New MDM features in macOS 11 Big Sur & iOS 14

SimpleMDM|June 29, 2020

The Apple Worldwide Developer Conference (WWDC) started this week, and Apple has made public the changes coming in both the latest release of iOS 14 and macOS 11 (named “Big Sur”).

True app “management” for macOS

Current app management in macOS is a far cry from the experience in iOS. For instance, an app can be installed via MDM in macOS today, but there is no mechanism for marking that app as managed or for uninstalling it. Apple indicates that, as of macOS 11, the app management experience will be much more similar to what it is in iOS today.

Apple also indicates that macOS apps can now include configurations, much as iOS apps can include managed application configurations.

Lights out management for Mac Pro

macOS 11 will include a plethora of information and control MDM commands for lights-out management (LOM) of devices. Presumably, Apple will include LOM functionality embedded in the hardware of new Mac Pro computers, allowing administrators to initiate remote power-on, restarts, and other out-of-band management activities.

To use LOM, administrators will need to deploy a dedicated macOS machine local to the Mac Pros that are to be managed. LOM will then be available for the Mac Pros via MDM.

Automated enrollment improvements

tvOS has supported a feature called auto-advance for some time now. This feature allows an admin to set up an Apple TV without having to click through the Setup Assistant screens. To start this process, the Apple TV is connected to ethernet so that setup may be orchestrated by Apple Configurator running on a computer on the same network.

As of 11.0, macOS will support this setup mode, or something similar, allowing a computer to transition from unboxing and power-on to the sign-in screen with no additional interaction. This will work in tandem with Automated Device Enrollment (formerly Device Enrollment Program, or “DEP”), will require an ethernet connection, and appears not to utilize Apple Configurator.

Additionally:

  • Administrators can choose whether the user account created at device setup enrolls in the MDM user-channel or just the MDM device-channel

  • More setup assistant screens are now skippable

UAMDM and supervision consolidation

Previously, UAMDM and Supervision were separate concepts in macOS. Starting with macOS 11, UAMDM devices will now provide the same MDM functionality as supervised devices. For example, the following will become available for UAMDM:

  • Activation lock bypass

  • Bootstrap tokens

  • Scheduled software updates

  • Installation of profiles that require supervision

Furthermore, it appears that Apple is consolidating the terminology of enrollment states to simply organization-owned and user-owned. UAMDM/Supervised devices, and as a result devices enrolled with Automated Enrollment (DEP), will be considered organization-owned. User-enrolled devices will be user-owned.

Managed OS updates

Big Sur will add the ability for an MDM administrator to force macOS updates, including the reboot process. As is the case with iOS, macOS will also support OS update deferrals by up to 90 days.

Previously, a custom software update catalog URL could be set by the MDM admin. Admins who wished to control OS update availability and/or provide a local software update cache server would often use this feature to point devices to a local Reposado server.

Setup assistant skip screens for upgrades

Apple Business Manager (ABM) and Apple School Manager (ASM) have long supported skipping setup assistant screens during device enrollment. Moving forward, MDM administrators will be able to configure screens to skip during OS upgrades as well.

Non-removable iOS apps

Previously, administrators could prevent users from removing any of their iOS apps on Supervised devices. Now, administrators can granularly select apps that are non-removable.

Content caching metrics via MDM

Content caching allows the “sharing” of downloads from Apple (whether they are apps, books, or OS updates) between devices on the same network. This effectively reduces the amount of internet bandwidth consumed for a site and also speeds up the delivery of already-cached downloads to devices.

In the upcoming release, the MDM protocol has been expanded to provide content caching metrics so that admins can determine how well content caching is being utilized by their enrolled devices.

Time zone awareness

The latest iOS and macOS releases will support setting the time zone via MDM, as well as retrieving the set value on a device.

Device information

Devices will begin providing the number of resident users on a device. This relates to Shared iPad functionality.

Encrypted DNS settings

Administrators can enhance the privacy and security of their users by encrypting DNS traffic between devices and DNS servers. Previously, a VPN connection was required to “wrap” DNS traffic in an encrypted channel.
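As an added illustration (not code from SimpleMDM or Apple), the following builds the configuration profile an MDM would push to enforce encrypted DNS and audits an existing profile for it. The payload type and keys follow Apple's DNSSettings profile reference; the organization identifiers, server URL and server name are constructed placeholders.

```python
import plistlib
import uuid

# Apple's payload type for managed DNS settings (see Apple's profile reference).
PAYLOAD_TYPE = "com.apple.dnsSettings.managed"
ENCRYPTED_PROTOCOLS = {"HTTPS", "TLS"}  # DNS over HTTPS, DNS over TLS


def build_dns_profile(protocol, server_url=None, server_name=None, server_addresses=()):
    """Return a profile dict that forces encrypted DNS on the device.

    HTTPS needs an https:// ServerURL; TLS needs the ServerName the device
    validates in the resolver's certificate. ServerAddresses are optional
    bootstrap IPs so the resolver is reachable before any DNS works.
    """
    if protocol not in ENCRYPTED_PROTOCOLS:
        raise ValueError("DNSProtocol must be HTTPS or TLS, got %r" % protocol)
    settings = {"DNSProtocol": protocol}
    if protocol == "HTTPS":
        if not server_url or not server_url.startswith("https://"):
            raise ValueError("DNS over HTTPS requires an https:// ServerURL")
        settings["ServerURL"] = server_url
    elif not server_name:
        raise ValueError("DNS over TLS requires a ServerName")
    else:
        settings["ServerName"] = server_name
    if server_addresses:
        settings["ServerAddresses"] = list(server_addresses)
    payload = {
        "PayloadType": PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dns.payload",  # placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Encrypted DNS",
        "DNSSettings": settings,
        "ProhibitDisablement": True,  # user cannot switch the resolver off
    }
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.dns",  # placeholder
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadDisplayName": "Encrypted DNS (example)",
            "PayloadContent": [payload]}


def to_mobileconfig(profile):
    """Serialize to the XML plist form used by a .mobileconfig file."""
    return plistlib.dumps(profile)


def uses_encrypted_dns(mobileconfig_bytes):
    """Audit: True only if the profile carries a DNS payload and all are DoH/DoT."""
    profile = plistlib.loads(mobileconfig_bytes)
    dns = [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == PAYLOAD_TYPE]
    return bool(dns) and all(p.get("DNSSettings", {}).get("DNSProtocol") in ENCRYPTED_PROTOCOLS for p in dns)
```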

Profile changes

VPN-tied profiles

Apple has added the ability to associate a number of different profile-specific payload types to VPN profiles, causing the OS to send traffic over a VPN connection when interacting with these services.

The new profiles to support this functionality are:

  • CalDAV

  • CardDAV

  • Exchange ActiveSync

  • Google Account

  • LDAP

  • Mail

  • Subscribed Calendar

Restrictions

Two settings have been added to the restrictions payload:

  1. Force delayed app software updates, and

  2. Allow or disallow App Clips

Notifications

Notification configurations may now optionally specify a preview type.

SSO Kerberos additions

The Single Sign On Kerberos extension has new configuration options, including the ability to set a custom username label, define a “help” text string, and configure the credentials cache and replication time, among other options.

Deprecated: Media management controls

The ability to manage media controls, such as eject, mount, and unmount, has been deprecated and will no longer function in future macOS versions (presumably beyond 11.0).
