This week during the 2022 Worldwide Developer Conference (WWDC), Apple announced a plethora of new MDM functionality coming to the new iOS 16 and macOS 13 Ventura. Let’s take a look at the highlights:
Apple configurator updates
In late 2021, Apple introduced Apple Configurator for iPhone, which allows admins to manually add macOS devices to Apple Business Manager or Apple School Manager. With iOS and iPadOS 16, Apple Configurator for iPhone can now add other iPhones and iPads to Apple Business Manager. This avoids the requirement to connect the iOS device to a Mac in order to use Apple Configurator to add a device to Apple Business Manager.
Apple Business Manager and Apple School Manager now support the federation of Managed Apple IDs with Google Workspace as the identity provider (in addition to Microsoft Azure AD, which was supported previously).
“Sign in with Apple” is now supported with Managed Apple IDs for apps that support it. Apple Business Manager and Apple School Manager will also support the ability to configure an “allow list” of apps that Managed Apple IDs can be used to sign in to.
Enrollment Single Sign-On
This feature includes OAuth 2 in the account-driven user enrollment workflow. The user will enter their credentials in Settings, which will prompt them to download an app from the App Store. This app will provide a native UI to complete the authentication steps and then handle authentication for additional app sign-ins. The primary requirements for this are:
An app that supports the Enrollment SSO extension
MDM supports client authentication via an identity provider
Admins configure Managed Apple IDs via ABM/ASM
MDM is configured to handle the authentication
Platform Single Sign-On
This feature allows users to sign in once at the login window, which will then automatically sign them into apps and websites. The token used to sign in will become available to third-party SSO extensions and works with the Kerberos extension. The user that first logs in with a local account password, which unlocks FileVault encryption, will enable the user to log in when offline and when connected to captive networks. From here, the identity provider password can be used to unlock the device. Platform SSO will also support the ability to authenticate with password or a Secure Enclave backed key.
Regardless of the authentication method, SSO tokens are retrieved from the identity provider, stored in the Keychain and available to the SSO extension. Password changes will be validated with the IdP upon unlock. This protocol is built using OAuth and OpenID. It does not use web views for authentication. This can replace AD binding. The IdP is only called when the user is attempting to use a new password at unlock or to get SSO tokens.
New software update features
Devices will now respond to OS update commands even when in Power Nap mode.
There is a new priority key that can be passed when sending the OS update command via MDM. Sending this command with “High” priority key will be similar to a user-initiated updates. This is only supported for minor OS updates. Apple also increased logging and reporting for OS updates for macOS.
There is a new mechanism in macOS Ventura and iOS/iPadOS 13 for critical security updates, called Rapid Security Response. The Restrictions profile now supports new keys:
allowRapidSecurityResponseInstallation: allows MDM admins to disable this mechanism
allowRapidSecurityResponseRemoval: blocks the end-user from being to able to remove this rapid security response
If a device was enrolled via Automated Enrollment previously, the device becomes registered to your organization and an internet connection will be required for a device to complete Setup Assistant after being erased/restored.
Apple is now enforcing rate limiting for show, renew, and validate commands for the profiles command.
Interactive certificate trust
Certificates installed manually will not be considered trusted by default, but certificates installed via MDM payloads will still be trusted automatically.
Allow accessories to connect on Mac
By default, the user will be asked to allow new Thunderbolt or USB accessories including when unlocked. Additionally, the allowUSBRestrictedMode key will now be supported for macOS (in addition to iOS/iPadOS).
iOS and iPadOS
Managing Network Traffic: Expanding DNS Proxy and Web Content Filter profiles to BYOD devices, similar to per-app VPN. These profiles can only be installed via MDM. All existing apps that require DNS Proxies or Web Content Filters will still work. However, you cannot mix system-wide and per-app proxies. Additionally, you can have up to 7 per-app filters and one system-wide filter.
Managing eSIMs: Traditionally, a device’s cellular subscription information was returned via the ServiceSubscription command response. Apple has deprecated this response in iOS/iPadOS 16. Now, the cellular carrier will provide a server URL where devices can fetch a cellular plan.
Shared iPad: Save users time by using the ManagedAppleIDDefaultDomains key so users will see a suggestion quickly to authenticate. Shared iPad will only require local verification, but admins can configure a more frequent auth interval. There are two keys to use to set quota size on iPadOS: QuotaSize and ResidentUsers.
There are new options to control accessibility settings on iOS/iPadOS, including:
Install apps during AwaitDeviceConfigured state
MDM can now install apps during the AwaitDeviceConfigured state. This is best used for device-based licensing. This allows apps to be installed before exiting Setup Assistant. Unsupervised devices will return a NotNow response until reaching the home screen.
Apple TVs that are wiped via MDM will automatically retain device/remote pairing after the wipe.
Expanding declarative device management
In 2021, Apple announced Declarative Management, a new paradigm for the Apple MDM protocol. This year, Apple announced they are expanding Declarative Management. We will update this article later this week pending further announcements from Apple on this subject.
Managed device attestation
This is a new security feature from Apple that uses a Secure Enclave to provide assurances about device such as identity and software version. We will update this section pending further announcements from Apple later this week.