterprise features discussed in the ‘What’s new in managing Apple devices’ session of WWDC.
One of the most exciting announcements during the ‘What’s new in managing Apple devices’ session was the introduction of a new enrollment method called user enrollment, built specifically for BYOD devices. Until now, Apple offered IT only two ways to manage devices: basic device enrollment, or automated device enrollment via Apple DEP. This new enrollment option is meant to meet an organization’s requirement to secure sensitive corporate data without compromising employee privacy.
User enrollment has three main features:
- A Managed Apple ID that stands alongside the personal Apple ID.
- The cryptographic separation between personal and work data.
- Limited management capabilities over the personal apps and data.
The user authenticates with the Managed Apple ID during the enrollment process, after which the corporate apps and accounts use the Managed Apple ID’s iCloud account. A managed APFS volume is created at enrollment time to separate work data from personal data. This volume uses separate cryptographic keys, which are destroyed along with the volume once the device is unenrolled.
Here is the list of what IT can and can’t do on a device that’s enrolled via User Enrollment.
- IT can’t find out which personal apps are installed on the device, and so cannot restrict the use of particular apps.
- User enrollment doesn’t support a full device wipe command. For Exchange, only an account-only remote wipe that removes the managed data is possible.
- With per-app VPN, traffic from built-in apps goes through the corporate VPN only if the destination domain matches the business’s domain.
- The admin won’t receive the UDID or any other persistent identifier for the user’s device. Instead, there is a new identifier called the enrollment ID, which is destroyed once the enrollment ends.
- MDM has no option to clear the passcode to unlock the device. The only passcode policy that can be enforced is a six-digit passcode; no more complex passcode requirement can be applied.
- User enrollment doesn’t support any of the supervised-only restrictions, and some of the basic restrictions are unsupported as well.
This new enrollment mode is a step towards a better balance of concerns, maintaining user privacy while keeping corporate data protected.
ABM and ASM enhancements
Following the success of the Apple Business Manager (ABM) and Apple School Manager (ASM) programs, Apple is officially ending support for the Apple Deployment Programs by the end of this year. There are a lot of updates coming to the ABM and ASM platforms:
Managed Apple IDs for business
Businesses can create Apple IDs for their employees, giving them access to services like iCloud Drive and iCloud Notes. The option was previously available only in Apple School Manager, where schools could create Apple IDs for their students to give them access to iCloud services. Now Apple has extended this option to enterprises too. Managed Apple IDs have become more relevant with the advent of the user enrollment method: in user enrollment, the Managed Apple ID is the user’s work identity, created by the admin from Apple Business Manager/Apple School Manager. Businesses can also federate with Microsoft Azure Active Directory to create Managed Apple IDs in Apple Business Manager/Apple School Manager.
Custom apps in ASM
The custom apps feature, formerly known as B2B apps, was available only in Apple Business Manager. It lets organizations distribute apps to their own employees as well as to other companies. Custom apps are now supported in Apple School Manager as well.
Supervision and Mandatory enrollment
Apple had already announced last year that supervision and management would become mandatory with DEP enrollment, and this time it is actually going to be enforced. If you are using automated device enrollment, those devices will be supervised, and MDM enrollment will be mandatory.
Single sign-on extension
The single sign-on extension allows users to seamlessly log in to apps and websites with the security of Face ID and Touch ID. This improves the authentication experience: the user doesn’t have to sign in repeatedly to the apps and websites the organization wants them to use frequently. Users who do not use passwords can still authenticate through single sign-on.
Apple will provide device management documentation that clearly highlights the changes introduced in each OS release and lists the platforms on which a given payload is supported. And with the same Apple ID you use to sign in to ABM/ASM, you can sign in to AppleSeed for IT to get all the new software releases, documentation and test plans.
Other MDM updates
Apple has deprecated some restrictions and announced support for some new payloads and restrictions. Support was added for the WPA3 security type in the Wi-Fi payload on iOS, macOS and tvOS, covering both personal and enterprise authentication. Token-based authentication for APNs was also introduced. Major updates for each platform include:
iOS 13 and iPadOS 13
- Some unsupervised restrictions, such as iCloud backup, iTunes access and use of FaceTime, are deprecated and transitioning to supervised-only.
- New supervised restrictions were introduced, including the new QuickPath keyboard, modifying Find My Friends, Find My iPhone, and modifying Wi-Fi (whether Wi-Fi is on or off).
- Desktop-class browsing on iPad – With desktop-class Safari, Apple is essentially changing Safari’s user agent to the desktop version to provide a full desktop experience, so the iPad will be identified as a Mac. This may impact your MDM product if you use the User-Agent string to distinguish between iPad and Mac to customize the UI or the enrollment flow.
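To illustrate the User-Agent pitfall above, here is an added example (not code from the original post or from any MDM product): a legacy UA-only classifier files an iPadOS 13 desktop-class Safari request as a Mac, while the replacement treats a Macintosh UA as ambiguous and resolves it from the product identifier the device itself reports during enrollment. The UA strings and product identifiers are constructed samples, and `product_id` is an assumed input that your enrollment flow must obtain from the device rather than from the browser.

```python
from typing import Optional

# Constructed sample User-Agent strings (illustrative shapes, not captured from devices).
UA_IPAD_IOS12 = ("Mozilla/5.0 (iPad; CPU OS 12_3 like Mac OS X) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/12.1 Mobile/15E148 Safari/604.1")
UA_MAC_CATALINA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 "
                   "(KHTML, like Gecko) Version/13.0 Safari/605.1.15")
# iPadOS 13 desktop-class Safari presents a Mac-style UA, so the two are identical here.
UA_IPAD_IPADOS13 = UA_MAC_CATALINA


def legacy_platform_from_ua(ua: str) -> str:
    """Pre-iPadOS-13 logic: decide iPad vs Mac purely from the User-Agent string."""
    if "iPad" in ua:
        return "ipad"
    if "Macintosh" in ua:
        return "mac"
    return "unknown"


def platform_from_ua(ua: str) -> str:
    """Treat the UA as a hint only: a 'Macintosh' UA may be a Mac or an iPad."""
    if "iPad" in ua:
        return "ipad"
    if "Macintosh" in ua:
        return "mac-or-ipad"
    return "unknown"


def resolve_platform(ua: str, product_id: Optional[str]) -> str:
    """Resolve the ambiguity from the device's self-reported product identifier.

    product_id is assumed to be the value the MDM learns from the device itself
    during enrollment (constructed examples: 'iPad8,1', 'MacBookPro15,1'). Only
    when it is absent do we fall back to the UA hint, and never to a hard 'mac'.
    """
    if product_id:
        if product_id.startswith("iPad"):
            return "ipad"
        if product_id.startswith(("Mac", "iMac")):
            return "mac"
    return platform_from_ua(ua)


if __name__ == "__main__":
    print("legacy:", legacy_platform_from_ua(UA_IPAD_IPADOS13))      # mac (wrong)
    print("hint:  ", platform_from_ua(UA_IPAD_IPADOS13))             # mac-or-ipad
    print("final: ", resolve_platform(UA_IPAD_IPADOS13, "iPad8,1"))  # ipad
```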
macOS Catalina 10.15
- Apple Remote Desktop can be enabled and disabled via MDM. Options such as observe and control, which are needed for ongoing management of these Macs through Remote Desktop, can also be configured.
- Removable accounts can be used on Macs with FileVault. MDM servers can manage a new bootstrap token: the server asks the client Mac for the bootstrap token, and whenever a new user signs in on that Mac, the Mac requests the bootstrap token from the MDM server and uses it to generate the secure token needed to boot the Mac.
- Enabling FileVault via MDM now requires user-approved MDM enrollment.
- An option to clear Activation Lock via MDM was added, just as on iOS. It uses the same endpoint and API as iOS.
- Managed software updates.
- Force automatic date and time.
- Content caching for screen savers.
There are many more updates than a single blog post can cover.
With each new update of Apple’s OS platforms, new and exciting enhancements provide improved experiences for both personal and professional use. All the announcements made at WWDC’19 offer much-needed management capabilities and are sure to take Apple device management to the next level.