This week during the 2021 Worldwide Developer Conference (WWDC), Apple announced a plethora of new MDM functionality coming to the new iOS 15, macOS 12 Monterey (10.16 in some circles), as well as the current versions of iOS 14 and macOS Big Sur 10.15.
On unsupervised devices, MDM can install a single “required” app without prompting for user permission. This is installed as part of the initial MDM profile. Consent to install the app is included during the profile installation. This is useful for installing an application that is necessary for business functions and/or management, such as MDM service’s agent application.
Currently, Apple provides Managed Open-In settings within the Restrictions profile. These settings allow you to prevent data and content within managed apps from being moved to unmanaged apps, and vice versa. With Managed Pasteboard settings, Apple provides you with the ability to apply the same restrictions to the copy and paste functionality, meaning that information copied from corporate apps cannot be pasted in unmanaged apps and/or the reverse.
Apple added the ability to log in to Shared iPads as a temporary user, meaning that a user can log in with any Apple ID instead of just a Managed Apple ID from Apple Business Manager. After log out, all data associated with that user account is removed.
With the addition of the temporary user concept, Apple has added three associated functionalities which include:
The ability to restrict user logins to only temporary users (meaning Managed Apple ID logins are restricted).
The ability to set a maximum duration that a temporary user can be logged in.
The ability to set a maximum duration that any user can be logged in.
Configuration profile updates
Apple will now require each payload within a configuration profile to use its own unique identifier.
“Take Management” prompt on iOS
When an unmanaged app is installed on a device, MDM can request management of that application. This request will prompt the user to allow management of the application. With Apple’s new rules, this prompt can be shown and rejected by the user up to 3 times, after which the prompt won’t be shown again for 24 hours.
For macOS Big Sur, installing a System Extensions payload activates the extension if it is already pending approval and removing the payload deactivates the extension.
In macOS Monterey, Apple introduces Removable System Extensions. This allows apps to deactivate their own system extensions, such as when the app is being uninstalled, and doesn’t require admin approval.
As of macOS Big Sur, a Mac must be rebooted in order to make changes to kernel extensions. MDM can now send a Restart Device command to force the reboot, with options to:
Rebuild the kernel cache to allow kernel extensions to load.
Specify kernel extensions not detected by the OS. With this option, an app can be installed via MDM and the kernel extension can be loaded without the app being launched by the user before the reboot.
Display a notification to the device user when rebooting the Mac.
In addition, the option to allow non-admin users to approve kernel extensions has been added to the kernel extensions payload.
iOS app compatibility on Apple silicon
Apple added the ability to determine if a Mac can install and run iOS apps. This is true for M1 Macs. For custom apps, M1 Macs now support provisioning profiles similar to iOS.
Remote lock on Apple silicon
The Remote Lock command on macOS allows admins to remotely lock devices with a 6-digit PIN. Apple silicon devices now support the ability to specify a message on the lock screen as well as a phone number. Both of these are optional.
Set recovery passwords
Apple has added a new security feature that gives admins the ability to enforce a password that must be entered by the user in order to boot a Mac into Recovery Mode. This password can only be set and removed by MDM. The password is automatically removed if a device is unenrolled from MDM.
This feature can be used alongside the existing Activation Lock mechanism to secure your Macs even when they are erased.
Erase All Content and Settings
In macOS Monterey, users have the option to erase all content and settings to easily factory reset their device. This will also be available to MDM as a command. With this addition, MDM has the option to disallow the ability to erase all content and settings within the Restrictions profile. This feature will be available on Apple silicon and Macs with a T2 chip.
Apple Configurator is a tool that provides basic management functionalities when a device is connected, such as the ability to apply profiles, install apps, and perform actions like resetting a device, upgrading software, and enabling Supervised Mode. Previously, Apple Configurator was only available via the macOS App Store (meaning the app could only run on a Mac) and could only be used to manage iOS and tvOS devices.
With Apple’s new updates, Apple Configurator provides management functionalities for macOS devices with the T2 or M1 chip. The two main functionalities are Restore and Revive. Restore will erase all user data, restore the firmware, and re-install the latest macOS version. Revive will update the firmware and recoveryOS while preserving user data. These functionalities are available today.
Furthermore, Apple Configurator previously supported the ability to add iOS and tvOS devices that were purchased outside of a formal business channel to Apple Business Manager or Apple School Manager using what is known as provisional enrollment. Apple will now support the ability to add macOS to Apple Business Manager or Apple School Manager using provisional enrollment. This is achieved using an Apple Configurator application that is available via the App Store on iOS devices.
Provisional enrollment is available for macOS devices with a T2 or M1 chip with macOS Monterey installed. Apple Configurator for iOS will be available in Fall 2021.
For more information on Apple Configurator and its usage, see Apple’s official documentation available here: Apple Configurator 2 User Guide
A significant aspect of Apple device management is managing operating system (OS) updates. Apple previously allowed pushing OS updates to devices via MDM. Additionally, the Restrictions profile allowed admins to enforce up to a 90 day delay period to prevent OS and software updates from installing. Apple now includes additional granularity to control update restrictions (to defer update notifications shown to the user), as well as additional options when pushing OS updates via an MDM.
As of macOS 11.3 and later, an admin can delay major OS upgrades longer than minor releases, which allows security updates for existing OS versions to be installed without permitting a major upgrade. With Apple Silicon, updates require authentication, which can be done manually by the user or using an MDM bootstrap token.
On Apple Silicon devices with macOS Monterey or later, Apple supports MDM-initiated updates using the “InstallLater” command on devices that have a bootstrap token, which installs OS updates without user interaction at a time when it is detected that the device is not in use. Apple added the option to allow the installation of OS updates when a device is detected as not currently in use. Apple also includes additional messaging to the user when performing updates that inform them that an update is scheduled to be performed, that the device must be connected to a power source, and so on.
For macOS devices running Monterey, Apple now provides the option to specify the number of times that the user will be prompted to install an OS update before the update will be forced. For example, an admin could specify that a user can elect to skip the update up to three times, after which they are forced to install the update. This option allows admins to ensure that users install important OS updates in a timely manner. When this is set, this also displays a notification to users informing them of how many deferrals they have left and/or when the update will be forcefully installed.
Additionally, Apple added more abilities to control which OS versions are displayed to users and/or pushed to devices.
Declarative device management
Apple announced a new MDM functionality called “declarative management”, which allows devices to be more autonomous and proactive in their configuration.