What’s new in managing Apple devices

♪ ♪ Patrick: Hi, I'm Patrick, an engineer on the Device Management team. Together with my colleague Jonathan, I'm delighted to share with you the new features we have for managing Apple devices. We love seeing Apple devices being used every day at work and school. Whether this is to teach a subject to a class or enabling and simplifying business workflows. We want to help IT administrators to make it easy for their users to do something great with their devices. In this session we'll be covering many of the new features that will help you to manage and deploy at scale. Many will be covered in this section, but before we dive in, I want to highlight a few other sessions that cover areas where we've additionally made significant improvements.

Managed Apple IDs became more powerful and versatile this year with updates to Continuity, Apple Wallet, and iCloud Keychain. And IT administrators get additional controls to make it easier for their users to sign in to the apps and services they need at work. A Managed Apple ID can also be used in more places to enroll a device while keeping personal and work data separated. And to allow even more organizations to leverage those benefits, we are also adding OpenID Connect support in Apple School Manager and Apple Business Manager. This allows federation with any identity provider supporting this protocol. Be sure to check out session "Do more with Managed Apple IDs" to learn more. With the addition of iCloud Keychain to Managed Apple IDs and new Declarative Device Management configuration options, businesses can now go passwordless with passkeys. Our dedicated session "Deploy passkeys at work" provides more information on that topic. Declarative device management has been significantly enhanced and supports new ways to deploy applications, certificates, and on macOS, even manage common service configuration files. Software Update takes advantage of declarative device management and now allows IT administrators to enforce software updates to specific deadlines with improved user transparency. Watch session "Advances in declarative device management" for in-depth details. And this year, we are expanding device management to Apple Watch. Apple Watch can now be enrolled into MDM, supporting even more institutional use-cases. The session "Discover watchOS management" has more details on how it works and what you can do. For this session we'll focus on how macOS can support organizations to more easily meet their security requirements and how you can use your identity provider in even more places, how iOS and iPadOS are better supporting common use-cases and what's new with cellular networks. Throughout the session we will also discover how Apple Configurator can help to reduce manual steps and increase automation. Let's get started with macOS. To tell you all about it, I'm going to hand over to my colleague Jonathan. Jonathan: Thank you, Patrick. Hi, I'm Jonathan Broskey, an Engineer on the Device Management team. I'm really excited to be here today to tell you about some awesome new device management features in macOS 14. Starting with Automated Device Enrollment. This is a great way to provide a seamless enrollment and setup experience for your users. However, we understand that organizations want to ensure certain security configurations are in place even before the Mac is enrolled and the user logs in for the first time. For example, organizations want to make sure FileVault is turned on, the device is on a specific version of the operating system, and enrolled in MDM. We have some great improvements to the Automated Device Enrollment process this year. Starting with FileVault. macOS 14 allows MDM to require FileVault enablement right during Setup Assistant. IT administrators can chose whether to show the FileVault recovery key during Setup Assistant or optionally escrow it to MDM. Additionally, MDM can require the device to be on a specific operating system version in order to enroll. This ensures that devices are on the necessary OS version before being put into production. The MDM will send a JSON 403 response when the device requests the enrollment profile. If the minimum operating system version is needed, the user will be guided through a process of updating their Mac. Restarts will be performed automatically. Once completed, the Mac returns to Setup Assistant and the user can finish the enrollment and setup process.

Lastly, we have added safeguards to ensure the user completes Automated Device Enrollment once a network connection is established.

