Note: The Apple Device Enrollment Program (DEP) is now commonly referred to as “Apple Automated Device Enrollment Program (ADE)” and exists as part of Apple Business Manager. While some of this information in this article regarding DEP is still relevant, we suggest that you read the aforementioned linked articles above to learn more.
With the advent of the Apple Worldwide Developer Conference (WWDC), Apple has made public the changes coming in both the latest release of iOS 13 and macOS 10.15 (named “Catalina”). As information is still incomplete and, at times, unspecific, we will be updating this page as we learn more.
An additional note: Though Apple has branched iPadOS off of iOS, for brevity this document uses “iOS” as the OS for iPhone, iPad, and iPod Touch.
DEP: User account setup, SAML Auth
The MDM protocol, in conjunction with the Device Enrollment Program (DEP) has supported configuration options around the initial macOS user setup process for some time. As an example, an admin can decide whether an account can be created interactively by the user. Or whether it receives an administrator or standard user permissions.
Starting with macOS Catalina, MDM can specify the primary account name and username, as well as whether the user is allowed to change it or not. This is a helpful feature for environments that have standardized username formats.
Additionally, devices can now authenticate against a third-party identity provider (IdP) using a protocol such as SAML.
The MDM protocol has been expanded to support setting and retrieving bootstrap tokens for a macOS device. Bootstrap tokens enable mobile accounts to sign in on Macs that are utilizing FileVault. In previous versions of macOS, administrators often needed to build complicated workflows for their users in order to avoid restrictions related to the SecureToken mechanism.
Optionally, the device can be instructed to require a network tether (assumed to be an ethernet connection provided through a dongle connection) in order to complete these operations.
iOS introduces a new management concept referred to as “User Enrollment“. This mode is intended for bring-your-own-device (BYOD) deployments and shifts the usual balance of IT control and user privacy towards the user.
User enrollment relies on the use of Managed Apple IDs. A Managed Apple ID is associated with a device during enrollment. Configurations, apps, and actions that are delivered by MDM are cordoned off from personal data. This protects the privacy of the user while still allowing an organization to use MDM to manage work-related functions on the device.
macOS will include limited support of Managed Apple IDs for the sake of providing the user with access to cloud-based content.
SecureBoot, remote desktop info
The MDM protocol provides informational data about devices such as battery level, current OS version, and whether a device is supervised or not. Starting with iOS 13 and macOS 10.15, two new keys are returned: The secure boot level and the external boot level.
Additionally, the device will state whether a remote desktop is enabled.
macOS activation lock
Like in iOS, macOS will now include activation lock functionality when running on computers with the Apple T2 security chip. An MDM will be able to retrieve and clear a bypass code.
Enterprise eSIM cellular plan updates
Using MDM, administrators will be able to trigger the device to refresh its eSIM plan with a carrier.
A number of new configuration profiles and additions to existing profiles can be found in iOS 10.14 and macOS 10.15.
Apple has added profiles that allow for additional SSO configurations in both iOS and macOS. These profiles associate certain domains, apps, and operations with an SSO provider. The SSO provider is specified as an app, plugin, or URL.
A feature called Associated Domains in macOS allows administrators to link an app to a service such as extensible app SSO, universal links, or password autofill.
iOS app lock can now enable or disable voice control functionality, as well as disallow the user from changing the setting.
Certificates can now be designated as not extractable from the keychain.
An administrator can selectively enable or disable the calendars, contacts, mail, notes, and reminders portions of the account, as well as whether the user is able to override these settings. ActiveSync now supports OAuth as well.
For macOS, an administrator can disable the user’s ability to delete the cache, whether alerts are displayed, and whether the cache is “kept awake”.
For iOS, the device can be restricted to only allow usage of a specified list of SIM cards (based on ICCID).
One of three WIFI Assist policies can also be specified. WIFI Assist is the iOS feature that determines when the cellular network is used in lieu of an available WIFI network due to poor WIFI coverage or service.
The wireless network configuration now allows for explicit configuration of WPA3 networks.
Privacy preferences (TCC)
Privacy preferences in macOS are being expanded to support a number of new privacy keys, including:
Input Devices (like a trackpad or keyboard)
System Policy: Desktop Folder
System Policy: Documents Folder
System Policy: Downloads Folder
System Policy: Network Volumes
System Policy: Removable Volumes
The restrictions profile has added a number of keys that the administrator can disable. These keys are for iOS supervised devices (with the exception of “Device Sleep”):
Continuous Path Keyboard
Device Sleep: Specifically for tvOS, keep the device from sleeping
Find My Device: Remove the feature from the “Find My” app
Find My Friends
WiFi On/Off (referred to in other places as “power modification”)
Administrators can now force macOS devices to automatically install macOS updates and app updates, when available.
In macOS, three dock configuration options have been added:
Double click behavior: Maximize, minimize, or do nothing
Window tabbing: Manual, always, or full screen
Show recent: disallow modification of recently used items
VPN configuration options have been expanded to include a number of new settings, allowing administrators to specify whether local networks and/or all networks are tunneled over the VPN. VPN traffic can also be tunneled at the packet or higher-level application layer.
Further configuration options have been added around certificate settings for certain VPN connection types.
Web content filter
The web content filter configuration now includes settings for a filter data provider. This appears to be for both macOS and iOS.
SimpleMDM is a mobile device management solution that helps IT teams securely update, monitor, and license Apple devices in a matter of minutes — all while staying on top of Apple updates automatically.