What’s new in device management
Learn about the latest management capabilities for iOS, iPadOS, macOS, and visionOS, then discover the latest changes to Apple Business Manager and Apple School Manager. We'll also share updates to Activation Lock, SoftwareUpdate, and Safari management.
Chapters
- 0:00 - Introduction
- 1:02 - Apple Services
- 7:05 - Platform updates
- 21:45 - Education enhancements
Resources
- Apple Business Essentials User Guide
- Apple Configurator User Guide for iPhone
- Apple Configurator User Guide for Mac
- Apple Platform Deployment
- Apple School Manager User Guide
- Classroom for iPad User Guide
- Classroom for Mac User Guide
- Device Management
- Device Management Client Schema on GitHub
- Forum: Business & Education
- Schoolwork User Guide
- Support - Apple Platform Deployment
Related Videos
WWDC24
Hello! I’m Mike, an engineering manager on the Device Management team. I’m excited to share what’s new this year for managing Apple devices. At Apple, our mission is to create products that enrich people’s lives, and we view our work in education and enterprise as integral to that goal. Apple devices are used in schools and offices across the globe to empower learning and productivity with users of all ages.
We want to enable IT administrators to make it easy for their users to do something great with their devices. In this session we’ll be covering the new features for IT to help them deploy and manage Apple devices, and how developers can implement these updates in their MDM and Identity solutions. First, we’ll cover what’s new in Apple Business Manager and Apple School Manager, followed by management updates to Apple platforms. And, finally enhancements to education-specific tools. Let’s begin with Apple Business Manager and Apple School Manager.
These free web-based portals for IT administrators work in conjunction with third-party MDM solutions to easily deploy devices, view inventory, purchase apps in volume, and manage user accounts. Let’s start with Deployment.
With Automated Device Enrollment, IT teams can ship devices directly to users, enroll them into MDM, customize the setup experience, and ensure they are ready to be managed, all without having to physically touch devices.
Automated Device Enrollment is available for Mac, iPhone, iPad, and Apple TV, and, this year we are excited to share that it’s coming to our newest device, Apple Vision Pro! With visionOS 2.0, IT teams will be able to automatically enroll Apple Vision Pro into MDM within the Setup Assistant, just like other Apple devices today. Organizations that have purchased Vision Pro, and associated them with their Apple Customer Number, will have access to them in Apple Business Manager and Apple School Manager.
The Device Assignment API Collection now includes values for Vision Pro. We’ll cover more details about Vision Pro later in the session. There are other updates to Automated Device Enrollment that will continue making it easier for IT teams to deploy Apple devices.
Automated Device Enrollment on macOS 15 will now support WebAuthn for web authentication. Public key cryptography simplifies and secures enrollment customization with ASWebAuthenticationSession, providing support for security keys and passkeys, ideal for organizations in highly regulated industries.
Finally, as always, check the documentation for information on new and expanded Setup Assistant skip keys. For example, the iOS Welcome key now also applies to macOS. Also take note that the SkipSetupItems array in the Setup Assistant payload is now honored on macOS.
Apple Business Manager and Apple School Manager provide a central place to view all organization-owned devices.
Let’s take a look at what’s new in Devices.
This screen provides a holistic view of the devices your organization owns. Here we can see an Apple Vision Pro listed in the device list, and an Apple Watch. Both Apple Vision Pro and Apple Watch can be automatically added to an organization at the time of purchase. Apple Watch MDM enrollment takes place during the pairing process, but there are other management features in Apple Business Manager and Apple School Manager available to organization-owned devices, such as Activation Lock. We set out to solve a common issue that we hear from IT teams everywhere. When a device is wiped or locked, Activation Lock can prevent unauthorized users from using that device.
But in some cases, Activation Lock is left on unintentionally, which means that device cannot be re-provisioned.
In Apple Business Manager and Apple School Manager, Activation Lock can now be turned off for organization-owned devices! Administrators can simply select the device, open the menu, and select Turn Off Activation Lock.
This will be available for iPhone, iPad, Mac, Apple Watch and Vision Pro, as long as the devices are in your organization.
And, this will be available for both organization and user Activation Lock. Specifically for the Mac, this means an organization can turn off Activation Lock even if the user enabled Activation Lock using their personal Apple Account before the Mac was enrolled in MDM! Those are some great updates for deployment and devices in Apple Business Manager and Apple School Manager, and next, we’ll talk about Identity. Managed Apple Accounts are a special type of Apple Account designed specifically for use in an organization, like a business or a school. They allow an organization to own both the account and the data within it, and are a key component for any deployment.
Last year we introduced significant updates to Managed Apple Accounts by bringing iCloud support to a wide range of Apple apps and services, including Continuity, Developer, and Passkeys. We believe that all organizations should adopt Managed Apple Accounts, and we are making it even easier to get started by streamlining the domain capture process, and providing more options to ensure all accounts are using your organization’s domain.
Today, when an organization wants to create new Managed Apple Accounts on their domain, they need to verify their domain. However, personal Apple Accounts can still use this domain and not be managed, unless connected to an Identity Provider, which allows blocking of new, and capturing of existing, unmanaged accounts on your domain.
New this year, IT admins will have the ability to limit new Apple Accounts created on their domain to only be Managed Apple Accounts. And for organizations that want to ensure they can manage and own all Apple Accounts using their domain, admins will now be able to capture Apple Accounts that use their organization’s domain without needing to connect to an Identity Provider.
When an organization initiates the process to capture Apple Accounts using their domain today, users are asked to choose a different email address. And while this frees up the account name to be reused, we know that many accounts were created just for work, even before Managed Apple Accounts were available. So this year, users will also have the option to convert their existing account into a Managed Apple Account. This will automatically add the account to the organization in Apple Business Manager and Apple School Manager. If they don’t take action after 30 days, the account will remain a personal account and will be renamed automatically.
Apple Business Manager and Apple School Manager are critical tools for organizations, and these features will make it easier for IT teams to manage their organization’s devices and start using Managed Apple Accounts. These same features will also be available to Apple Business Essentials customers. Next, let’s take a look at what’s new for the devices you manage. A common task across all platforms is managing software updates.
Keeping devices up to date is an essential component of managing devices in an organizational environment.
Last year, we announced the ability to enforce updates by a specific date and time. This year we’re introducing a new software update settings configuration, which will replace all legacy MDM software update management commands, profiles, and restrictions. This declaration can be used on supervised devices with iOS and iPadOS 18, and macOS 15, or later, to manage all aspects of software updates, and it adds new capabilities, including a way to change notification behavior so that notifications are shown only one hour before the enforcement time and the restart countdown, and management of beta updates.
It’s now easier than ever to manage public or AppleSeed for IT beta program participation in an organization.
The first step is that a user with the role of administrator in Apple School Manager or Apple Business Manager enrolls into AppleSeed for IT at beta.apple.com/it.
Devices can be added to the beta program at any time using an organization token. The user does not need to be signed in to Settings with an Apple Account.
Similar to software updates and upgrades, beta releases provided by those programs can be enforced and deferred on supervised devices.
And a declarative status report provides increased visibility and allows organizations to track beta program enrollments on managed devices.
Let's take a look at how a token is generated and retrieved. First, a user with the role of administrator in Apple School Manager or Apple Business Manager enrolls at beta.apple.com/it. Next, a unique token is generated for that organization and seeding period.
To retrieve the tokens, the MDM checks the OS beta enrollment tokens endpoint to discover available programs.
Similar to other service endpoints, MDM solutions must authenticate using OAuth.
And finally, the program tokens are returned to Apple Business Manager and Apple School Manager, and then to the MDM.
After enrolling a device into management, an MDM solution can use those tokens to offer, enroll, unenroll, and block supervised iPhone and iPad devices from beta programs using the Beta dictionary in the new software update declaration.
Additionally, the beta program can be set during Automated Device Enrollment in Setup Assistant starting with iOS and iPadOS 17.5 and macOS 14.5. During enrollment, the MDM solution can return an HTTP response with the 403 status code to enforce a specific beta version, and include a JSON or XML object in the response body.
The body of the response can include the RequireBetaProgram dictionary, which must contain the following keys to set the beta program: Description, which is a description of the beta program, and the Token.
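As an added example that is not part of the session or of Apple's own code, the following Python models the server side of the exchange just described: the MDM enrollment endpoint answers with an HTTP 403 whose body carries a RequireBetaProgram dictionary holding Description and Token, in JSON or XML form. The token value is a placeholder, the helper names are assumptions, and the XML form is assumed to be an Apple property list.

```python
"""Constructed example (not Apple's or any MDM vendor's code) of the
Automated Device Enrollment response that enrolls a device into a beta
program: an HTTP 403 whose body carries a RequireBetaProgram dictionary
with the required Description and Token keys, as JSON or XML.
Helper names and the token value are placeholders / assumptions."""
import json
import plistlib

# Constructed placeholder; a real token is retrieved by the MDM from the
# OS beta enrollment tokens endpoint after OAuth authentication.
EXAMPLE_TOKEN = "PLACEHOLDER-BETA-PROGRAM-TOKEN"


def require_beta_program_body(description: str, token: str, fmt: str = "json") -> bytes:
    """Build the response body.  Both required keys are validated before
    serialisation so a misconfigured server fails here rather than on the device."""
    if not description or not token:
        raise ValueError("RequireBetaProgram needs both Description and Token")
    payload = {"RequireBetaProgram": {"Description": description, "Token": token}}
    if fmt == "json":
        return json.dumps(payload).encode("utf-8")
    if fmt == "xml":
        # Assumption: the XML form is an Apple property list (plist).
        return plistlib.dumps(payload)
    raise ValueError(f"unsupported format: {fmt}")


def enrollment_response(description: str, token: str, fmt: str = "json"):
    """Return (status, headers, body) as the enrollment endpoint would emit them.
    The 403 status is what tells Setup Assistant to apply the beta program."""
    body = require_beta_program_body(description, token, fmt)
    content_type = "application/json" if fmt == "json" else "application/xml"
    return 403, {"Content-Type": content_type}, body


def parse_require_beta_program(body: bytes):
    """Client-side view of the same body: accept JSON or plist and return
    (description, token), or None when the dictionary is missing or malformed."""
    try:
        data = json.loads(body)
    except ValueError:
        try:
            data = plistlib.loads(body)
        except Exception:  # plistlib raises several error types for bad input
            return None
    block = data.get("RequireBetaProgram") if isinstance(data, dict) else None
    if not isinstance(block, dict):
        return None
    desc, tok = block.get("Description"), block.get("Token")
    if not (isinstance(desc, str) and desc and isinstance(tok, str) and tok):
        return None
    return desc, tok


if __name__ == "__main__":
    status, headers, body = enrollment_response("Pilot ring 1", EXAMPLE_TOKEN)
    print(status, headers, body.decode())
    print(parse_require_beta_program(body))
```

The parser is included because a rollout tool or test harness will usually want to round-trip the body it serves; rejecting a body with only one of the two keys mirrors the "must contain" requirement stated above.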
After the device enrolls in the beta program, subsequent beta updates will be available.
Using the available configuration options, an organization can remotely enroll different devices into different beta programs, and combined with the option to defer beta and production releases, can be used to implement a phased testing and rollout approach, starting right with the first beta release. Extensive details are provided for software update management in the new software update documentation. It can be downloaded from AppleSeed for IT.
Next, let’s explore what’s new in Safari management. Safari is the best browser for Apple devices, offering industry-leading speed and long-lasting battery life. And this year we’re making it even easier for IT professionals to manage what their users do with the app.
I’m excited to share that Safari extensions can now be managed on iOS, iPadOS, and macOS. With the new Safari extension configuration, you can: define which extensions are allowed, giving users the ability to turn them on or off; control whether an extension is always on or always off, letting IT admins choose what’s needed for their fleet; and configure extension website access by domain and subdomain. All of this also works with Safari Private Browsing! And, of course, Safari provides users with a visual indication of which extensions are managed.
Next, let’s take a look at Apple Vision Pro.
Vision Pro seamlessly blends digital content with the physical world, and brings game-changing capabilities to enterprise and education.
We’re already seeing enterprise use cases emerge across Everyday Productivity, Collaborative Design, Simulation and Training, and Guided Work. For developers, check out the "Introducing enterprise APIs for visionOS" session, to learn more about how we are enabling even more use cases for enterprise customers.
To support deployment at scale, we brought MDM to Vision Pro earlier this year with visionOS 1.1. For IT teams, it’s best to think of managing Vision Pro the same way they currently manage iPhone and iPad, as it uses the same familiar device management and infrastructure that IT uses today.
visionOS 1.1 supports two types of enrollments: Device Enrollment and User Enrollment. For both enrollment types, users simply sign in with their Managed Apple Account.
Within the Settings app, users navigate to General > VPN & Device Management, and select Sign In to Work or School Account.
Management functions and capabilities are transparent to the user, showing them what IT has configured for their device. Using either Device Enrollment or User Enrollment with a Managed Apple Account also enables data separation in iCloud Drive, Notes, Reminders, and more.
Here’s an example of data separation within iCloud Drive. The user’s personal iCloud Drive appears next to their corporate iCloud Drive, which is associated with their Managed Apple Account. Personal data, like text messages and photos always remain private even on organization-owned devices.
And, as we mentioned earlier, visionOS 2.0 adds a third enrollment type.
For organization-owned devices, Automated Device Enrollment can now be used for zero-touch deployments. Just like iPhone and iPad, this also enables supervision.
During Setup Assistant, the user sees the new Remote Management screen. This screen explains the device is owned by the organization, and prompts the user to complete MDM enrollment.
After enrollment, IT teams can configure settings and also deploy apps. The same app deployment process for iPhone and iPad can be used to deploy apps directly to devices and ensure they are managed. And for MDM developers, the Apps and Books for Organizations API now includes information about an app’s compatibility with visionOS.
Beyond Automated Device Enrollment, we are greatly expanding management capabilities for Vision Pro this year with new configurations and payloads, new MDM commands and quite a few new restrictions.
visionOS 2.0 now supports most configurations and payloads, including the Passcode policy, Domains, and Web Content Filter payloads; many new MDM commands like DeviceConfigured, DeviceLock, and various Settings sub-commands; and finally the most popular and relevant restrictions, most of which work similarly to iOS and iPadOS, including Managed Open-In restrictions, Account modification, and allowCamera, which needed a bit of reimagining for a device as camera-centric as Vision Pro. For example, when a user takes a screenshot, the background is removed and only active windows are captured.
With visionOS 2.0, we have extended management for Apple Vision Pro to support most of the MDM payloads, configurations, and commands. Managing a Vision Pro is as easy as managing an iPhone or iPad. Next, let’s talk about Mac.
Last year we added support for installing service configuration files, such as sudo, PAM, and SSH. And we encouraged the community to use that facility for their own configuration files. This year we’re adding support for executable files in service configuration files, giving admins the ability to install IT management tools and other scripts in a tamper-resistant location, all delivered in the same zip archive format.
In addition, launchd configuration files can now also be installed using the background task services configuration, providing an easy way for IT to create and control background tasks, which are also stored in a secure and tamper-resistant location.
For regulated industries, we understand being able to control what external data sources can be used on Mac computers is critical.
And this year we’re excited to introduce a new disk management configuration that allows IT admins to manage external and network storage. IT admins can choose whether external or network storage is allowed or disallowed altogether, or even choose to limit mounting to read-only volumes.
This new configuration replaces the previously deprecated media management payload, which will be removed in a future release.
With Platform Single Sign-on or Platform SSO, developers can build SSO extensions that extend to the macOS login window, allowing users to synchronize local account credentials with an identity provider or IdP.
This year expands on the capabilities of Platform SSO so you can leverage information from your identity provider in even more places. Identity provider authentication can now unlock FileVault. Login policies can now require IdP authentication across FileVault, login window, and lock screen. And stronger security options have been added, including HPKE. Let’s take a quick look at an example configuration.
Here you can see that the FileVault policy, which governs the FileVault login screen, is set to AttemptAuthentication. In this case, IdP authentication is attempted before proceeding. However, if the server is unavailable, and the user-provided credential is correct, the user will still be able to log in. For the UnlockPolicy, which controls unlocking from the screensaver, RequireAuthentication is set. That makes login from the screensaver more restrictive: a valid IdP authentication is required before proceeding, with a few specified exceptions.
Here, AllowOfflineGracePeriod is set, so if the device is offline, the OfflineGracePeriod is used to determine whether the user may proceed with a valid credential.
We also see that AllowTouchIDOrWatchForUnlock is set, which means biometrics and Watch are allowed to unlock the screensaver in lieu of IdP authentication.
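To make the decision order in this walkthrough explicit, here is an added example, a constructed Python model rather than Apple's implementation or configuration, that evaluates an unlock or FileVault attempt against a policy using the key names the session mentions (FileVaultPolicy, UnlockPolicy, AttemptAuthentication, RequireAuthentication, AllowOfflineGracePeriod, OfflineGracePeriod, AllowTouchIDOrWatchForUnlock). The Attempt fields, the helper names, expressing OfflineGracePeriod in seconds, and applying the offline grace period to any surface in RequireAuthentication mode are assumptions made for the example.

```python
"""Constructed model (not Apple's implementation) of the Platform SSO login
policies described in the talk.  It shows, for each surface, when the IdP is
consulted, when a local credential suffices, and which exceptions apply.
Field and helper names are assumptions; OfflineGracePeriod is assumed to be
in seconds."""
from dataclasses import dataclass
from typing import Tuple

# Constructed policy matching the walkthrough: attempt IdP authentication at
# the FileVault screen, require it at the screensaver, with an offline grace
# period and a Touch ID / Apple Watch exception for unlocking.
EXAMPLE_POLICY = {
    "FileVaultPolicy": "AttemptAuthentication",
    "UnlockPolicy": "RequireAuthentication",
    "AllowOfflineGracePeriod": True,
    "OfflineGracePeriod": 8 * 3600,
    "AllowTouchIDOrWatchForUnlock": True,
}


@dataclass
class Attempt:
    surface: str                   # "FileVaultPolicy" or "UnlockPolicy"
    idp_reachable: bool            # could the IdP be contacted?
    idp_result: bool               # IdP accepted the credential (only meaningful if reachable)
    local_credential_ok: bool      # credential matches the local account
    seconds_since_last_idp_auth: int
    biometric_or_watch: bool = False  # unlock via Touch ID or Apple Watch


def evaluate(policy: dict, a: Attempt) -> Tuple[bool, str]:
    """Return (allowed, reason) for one attempt under the given policy."""
    mode = policy[a.surface]

    # Exception 1: biometrics / Watch may unlock the screensaver in lieu of IdP auth.
    if a.surface == "UnlockPolicy" and a.biometric_or_watch \
            and policy.get("AllowTouchIDOrWatchForUnlock", False):
        return True, "touchid_or_watch"

    # Online: the IdP decides on both surfaces.
    if a.idp_reachable:
        return (True, "idp_accepted") if a.idp_result else (False, "idp_rejected")

    # Offline handling depends on the mode.
    if mode == "AttemptAuthentication":
        # IdP was attempted but unavailable; a correct local credential still proceeds.
        if a.local_credential_ok:
            return True, "local_credential_offline"
        return False, "local_credential_rejected"

    if mode == "RequireAuthentication":
        # Exception 2: within the offline grace period a valid credential may proceed.
        # Assumption: the grace period applies to any surface in this mode.
        if policy.get("AllowOfflineGracePeriod", False) \
                and a.seconds_since_last_idp_auth <= policy.get("OfflineGracePeriod", 0) \
                and a.local_credential_ok:
            return True, "offline_grace"
        return False, "idp_required_unreachable"

    raise ValueError(f"unknown policy mode: {mode}")


if __name__ == "__main__":
    offline_unlock = Attempt("UnlockPolicy", False, False, True, 3600)
    print(evaluate(EXAMPLE_POLICY, offline_unlock))
```

Running the model against a stale offline unlock (no IdP authentication within OfflineGracePeriod) shows the difference between the two modes: the FileVault screen still accepts the local credential, while the screensaver denies it unless Touch ID or Watch is permitted.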
Finally, just a quick note that the Profiles section has been renamed to Device Management and has been moved under General, bringing more parity with iPhone and iPad. You’ll now also find the Login Items and Extensions section in General as well. Now, let’s take a look at updates for iPhone and iPad.
We have various cellular-related improvements. We added two new restrictions that can prevent eSIM deletion. First, force preserve eSIM on erase prevents an eSIM from being removed when a device is erased locally by the user. And second, allow eSIM outgoing transfers controls whether an eSIM can be transferred to a newly set up device. Users can now touch and hold a QR code, or click on a link, to set up eSIM on a device they’re setting up, making it easier than ever for users to configure their own devices. If network slicing and per-app VPN are both configured for an app, all traffic coming from the managed app will be routed to the identified 5G network slice, while still providing the benefits of using VPN. And iOS and iPadOS 18 will support multiple Private Cellular Network payloads, enabling configuration for up to five private 5G or LTE networks.
iOS and iPadOS 18 provide new controls that allow users to lock apps by requiring Face ID, Touch ID, or a passcode, and allow users to hide apps from the home screen. Organizations will be able to manage users’ ability to use these controls in two ways: organizations can restrict locking and hiding for all apps on supervised devices, and locking and hiding can be controlled, on a per-app basis, for managed apps.
Note that hiding an app also locks it, so restricting the ability to lock an app will also restrict hiding it.
On device enrollments, hidden apps are still visible to MDM. And on user enrollments, hidden managed apps are still visible to MDM.
Stolen Device Protection adds a layer of security when your iPhone is away from familiar locations, such as home or work, by forcing a security delay of one hour to prevent a thief from performing critical operations on your iPhone, such as enrolling in MDM, manually adding an Exchange account, and manually installing passcode declarations or Exchange payloads. In iOS 18, we’ve added a special exception: enrolling in MDM on a newly set up device without any familiar locations will not cause a security delay for the first 3 hours after Stolen Device Protection is enabled.
Beginning in iOS and iPadOS 18, installing proprietary, in-house apps using a new team identity will require a restart in addition to trusting the identity in Settings. This requirement only applies to in-house apps installed without the use of MDM.
Each new team ID requires a single device restart.
Any team identities that were trusted before upgrading to iOS and iPadOS 18 will be migrated, so a restart won’t be required if the app using that identity remains installed. We covered a lot, but there are even more platform changes like restrictions for iPhone Mirroring, FaceTime Remote Control, and more. So please be sure to check the developer documentation for more information. Now let’s take a look at some enhancements specifically designed for education.
With Easy Student Sign-In, teachers signed into an iPad with their Managed Apple Account can use that device to quickly sign students into their devices. Now, with iPadOS 17.4 and macOS 14.4, we have introduced a new feature that allows teachers using Managed Apple Accounts to use Classroom with any nearby iPad and Mac devices regardless of account status.
Both Easy Student Sign-In and Unmanaged Nearby Classes in Classroom are now available in Access Management in Apple School Manager, so administrators can control these features in their institution.
Schoolwork is an iPad app that helps teachers save time, identify trends, view progress, and maximize each student’s potential. Using Schoolwork, teachers can create and send assignments, class announcements, or study reminders. And now, with Schoolwork 3.0, we are introducing new assessment and scoring workflows.
With iPadOS 17.5 and later, teachers can now send assessments by scanning or importing their existing documents. This includes Pages, Numbers, Keynote, Google Suite documents, and PDFs.
Teachers will also be able to score documents, and have the ability to analyze student performance per question.
These new assessment and scoring features will help teachers use analytics, identify trends, and create personalized learning experiences for students.
Finally, Assessment Mode allows developers to configure their apps to disable certain hardware and software features at launch to create a secure testing environment. As of iPadOS 17.6, we’re excited to bring Multi-App Mode to iPad.
This includes secondary apps such as note pads, spreadsheets, assistive apps, coding apps, and, of course, the new Calculator app for iPad. To make sure that the new Calculator app can be customized for classrooms and is test-ready for standardized and high-stakes exams, we’ve built in configuration for Assessment Mode and MDM, such as the ability to turn off Scientific mode or Math Notes. Those are just a few education updates, so please be sure to check the developer documentation and open source schema for more information.
Now let’s wrap up.
We’ve made some big improvements to domain capture in Apple Business Manager and Apple School Manager to make it easier than ever to deploy Managed Apple Accounts in your organization.
New Activation Lock features make it easier than ever to recover organization devices that have had Activation Lock inadvertently left on, whether enabled by the MDM or the user.
Using the new software update controls, you can implement a phased rollout starting right from the very first beta.
IT teams now have the ability to manage and enable Safari extensions directly from MDM, so you can customize Safari for your organization right out of the box.
And, updates in visionOS 2.0 bring the most important MDM commands, payloads, declarations, and restrictions to Apple Vision Pro. Thank you for watching! And have a great WWDC!