Currently, in the case where the Mac is not connected to a network during the initial setup, the MDM enrollment is skipped. A notification will appear requesting to be enrolled. This year, we have changed the entire user experience by launching into a full screen Setup Assistant. After a network is connected, the user will be presented with "Setup Assistant" giving them two options: continuing the enrollment, or "Not Now" which will allow the user eight hours before they will be required to enroll in MDM. Something to note, that user can still enroll at any time by going to System Settings. Now with the changes to macOS 14, the user and the IT administrator can ensure that the data is secure, the device is on the proper operating system, and the device is managed in MDM. We think you're really going to like these new additions to Automated Device Enrollment. Now that the device is configured, and enrolled in MDM, you will need access to your Applications and Websites. User authentication is an important aspect to ensure only authorized individuals get access to their corporate data. However, oftentimes this requires different digital identities. Platform Single Sign-On helps with this. In macOS Ventura, Platform Single Sign-On made it possible to authenticate once with an account from the organization's Identity Provider and get access to all services a user should have access to. This year, we are taking Platform SSO even further with exciting new capabilities that allow users to use their corporate identity in even more places in macOS. System Settings can now show the status of Platform SSO. You can repair your registration or reauthenticate with your Identity Provider. Many organizations that use shared devices also want to create new users at login. Platform SSO now also supports on-demand creation of a local account, when a new user authenticates at the login window using a credential from their organization's Identity Provider. It's enabled by using a shared device key that allows the device to maintain a trusted connection to the Identity Provider independent of a specific user. Certain requirements need to be in place for the local account creation to happen. The Mac needs to be able to connect to the Identity Provider. The device also needs to be at login window with FileVault unlocked. The organization's MDM must support Bootstrap Tokens. If all of those conditions are met, users can use their Identity Provider username and password or SmartCard to create an account. With this new support, SmartCards can now be used to authenticate at the login window and screen saver. After authentication, Identity Provider groups can be used to assign user permissions. The MDM profile can define which access level will be used: standard user permissions, administrator privileges, or permissions defined by the group membership. The same profile can also define how identity provider groups map to local groups on the Mac. With network authorization, we expand the concept of group management to users which do not have a local account and allow them to be used at authorization prompts.

Bear in mind that non-local users cannot be used for authorization prompts specifically asking for the current logged in user, or require a user with SecureToken or ownership rights. Let's look at an example of how this could be configured. In this Extensible SSO profile, Platform SSO group membership is configured in the new Platform SSO dictionary. Group membership is applied to local users when the UserAuthorization mode is Groups. The same groups are also used for network accounts when EnableAuthorization is true. For AdministratorGroups, if the local or non-local user is part of a group listed in this array, they can be used at admin authorization prompts.

