New MDM Features in Apple macOS 10.14, iOS & tvOS 12

Last updated April 19, 2019

Update 8/23/18 – Added privacy preferences, setup assistant, notifications, and restrictions updates.
Update 7/31/18 – Added link to InstallEnterpriseApplication article.
Updated 7/3/18 – Added macOS device lock message.
Updated 6/19/18 – Added DEP, Dock notes. Clarified Proximity setup.
Updated 6/18/18 – Added S/MIME & Contacts API information

At the Apple Worldwide Developer Conference this past week, Apple shared new features to expect in iOS 12, macOS 10.14, and tvOS 12. This article focuses specifically on the mobile device management (MDM) features that are to be released.

We will be updating this document as as information becomes available leading up to the release of these new OS versions. Since details are sometimes thin, we’ve provided our best interpretation of the information available.

We suggest bookmarking this page and checking back often.

iOS 12 Updates

Restrictions

The restrictions payload will add support for enabling or disabling the following:

• Password auto-fill. A “require authentication before auto-fill” option will also be available.
• Password sharing
• Proximity setup. Prevent sharing WiFi passwords with “nearby devices” and Safari passwords with AirDrop.
• USB restricted mode. Alternatively, USB accessories can be allowed while a device is locked.
• Remote pairing. A whitelist of allowed devices can be specified.
• Critical alerts. These alerts are shown regardless of Do Not Disturb mode and integrate with CarPlay, where possible.
• Automatic day and time. The administrator can force this to be enabled. Requires supervision.
• Managed Open In for Contacts. Restrict managed apps to only be able to read from managed Contacts. Conversely, restrict unmanaged apps from reading managed Contacts. Requires supervision.

Additionally, automatic date and time can be forcefully enabled without the option to disable.

Email / Exchange

Exchange accounts utilizing OAuth will be configurable by MDM. Administrators will be able to optionally allow users to override admin-specified S/MIME settings for mail and Exchange accounts.

iOS will also allow administrators to:

• Enable/disable signing
• Enable/disable encryption by default
• Block signing certificate selection
• Block encryption certificate selection

Managed OS Updates

iOS and macOS will allow the administrator to specify a specific OS version for a device to update to. Previously, an OS version could not be specified.

Managed Open-In

Apple is expanding the functionality of managed open-in, a security feature used to restrict file transfers between managed and unmanaged apps. For one, the Contacts API, which apps use to access information in the Contacts database, will respect the managed open-in restrictions. No further specifics have been provided at this time.

Notifications

Administrators will be able to specify how notifications should be grouped together in the UI. For instance, notifications can be configured to group by app, by an automatic setting that allows the app to decide, or not at all.

Additionally, notifications can be disabled while in CarPlay mode.

macOS 10.14 Updates

Restrictions, Email, OS Updates shared with iOS

Like iOS, MacOS will include support for the password auto-fill and password sharing restriction options. macOS will also support OAuth Exchange account setup and the ability to specify a version number for managed OS updates.

Device Enrollment

The macOS enrollment and setup assistant process is simplified to match the iOS enrollment process.

Software Package Installations

A new mechanism for installing macOS packages using MDM, named “InstallEnterpriseApplication”, will become available. Notably, it will allow MDM vendors to provide more security around the package delivery process. Read about this feature in depth: Explained: InstallEnterpriseApplication MDM Command.

Dock Payload

Administrators can enabled or disable “Show recents in Dock” and block the user from changing this setting.

Device Lock

A message can optionally be specified to display when a device is locked.

Privacy Preferences

Administrators may control the settings are are displayed in the “Privacy” tab of the “Security & Privacy” pane in System Preferences.

Setup Assistant

MacOS 10.14 introduces Dark Mode, and as a result, adds an additional configuration screen to the Setup Assistant that allows users to enable it. The DEP & MDM protocol have been extended to allow administrators to skip this screen for their deployment.

tvOS 12 Updates

VPP App Management and OS Updates

Starting in tvOS 12, tvOS apps can be managed using MDM in conjunction with an Apple VPP account. Additionally, tvOS will add support for managed OS updates.

Restrictions and Configurations

tvOS will add support for restrictions and configurations currently found in iOS. Specifically:

• Home screen layouts
• Restrictions that include AirPlay settings and media content ratings and restrictions.
• A whitelist of iOS devices that can run the TV remote app for a given device.
• A whitelist of devices that can pair remotely.

DEP Updates

Administrators will be able to configure devices to skip the “Choose Your Look” setup assistant screen.

Apple Business Manager

On a tangental note, Apple has also released Apple Business Manager ahead of the their OS software updates. In a nutshell, Apple Business Manager unifies the Apple DEP and VPP portals and adds additional Apple business functionalities. We’ve covered the specifics in our article What is Apple Business Manager?

What’d We Miss?

If we’re missing something, tell us about it in the comments below. We’ll add it to the article and give you credit.