
WWDC 2025: Apple’s Big Leap in Device Management

Aurelia Clark

Jun 12, 2025



Another June, another WWDC – and once again, Apple didn’t disappoint.
With every keynote, we’ve come to expect a wave of innovation, and this year’s WWDC 2025 was no different.
From the moment the event kicked off, it was clear that Apple had IT administrators and MDM developers firmly in mind.
This year’s announcements reflect Apple’s continued focus on simplifying large-scale deployments and improving the user experience across all Apple platforms.
So, whether you’re an IT admin managing thousands of Apple devices or an MDM developer building the next big thing in enterprise mobility, this year’s announcements are packed with features that will make your life easier.
Here’s everything you need to know about what Apple announced for device management at WWDC 2025.

Managed Apple accounts get smarter

Apple Business Manager (ABM) and Apple School Manager (ASM) are once again at the center of Apple’s enterprise services push—and this year, they’re smarter than ever.
Building on last year’s ability to lock domains and claim ownership of associated Apple IDs, Apple has now added a new capability. Admins can download a complete list of personal Apple IDs using the organization’s domain, making it easier to identify and guide users through the transition to managed accounts.
To make the process smoother, Apple’s also expanded its Access Management capabilities. Organizations can now prevent personal Apple IDs from signing into corporate-owned devices, even during Setup Assistant. This restriction applies universally across devices without needing MDM, making enforcement easier for IT.

Tip for IT: Start by locking your domain to block new personal accounts, then roll out account capture and federation.

Also worth noting:

Once an account is updated to a Managed Apple Account, users gain access to services provisioned by the organization – like the newly introduced Apple Notarization, which lets internal teams notarize macOS apps using managed credentials.

Expanded device inventory insights

Apple is giving IT teams deeper visibility into the data available for every managed device in their fleet.

This year, inventory includes:

  • Activation Lock status
  • Storage capacity
  • IMEI and EID for cellular devices
  • Bluetooth and Wi-Fi MAC addresses on iPhones and iPads (coming later this year)
  • AppleCare coverage details
  • Release metadata: who released the device, and when

For organizations managing large device fleets or relying on MAC-based access controls, these additions can significantly streamline device auditing, servicing, and reporting.

New APIs for ABM and ASM

Apple is finally opening up ABM and ASM to programmatic interaction with the introduction of ABM/ASM APIs for organizations.

The first release includes endpoints for:

  • Fetching device inventory
  • Assigning devices to MDM servers
  • Checking batch activity statuses

Getting started requires an API account (available to Admins and Site Managers), and the creation of a private API key for integration with custom apps or third-party tools.

This is a long-awaited win for IT automation and systems integration.

Automated device enrollment gets a boost

Apple has expanded support for Automated Device Enrollment (ADE) to include Vision Pro via Apple Configurator for iPhone.

During setup, admins can bring an iPhone near Vision Pro to pair and instantly enroll it into their ABM or ASM instance, just like with iPads or Macs. VisionOS now also supports Setup Assistant skip panes for faster onboarding.

For devices that can’t use ADE, Apple’s account-driven enrollment just got simpler. Instead of configuring a DNS redirect manually, MDM servers can now provide the service discovery URL themselves. If Apple can’t find a DNS entry, it falls back to the MDM-provided URL.

With these changes, organizations can now fully automate enrollment flows for both corporate-owned and BYOD devices.
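The lookup order described above, as an added sketch that is not code from Apple or from any MDM vendor: it checks a service discovery document before trusting it and only falls back when the user's domain serves nothing. The well-known path and the `Servers`/`Version`/`BaseURL` keys come from Apple's account-driven enrollment documentation rather than this article; the `fetch` callable, the host allowlist and every URL used with it are assumptions, and the fallback is a simplified model of the behaviour described here.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/com.apple.remotemanagement"
KNOWN_VERSIONS = {"mdm-byod", "mdm-adde"}


def validate_discovery(doc_text, allowed_hosts):
    """Return the enrollment servers from a discovery document, or raise."""
    doc = json.loads(doc_text)
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        raise ValueError("document has no Servers array")
    result = []
    for entry in servers:
        if not isinstance(entry, dict):
            raise ValueError("server entry is not an object")
        version, base = entry.get("Version"), entry.get("BaseURL", "")
        url = urlsplit(base)
        if version not in KNOWN_VERSIONS:
            raise ValueError(f"unknown enrollment version: {version!r}")
        # Enrollment must never be steered to plain http or an unexpected host.
        if url.scheme != "https" or url.hostname not in allowed_hosts:
            raise ValueError(f"BaseURL not an approved https host: {base!r}")
        result.append((version, base))
    return result


def discover(user_id, fetch, mdm_provided_url, allowed_hosts):
    """Try the domain's well-known resource, then the MDM-provided URL."""
    domain = user_id.rsplit("@", 1)[-1].lower()
    for source, url in (("domain", f"https://{domain}{WELL_KNOWN}"),
                        ("mdm-provided", mdm_provided_url)):
        if url is None:
            continue
        body = fetch(url)  # hypothetical fetcher: text, or None if nothing is served
        if body is not None:
            # A document that exists but is invalid fails closed: no fallback.
            return source, validate_discovery(body, allowed_hosts)
    raise LookupError(f"no service discovery document for {domain}")
```

Failing closed on an invalid domain document is a deliberate choice in this sketch: a broken or tampered first source should surface as an error instead of silently switching enrollment servers.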


MDM server migration, made easy

Switching MDM servers used to mean wiping devices or asking users to jump through hoops. Not anymore.

Apple has introduced device management migration in ABM and ASM, allowing IT teams to reassign devices (iPhones, iPads, and Macs) to a new MDM server without starting from scratch.
Now admins can:

  • Set migration deadlines
  • Notify users about upcoming changes
  • Trigger automatic reassignment when the deadline hits

The new MDM server takes over Activation Lock and rotates FileVault keys securely. IT can preserve apps and data by using the await device configured setting, which avoids productivity interruptions.
This is a major improvement for large orgs undergoing MDM transitions.

Declarative management takes the lead

Apple is going all-in on Declarative Device Management (DDM), and the traditional MDM update commands are officially on their way out.

What’s new:

  • Now supported across all platforms, including iOS 26, iPadOS 26, macOS Tahoe, tvOS, and visionOS.
  • Improved software update control: IT can declaratively configure update deferrals, set enforcement deadlines, and define update windows – all handled directly on the device.
  • Status channel reporting: Devices report compliance automatically, reducing the need for server-side polling.

Unlike legacy MDM, DDM allows devices to self-enforce policy, work reliably offline, and scale more efficiently across large fleets.

Heads up: Traditional MDM software update commands are still functional for now, but they’re officially marked for deprecation. Migration to DDM is strongly encouraged.
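To make the declarative update deadline concrete, here is an added example, not code from Apple or from this article's author, that builds a software update enforcement declaration and models how a server could classify a device against it. The declaration type and the `TargetOSVersion`, `TargetLocalDateTime` and `DetailsURL` keys come from Apple's published DDM schema rather than this page; the identifier, the `ServerToken` derivation and the `device_state` helper are assumptions for illustration.

```python
import hashlib
import json
import re
from datetime import datetime

ENFORCE_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
# Device-local wall-clock time: no "Z" and no UTC offset allowed.
LOCAL_DT = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
DT_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_version(text):
    """Turn '26.0.1' into (26, 0, 1) so versions compare numerically."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"not a dotted OS version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def build_enforcement(target_os, deadline_local, details_url=None):
    """Build the declaration an MDM server would publish for a deadline."""
    parse_version(target_os)
    if not LOCAL_DT.fullmatch(deadline_local):
        raise ValueError("deadline must be local time, YYYY-MM-DDTHH:MM:SS")
    datetime.strptime(deadline_local, DT_FORMAT)  # rejects impossible dates
    payload = {"TargetOSVersion": target_os, "TargetLocalDateTime": deadline_local}
    if details_url is not None:
        if not details_url.startswith("https://"):
            raise ValueError("DetailsURL must use https")
        payload["DetailsURL"] = details_url
    # Assumed scheme: the token changes whenever the payload changes.
    digest = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
    return {
        "Type": ENFORCE_TYPE,
        "Identifier": "example.softwareupdate.enforce",  # hypothetical identifier
        "ServerToken": digest[:16],
        "Payload": payload,
    }


def device_state(declaration, installed_os, device_local_now):
    """Server-side view of one device: compliant, pending, or overdue."""
    payload = declaration["Payload"]
    if parse_version(installed_os) >= parse_version(payload["TargetOSVersion"]):
        return "compliant"
    deadline = datetime.strptime(payload["TargetLocalDateTime"], DT_FORMAT)
    now = datetime.strptime(device_local_now, DT_FORMAT)
    return "overdue" if now >= deadline else "pending"
```

Because the deadline is evaluated in each device's local time, a fleet spread across time zones reaches it at different absolute moments, which is why the builder rejects a timestamp carrying `Z` or an offset.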

Safari management gets declarative

Safari settings are now fully supported under Declarative Device Management (DDM), bringing more control and consistency to browser configuration.

Here’s what’s new:

  • Bookmarks can now be preconfigured and deployed to managed devices.
  • Default homepage settings can be enforced, ensuring users always start on the intended site.
  • Safari restrictions, previously part of the legacy restrictions payload, have now been consolidated under the DDM schema.

This update brings Safari management in line with other DDM-managed settings, simplifying deployment and reducing configuration overhead for IT admins.

New capabilities in return to service

Previously, when preparing a device for return to service, it was completely wiped clean – all personal data, apps, and settings from the previous user were removed.

Now, with the latest update, iPhone and iPad can preserve managed apps when they are reset. User data is still wiped exactly as before, but the apps remain. This eliminates the need to re-download apps, saving valuable time.

This feature is enabled with a new key in the cloud configuration.

Here’s how it works:

  • The device is set to pause after reset and wait for instructions before it’s fully ready.
  • While in this paused state, you install the apps you want to keep after the reset.
  • The system takes a “snapshot” of the installed apps – like a list of what’s there.
  • When the device is reset, it erases user data but keeps the apps from the snapshot.

After the reset, you send a command (like Install Application or Managed App) to regain management of the preserved apps.

And it doesn’t stop there – Return to Service is coming to visionOS as well!

Once configured for return to service, Vision Pro will show a “Reset for Next User” option in Control Center. When tapped, a 10-second countdown begins. You simply remove the headset and set it aside – it will automatically reset after that.

These new updates ensure a super-fast turnaround between users, with no need for IT teams to manually reset or reinstall apps.

Update to app management

The new app management update gives IT teams greater control over how apps are handled on iPhones and iPads. Previously, apps would update automatically, which could be risky for mission-critical apps that need to be tested before updates are applied.

Now, organizations can define update behavior for each app individually. This means IT can choose to enforce or disable automatic updates, or even pin an app to a specific version to ensure stability. The status channel provides real-time updates on app installation progress and version details, helping admins monitor everything more closely.

These enhancements to app management make it easier for organizations to manage apps securely and efficiently across all their devices.

Simplified app management for Mac

Apple is making it easier for IT teams to manage apps on Macs with the upcoming macOS Tahoe update. Here’s what’s new:

  • Apps and packages can now be installed using Declarative Device Management.
  • IT teams can choose whether an app is required (must be installed) or optional (user can choose).
  • A status channel keeps the server updated with the progress of app installations.

Later this year, Apple is also bringing the ManagedAppDistribution framework to Mac. This will allow MDM developers to create self-service app portals, enabling users to install approved apps on their own.

Simplified sign-in with Platform SSO

Previously, Platform SSO was set up only after a Mac had already been configured with a local user account. This meant users had to complete the initial setup process before registering with their organization’s identity provider. With the latest update, Apple has streamlined this process by integrating Platform SSO directly into the Setup Assistant during Automated Device Enrollment.

Now, when a Mac is being set up, users are prompted to authenticate with their identity provider right away, and they cannot proceed without completing this step. Once authenticated, the Mac is automatically enrolled in device management, and if the identity provider is federated with Apple, the user is also signed into their Managed Apple ID.

A local account is then created with a password that is either synced with the identity provider or securely set using a Secure Enclave–backed key.

Introducing authenticated guest mode

Apple has introduced a new feature called Authenticated Guest Mode, designed for shared-use Macs in environments like schools, hospitals, and retail. This mode allows users to log in directly from the Mac’s login screen using their cloud identity, such as a work or school account, with authentication via a password or SmartCard. Once logged in, users benefit from Single Sign-On (SSO), giving them instant access to apps and websites. When they log out, all session data is automatically wiped, keeping the device clean for the next user.

The keynote may be over, but the updates are just getting started.

WWDC 2025 has more in store – with upcoming sessions, deeper insights, and exciting new features still to come.

We’ll keep updating this blog as new announcements roll out, so stay tuned!