AuthorizationGroups are specific groups used to grant access to otherwise restricted rights as defined by the authorization database. In this example, the user gets the ability to modify printer configurations in System Settings, without requiring administrative privileges. An entry in the AdditionalGroups array creates a local group if it doesn't exist and makes it available in the local directory service. In this example, sudo is configured to use this group. Another part of user authentication is password management. I'm excited to touch on a few additions we have made in this area. Securing passwords is essential in a corporate or educational environment. Some environments have more complex password requirements than what can be configured with the existing options. This year we are adding even more flexibility by allowing password policies to be defined as regular expressions. Since regular expressions can be difficult to work with, you should still use existing password policy options whenever possible. We have also added stronger Password Compliance management. For macOS 14, we've changed the way Password compliance is communicated. When a stricter password policy is installed, a notification will be displayed advising that the user's password may not be compliant. The notification will only appear if the password may not meet the installed payload policy. Compliance will be checked during the next time the user logs in, and if the password is not compliant, a notification will be displayed. The user will be given an option to change now or change later. If the user decides to change the password at a later time, the same notification will be shown every time the user logs in until the password is compliant. Now let's take a look at some new restrictions that help secure your Mac even further. Sometimes organizations want to restrict what settings users or administrators can configure on their Mac. In the past, entire System Preference panes were hidden to fulfill this requirement. With the introduction of System Settings, we were able to implement a granular management approach. Instead of hiding entire panes, the administrator can restrict modifications of a specific setting which now shows a label about its management state. Now in macOS 14, new restrictions prevent users from modifying Apple ID Logins and Internet Accounts, adding local user accounts, and many more, like preventing Time Machine Backups. Last year we introduced Managed Device Attestation, a security feature that uses the attestation capabilities of the Secure Enclave. A device provides strong evidence about itself when making a request. Managed Device Attestation means legitimate devices reliably access resources, and attackers are foiled. It does this by providing these assurances about the device. This is a building block that only provides security benefits if the deployment model built around managed devices use attestations properly. Here are some deployment models to consider for your organization. This first model proves the device's identity to the MDM server and does not involve other servers. There is an ACME server integrated into the MDM server, which issues certificates only for MDM purposes. The MDM server also uses DeviceInformation attestation to keep tabs on the device's properties. In this model it is important to use both the ACME attestation and the DeviceInformation attestation to know all about the device it is managing to make sure the security requirements are addressed. The second model puts the most authority on the ACME server. The ACME server performs trust evaluation starting with properties' attestation, and decides whether to issue a certificate or not. The issued certificate can contain whatever your organization needs. Subsequent servers that the device connects to, also known as relying parties, don't need to perform any additional tasks. With the third model, the ACME server doesn't perform trust evaluation. Instead, it simply copies the device properties from the attestation into the issued certificate. It's up to the relying parties to perform their own trust evaluation. Something to note, you can combine concepts from each model to suit your environment. And this year, I am so happy to announce that we've brought Managed Device Attestation to macOS! Just like iOS, it supports all the features of Managed Device attestation. Also on macOS, ACME attestation provisions hardware-bound keys based upon those same reliable device properties. As a reminder, hardware-bound keys are stored in the data protection keychain. These keys can be used with services such as VPN, 802.1x, Kerberos, Exchange, and MDM. For more information on how Managed Device attestation works, please visit last year's WWDC session, "Discover Managed Device Attestation.” We are also adding new properties to the attestation certificate, which include SIP Status, secure boot status, and whether third-party kernel extensions are allowed. We are also adding new properties for all platforms that support Managed Device Attestation. The new attributes will attest: the low-level boot loader version, operating system version, and Software Update Device ID. A new Secure Enclave Enrollment ID property associates the attestation with an enrollment. If two different attestations have the same ID, you have strong evidence that those attestations came from the same device. If the device unenrolls and reenrolls, the IDs change. Different servers can prove they are communicating with the same device by comparing Secure Enclave Enrollment IDs. None of these new properties are device-identifying, so they are available for all enrollment types. We have covered a lot, from Configuration Profile Updates to New Restrictions, but there's even more management updates to discover. Now, let's take a look at the enhancements we have made to Application management.

Applications installed via MDM have been supported for years. macOS Big Sur introduced managed applications which support configuration and feedback, automatic removal on unenrollement, and the ability to remove the application via MDM. Previously, for an application to be manageable, the package must contain a single application that is installed into /Applications. With macOS 14, we are expanding that functionality of the InstallApplication command to allow the package to install multiple Applications. Any application the package installs into /Applications will be considered managed, and can be removed individually via MDM. Something to note, content installed outside of /Applications will not be tracked, so we strongly recommend using self-contained applications. Wow, we have covered a lot of awesome macOS updates, I am now going to hand it over to Patrick to talk to you about some enhancements coming to iOS and iPadOS. Take it away, Patrick.

Patrick: Thank you, Jonathan. I'm delighted to cover some exciting enhancements we have made to managing iOS and iPadOS devices. In many deployments, devices are handed from one user to the next on a fairly frequent basis. Although devices can be erased remotely, getting them back into service is a manual process, as it requires someone to physically touch them and take them through Setup Assistant. This year we are removing the additional manual step with the introduction of Return to Service for iOS and iPadOS. This is how it works: The MDM server sends an Erase command to the device. The command includes additional information which allows the device to reset, securely erase all data, connect to Wi-Fi, enroll into MDM, and get back to the Home Screen, ready to be used. To implement this behavior, an additional dictionary can be added to the EraseDevice command. This dictionary needs to include the profile of a Wi-Fi configuration to allow the device to connect to, once erased. As an alternative, the device can also connect to the Internet by different means, like a tethered connection. Secondly, the dictionary should include a profile with the necessary enrollment information. In case the device is registered in Apple School Manager or Apple Business Manager, this profile can be omitted, which triggers the device to check for an enrollment profile during activation. As part of the process, the previously selected language and region get applied.

