Apple’s annual Worldwide Developers Conference is back this year with exciting new features and OS announcements as always. Like WWDC 2020, the conference is entirely virtual this year too. We expected that it would be hard to trump WWDC 2020, where Apple revolutionized Macs with the introduction of Apple Silicon chips. At WWDC 2021, Apple delivered what we already expected – the introduction of new OS versions iOS 15, iPadOS 15 and the new macOS Monterey. These new versions come with a variety of fun and useful features like SharePlay, spatial audio, focused notifications, security and privacy updates, and many more.
For us device management geeks, the “What’s new in managing Apple devices” session was the one that got us really excited. We got a sneak peek into how Apple sees the future of device management, and of course, we rushed to share it with you.
iOS and iPadOS device management
1. Changing the way a user sees their managed account
Users can now see their managed account, VPN and the profiles installed on the device in one place in Settings. This helps the user gain a complete understanding of how their device is managed.
2. Required App
Installing apps on supervised iOS devices has always been smooth. The apps get silently installed without the need for any user intervention. What about unsupervised devices? The user would get a prompt to install the app, where they could decline to install the application. The new Required App feature allows the admin to install one application on an unsupervised device without prompting the user. User privacy is still protected, as the user has to consent to silent app installation during the initial MDM enrollment.
3. Managed Pasteboard
For iPhones and iPads, Apple has a managed open-in feature that controls the flow of data between managed and unmanaged apps. Here, any app that is installed by the MDM is considered a managed app. The new Managed Pasteboard restriction controls whether copy/paste is also governed by managed open-in. System apps such as Calendar, Notes, Mail and Files honor this restriction. Neither system nor third-party apps require any additional changes to support this feature.
4. Temporary session on shared iPad
Last year, Apple introduced shared iPad for business. To use the shared iPad, the user had to authenticate with their managed Apple ID. Temporary session on shared iPads enables anyone to use the devices.
Just as the name implies, all the user data, including Safari browsing history, modified user settings and files, is deleted on logging out. For iOS 14.5, new features have been introduced. The admin can limit the ability of the user to log in with a managed Apple ID account, so the user has to use the temporary session on the shared iPads. The admin can also configure settings to automatically log the user out after a set amount of time. The timer resets every time the home button is pressed. This ensures that the data is secure even after a period of inactivity.
Apple TV management
iPhones, iPads and Mac computers use Bonjour to discover Apple TV. The introduction of a new security feature in tvOS 15 prevents the broadcasting of MAC addresses over Bonjour. Due to this change, PIN prompts in Apple TVs can no longer be blocked. For seamless deployments, Apple has introduced the option for filtering Apple TV device names in the Remote widget. This would prevent any unwanted pairing prompts.
Device management for macOS Monterey
Removable System Extensions
Apple has introduced a new feature called RemovableSystemExtension. This allows an app to remove its own system extension, say when the app uninstalls itself. This is useful in Mac computers with no admin user since the admin password is not required to remove the system extension in this case.
At WWDC 2020, the ability of Mac computers running Apple Silicon to install iOS and iPadOS apps was one of the coolest features announced. Now, the admin can check whether a Mac supports the installation of these apps or not. Apple has also announced support for managing iOS-style provisioning profiles in macOS Monterey.
Some other features exclusive to Apple Silicon
- Enhanced remote device lock that enables the admin to send a six-digit pin, message and phone number to the device. It would result in the reboot of the device and present this provided information to the user. The user can use the Mac only on entering the PIN. Providing the PIN would reboot the Mac with all device data intact. This is not all. Apple foresaw that even with the remote lock in place, rebooting to recovery could allow for unintended data access. To prevent this, Apple has introduced a new feature to set a recovery password. This password must be entered by the user before rebooting into recovery. The admin can set and remove the password only by using the MDM solution. If a user disenrolls from the MDM, the recovery password would be removed. If the Mac is erased, both the device lock PIN and the recovery password would be removed from the device. Hence, it is best to use these features in conjunction with Activation Lock.
- Erase all content and settings for Mac – This feature is supported on all Mac computers with Apple Silicon or the Apple T2 security chip.
- A new restriction to limit the users from erasing their managed Mac computers.
In this session, Graham mentioned some other cool features in passing like declarative management and Apple Configurator for enrolling macOS devices. In addition to the general session on device management, this time, there were deep-dive sessions into important features:
New features for Apple Configurator
Apple Configurator is a widely used tool to configure and deploy iOS, iPadOS and tvOS devices. Additionally, it can be used to add devices to Apple Business Manager or Apple School Manager (ABM or ASM). Blueprints are used to apply the same configuration to devices in bulk. Apple Configurator can also be used to perform software updates as well as to purchase books.
Pradhap Natarajan from Apple’s device management team unveils the latest updates on Apple Configurator.
macOS support – Extending reach
Configurator originally supported iOS and tvOS. Its inability to configure macOS devices was one of its few shortcomings. Apple has finally released support for macOS, extending Configurator to all of its commonly used devices. There are two actions for configuring Mac devices, beginning with models that have a T2 security chip.
Restore is used to set up a device without preserving the user data. This makes it the perfect choice before handing the device over to a new user. This option installs the latest version of the recoveryOS and restores the firmware. This action also updates macOS to the latest version for Apple Silicon.
The Revive action is used to recover a Mac device while preserving the user data. If your Mac device were to run out of battery during a system update, Revive would be a suitable action to perform. This option also updates your firmware and recoveryOS to the latest version.
If your Mac device was purchased via an Apple-supported channel, then it can be added to ABM/ASM via Configurator. By assigning the devices to an MDM server, the enrollment and configuration process is simplified. Once the device is rebooted, it configures itself according to your specified settings.
Configurator on iOS – Wireless deployment
To use Configurator, you had to walk around with a Mac device and a cable. That is no longer the case. Apple Configurator is now available on iPhones too. Just log in with your managed Apple ID and use your camera to scan the image that pops up in the Setup Assistant on your Mac device.
Apple configurator for iPhone
Image source: Apple WWDC 2021
There are two icons in the Configurator app: Settings and View status. Settings can be used to configure which network the Mac device uses, unless it is already connected over Ethernet. The View status option prepares a report that lists all Mac devices that can be assigned, or have been assigned, to your organization.
Organizations are no stranger to using Apple Configurator for deploying their iPhones, iPads and Apple TVs. The ease of deploying and installing configurations has always been a point of attraction for Apple admins. The only major drawback was that we couldn’t enroll Mac computers using this method, and this time, Apple has addressed that too.
Improve MDM assignment of Apps and Books
In an organization, assigning the essential apps and books to employee devices is a pretty important process, especially on Apple devices. Procuring the various apps and books via the current API is not exactly optimized. However, the latest updates to this API have made it a lot more efficient. There are dozens of changes to this API, but we’ll be focusing on two of them. These two updates contribute the most to improving your experience.
Getting real-time updates is really useful, since manually checking task progress is time-consuming. Then again, we don’t need notifications for everything; you’d be swarmed, and finding the ones you really need under the clutter is an even bigger task. With Apple’s real-time notifications, you can subscribe to specific notifications. This also eliminates the need to perform a sync all the time.
When we deploy apps or books to devices in bulk, we cannot know which apps were installed on which devices, or even whether the apps were installed on all devices, until a confirmation is received. Say an app got deployed to a thousand devices. Waiting for a thousand confirmations before proceeding sounds like a huge wait. With the new real-time notifications feature, we can stay updated on the assignment progress.
Assets are the apps or books which are purchased from Apple Business Manager or Apple School Manager. Managing the assets on your employees’ devices is super easy now. You can know the real-time status of assets in every device; whether they are purchased, transferred or refunded.
When you need to assign content to a user, they must first have an associated Apple ID. In order to associate a registered user with an Apple ID, an invitation must be accepted by the user. With the updated API, it is possible to know in real time whether a user was created, updated, associated or retired.
Before the update, if you were to make a request to manage a few apps, Apple would perform this action while you waited for a synchronous response. Now the requests and responses are independent and are handled in separate sessions. This is known as asynchronous processing, which results in optimized processing and efficient handling of requests.
Austin explaining about asynchronous processing
Image source: Apple WWDC 2021
Asynchronous processing is a win-win for everyone: employees or students, who get their content; IT admins, who wish to deploy assets in bulk; and anyone who wants to effectively manage all the organization’s assets.
Managing Software Updates in your organization
Managing software updates is a significant part of Apple device management. Updates mean the latest security enhancements and the newest features. Every organization has its own software update policy. Users are rarely trusted to handle the updates on their own. This year, Apple has promised quite a few improvements for managing software updates with an MDM solution like Hexnode.
What should we be looking forward to?
1. Deploy updates using the OS version
Hexnode users may already be aware that admins can delay the OS updates for their devices anywhere from one to ninety days. The OS updates are deferred this way so that admins have the time to test an update before deploying it in bulk. This method did not differentiate between major and minor updates. Now, the admin can choose to delay major releases for longer than minor releases. The advantage of this feature is that the users get to benefit from important security updates while the admin tests the major updates. The admin also has the option to delay the minor or the supplementary updates.
2. Automated non-interactive updates for Mac computers with Apple Silicon
Software updates are often annoying to the end-user. Imagine your system getting restarted due to an update right in the middle of an important meeting! In macOS Monterey, this issue is resolved. The admin can schedule and perform updates at a later time when the device is not in use.
3. Enforce a maximum number of deferrals before a forced update
Once the admin has made the update available for the user, it is not desirable that the user cancels or defers the update. In macOS Monterey, the admin can specify the number of times the device should prompt the user to install before enforcing the update. The user sees a notification that shows the remaining number of attempts before a forced install.
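The two controls described in points 1 and 3 above, as an added example that is not Apple’s or Hexnode’s code: a Restrictions payload that holds major releases longer than minor ones, and a ScheduleOSUpdate command that caps user deferrals. The key names are Apple’s documented MDM keys; the payload identifier and the product key used in testing are constructed sample values.

```python
import plistlib
import uuid


def check_days(name, days):
    """Reject deferral windows outside the 1..90-day range Apple accepts."""
    if not 1 <= days <= 90:
        raise ValueError(f"{name} deferral must be 1-90 days, got {days}")
    return days


def deferral_restrictions(major_days, minor_days, non_os_days):
    """Restrictions payload: hold major releases longer than minor ones so
    security patches still reach users while the major release is tested."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.updates",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "forceDelayedMajorSoftwareUpdates": True,
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": check_days("major", major_days),
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": check_days("minor", minor_days),
        "forceDelayedAppSoftwareUpdates": True,
        "enforcedSoftwareUpdateNonOSDeferredInstallDelay": check_days("non-OS", non_os_days),
    }


def schedule_update_command(product_key, max_deferrals):
    """ScheduleOSUpdate command: InstallLater lets the user postpone the
    install; MaxUserDeferrals caps how many times before it is forced."""
    if max_deferrals < 0:
        raise ValueError("max_deferrals must be non-negative")
    return {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "ScheduleOSUpdate",
            "Updates": [{
                "ProductKey": product_key,
                "InstallAction": "InstallLater",
                "MaxUserDeferrals": max_deferrals,
            }],
        },
    }


def roundtrip(payload):
    """Serialize to the XML plist an MDM server sends, then parse it back."""
    return plistlib.loads(plistlib.dumps(payload))
```

Pairing a long major-release deferral with a short minor one keeps security fixes flowing while the new major version is still under test.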
We are very excited about all these changes and we look forward to seeing how these changes will improve the device management capabilities of organizations worldwide.