Update 8/23/18: Added privacy preferences, setup assistant, notifications, and restrictions updates.
At the Apple Worldwide Developer Conference, Apple shared new features to expect in iOS 12, macOS 10.14, and tvOS 12. This article focuses specifically on the mobile device management (MDM) features that are to be released.
We will be updating this document as information becomes available leading up to the release of these new OS versions. Since details are sometimes thin, we’ve provided our best interpretation of the information available.
We suggest bookmarking this page and checking back often.
The restrictions payload will add support for enabling or disabling the following:
Password auto-fill: A “require authentication before auto-fill” option will also be available.
Proximity setup: Prevent sharing WiFi passwords with “nearby devices” and Safari passwords with AirDrop.
USB restricted mode: Alternatively, USB accessories can be allowed while a device is locked.
Remote pairing: A whitelist of allowed devices can be specified.
Critical alerts: These alerts are shown regardless of Do Not Disturb mode and integrate with CarPlay, where possible.
Automatic date and time: The administrator can force this to be enabled. Requires supervision.
Managed Open In for Contacts: Restrict managed apps to only be able to read from managed Contacts. Conversely, restrict unmanaged apps from reading managed Contacts. Requires supervision.
Additionally, automatic date and time can be forcefully enabled without the option to disable.
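The following added example (not from Apple or SimpleMDM) audits an unsigned configuration profile for several of the restrictions listed above. The key names and defaults are those of Apple's Restrictions payload (`com.apple.applicationaccess`) and do not appear in this article; the baseline values, the sample profile, and its identifiers are assumptions made for the example.

```python
import plistlib

# Assumed baseline (a policy choice for this example, not from the article):
# key -> (value we want, value in effect when the key is absent).
# Key names come from Apple's Restrictions payload, com.apple.applicationaccess.
BASELINE = {
    "forceAuthenticationBeforeAutoFill": (True, False),
    "allowPasswordProximityRequests": (False, True),
    "allowPasswordSharing": (False, True),
    "allowUSBRestrictedMode": (True, True),  # False lets USB accessories connect while locked
    "forceAutomaticDateAndTime": (True, False),
}
RESTRICTIONS = "com.apple.applicationaccess"

# Constructed sample profile (unsigned); identifiers are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS,
        "PayloadIdentifier": "com.example.restrictions.ios12",
        "forceAuthenticationBeforeAutoFill": True,
        "allowPasswordSharing": False,
        "allowUSBRestrictedMode": False,
    }],
})

def audit_restrictions(profile_bytes):
    """Return (payload id, key, effective value, 'explicit'|'default') per baseline miss."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS]
    if not payloads:
        raise ValueError("no restrictions payload in profile")
    findings = []
    for payload in payloads:
        for key, (wanted, default) in BASELINE.items():
            # A missing key is not neutral: the OS default applies, so report it too.
            source = "explicit" if key in payload else "default"
            effective = payload.get(key, default)
            if effective != wanted:
                findings.append((payload.get("PayloadIdentifier", "?"), key, effective, source))
    return findings

if __name__ == "__main__":
    for finding in audit_restrictions(SAMPLE_PROFILE):
        print("%s: %s = %r (%s)" % finding)
```

A signed profile is wrapped in a CMS envelope and must be unwrapped before it can be parsed this way.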
Exchange accounts utilizing OAuth will be configurable by MDM. Administrators will be able to optionally allow users to override admin-specified S/MIME settings for mail and Exchange accounts.
iOS will also allow administrators to:
Enable/disable encryption by default
Block signing certificate selection
Block encryption certificate selection
iOS and macOS will allow the administrator to specify the OS version that a device should update to. Previously, an OS version could not be specified.
Apple is expanding the functionality of managed open-in, a security feature used to restrict file transfers between managed and unmanaged apps. For one, the Contacts API, which apps use to access information in the Contacts database, will respect the managed open-in restrictions. No further specifics have been provided at this time.
Administrators will be able to specify how notifications should be grouped together in the UI. For instance, notifications can be configured to group by app, by an automatic setting that allows the app to decide, or not at all.
Additionally, notifications can be disabled while in CarPlay mode.
Like iOS, macOS will include support for the password auto-fill and password sharing restriction options. macOS will also support OAuth Exchange account setup and the ability to specify a version number for managed OS updates.
The macOS enrollment and setup assistant process is simplified to match the iOS enrollment process.
A new mechanism for installing macOS packages using MDM, named “InstallEnterpriseApplication”, will become available. Notably, it will allow MDM vendors to provide more security around the package delivery process.
Administrators can enable or disable “Show recents in Dock” and block the user from changing this setting.
A message can optionally be specified to display when a device is locked.
Administrators may control the settings that are displayed in the “Privacy” tab of the “Security & Privacy” pane in System Preferences.
macOS 10.14 introduces Dark Mode and, as a result, adds an additional configuration screen to the Setup Assistant that allows users to enable it. The DEP and MDM protocols have been extended to allow administrators to skip this screen for their deployment.
Starting in tvOS 12, tvOS apps can be managed using MDM in conjunction with an Apple VPP account. Additionally, tvOS will add support for managed OS updates.
tvOS will add support for restrictions and configurations currently found in iOS. Specifically:
Home screen layouts
Restrictions that include AirPlay settings and media content ratings and restrictions.
A whitelist of iOS devices that can run the TV remote app for a given device.
A whitelist of devices that can pair remotely.
Administrators will be able to configure devices to skip the “Choose Your Look” setup assistant screen.
On a tangential note, Apple has also released Apple Business Manager ahead of their OS software updates. In a nutshell, Apple Business Manager unifies the Apple DEP and VPP portals and adds additional Apple business functionalities.