I now want to touch on a couple of enhancements which we think will be specifically relevant for educational organizations. Getting a class started can be a stressful process for the teacher. They have to ensure everyone's signed in and ready to go. This is even more challenging for larger classes. To make the process of signing in easier and quicker, we are introducing easy student sign-in.

To initiate the sign-in flow, the teacher needs to be signed into their managed Apple ID. Additionally, the student needs to have their iPad open to the iCloud sign-in view within Settings. iPads are brought close to each other and the teacher's iPad opens up a sign-in proximity card. The teacher taps on "Continue to Sign In Student." The proximity card transitions to a camera scan on the teacher's iPad and the view on the student's iPad changes to a particle cloud. The teacher then scans the particle cloud. The teacher continues on to the student selection process. The teacher can either select a class to see the current student roster, or, they can instead use the search bar to look up a student they had in mind. In this illustration, the teacher taps on the "Mathematics" class. A list of students in the selected class is appropriately shown. The teacher then subsequently selects Allison to sign in to the student iPad. After the iPad is set up, the teacher gets a successful confirmation and the student iPad is signed in successfully. To use the streamlined login process, multiple prerequisites need to be in place. First, the teacher and student need to be part of the same Apple School Manager location. Second, both devices need to be in physical proximity of each other. And lastly, if the students are using personal devices, they first need to authorize the teacher in a new prompt to enable this functionality. We have also made it easier to log into a Shared iPad. With the new AwaitUserConfiguration, an MDM solution can keep the device in the login process after user authentication until all necessary configurations have been applied. This is similar to a process already available on devices using Automated Device Enrollment and does require for the MDM server to release the device from this state via a specific MDM command. To streamline the login flow even further, MDM solutions can make use of the new 'SkipLanguageAndLocaleSetupForNewUsers' key which prevents the device from showing the respective selection screens during the first log on, and instead applies the system defaults. In case a Shared iPad is used by temporary users only, the device now honors the quota configuration for this temporary user. This allows IT administrators to reserve sufficient space to assign new apps and content while a user is logged in. Now we shift gears and are going to look at another key element of many iPhone and iPad deployments: cellular connectivity. We know that many organizations are looking forward to leverage the great new capabilities that private 5G and LTE networks have to offer. Common use cases include providing network connectivity in large areas where Wi-Fi may not be available or feasible. Since last year, iPad devices have supported private LTE and non-standalone 5G networks with the ability to install eSIMs through device management. We are adding the same features to 5G-capable iPhone models and on both platforms, the ability to connect to private standalone 5G networks. Searching and associating with a private network requires an active SIM and can be an energy consuming task. Specifically, when the network is not available. Thanks to our tight integration of hardware and software, we were able to create a power efficient method to enable the SIM only when needed. This allows organizations to define a set of geolocations that the device monitors, and if it enters one of them, only then will the SIM of the private network get activated. Based on network quality measurements, iPhone and iPad devices intelligently select the best cellular SIM for data connectivity. As an optional value, an organization can also define that a device prefers the private network even over a potentially available Wi-Fi network. We are also adding 5G network slicing support. This allows individual managed apps to be assigned to a network slice which may provide specific network capabilities and characteristics to optimize the app experience. The assignment is done using the new CellularSliceUUID app attribute in either the MDM app installation command or declarative app configuration. The string value of the network slice to put into the key needs to be provided by the supporting carrier. Something to note is that 5G network slicing will not be used if either the specific app or the entire device is configured to use a VPN. To conclude our updates on connectivity, I'm excited to make you aware of a new way to provide secure access to enterprise network resources: relays. Relays are secure proxies that are natively supported on iOS, iPadOS, macOS, and tvOS. If you're using a VPN to access your enterprise resources, relays are an alternative that can provide a better user experience and are easier to manage. Relays can be configured by an MDM with a new profile payload type, without needing to install an app, or can be configured using the NERelayManager API in the NetworkExtension framework. These configurations can apply to managed apps, domains, or the entire device, and can be used in conjunction with iCloud Private Relay to enhance user privacy while accessing enterprise resources. To learn more about this great new built-in way to secure your traffic, please watch session "Ready, set, relay: Protect app traffic with network relays." There are many more new configuration possibilities like requiring a minimum version during automated device enrollment. In addition to the ones common with macOS, there are also some platform-specific enhancements like configuring 802.1X authentication for ethernet networks on iOS, iPadOS, and even tvOS and allowing tap-to-pay applications to be used more easily and securely. Just as a reminder, in a future release, we will execute on previously announced deprecations. We will remove the APN payload, as well as top-level cellular keys from the DeviceInformation query. Please use the com.apple.cellular payload and ServiceSubscriptions response instead. Again, in a future release we will also change the listed restrictions to require supervision. In addition, some will only apply to a personal Apple ID logged in on the device. There is even more I haven't had a chance to talk about, like added VPN support on Apple TV. Please be sure to check out the documentation for all the details. We additionally have exciting news about Apple Configurator for iPhone. Since its introduction, Apple Configurator for iPhone has been used by many IT administrators to add devices to their Apple School Manager or Apple Business Manager organizations. Adding a device is a two-step process. First, the device needs to be added to the organization.

Secondly, a user with the role of Device Enrollment Manager needs to sign in to the web portal and assign the device to the correct MDM server. This year, we are allowing users to automatically assign each device to an MDM server right in Apple Configurator. The user has three options to choose from for assigning devices; don't assign to an MDM server, assign to the default MDM server configured for its type, for example Mac or iPad, or assign to one of the organization's MDM servers. The list of available MDM servers is provided automatically after the user signs in with their Managed Apple ID. Let's take a look at Apple Configurator for Mac as well. It's a great tool for configuring iOS and iPadOS devices and helps perform actions on multiple tethered devices at once. This year we are making those workflows even more automated with the addition of Shortcut actions. Using Shortcuts, IT administrators can build powerful custom shortcuts with Apple Configurator's actions. We are adding Shortcut actions to update, restore, erase, and prepare iPhone and iPad devices. Shortcuts can be triggered to run when a device attaches or detaches. If you combine those additions with actions an MDM provides, you will have a very powerful automation toolbox. Let's look at an example of a simple shortcut that leverages Apple Configurator actions. Here, we see a basic shortcut for provisioning an iPad. First, we reset the device and install the latest version of iPadOS. The device then uses Automated Device Enrollment to enroll in MDM and can take the device completely through Setup Assistant, eventually landing it on the Home Screen. Because the Mac is sharing its internet connection and has content caching enabled, commands are received from the MDM server and apps begin to install quickly. Once done, the shortcut updates the MDM server with the asset tag number from a separate csv file. Once you perfect your shortcut, you can use new Shortcuts settings in Apple Configurator to run it every time you attach or detach a device. If you're an MDM developer, we think it's important to provide easy integration with Shortcuts. Your customers will want to easily interact with your MDM server to send commands from your product to the device. They will also want to send information, like an asset tag number, back to your product to update a device's information. We can't wait to see what you will do with the new possibilities! This concludes our updates on iOS and iPadOS. We've covered many enhancements during this session, so let's take a moment to recap. As Jonathan has mentioned, macOS provides new options to organizations to ensure devices are in the desired state. We also covered great new ways to create and manage local user accounts based on your identity system. Managed Device Attestation comes to the Mac and gets additional attributes on all supported platforms. And for iOS we have looked at an easy way to put a device back into service and great enhancements to classroom setups and Shared iPad. We also spoke about increased support of private cellular networks on both iPhone and iPad. We additionally looked at how Apple Configurator streamlines the process of registering devices, and its new options to create powerful automations. We can't wait for you to use the great new management capabilities, and we look forward to your feedback. Thank you very much for joining us. ♪ ♪