Hold onto your seats as the 2023 Apple Worldwide Developers Conference (WWDC) is in full swing, bringing with it an exciting wave of announcements for the highly anticipated iOS 17 and macOS 14 Sonoma upgrades — and their implications for mobile device management! Our team is thrilled to attend sessions and workshops throughout the week, keeping you informed of the latest updates and highlights as they are announced.
This year’s WWDC was headlined by the strongly hyped release of Apple’s new mixed reality headset, Vision Pro, along with many significant updates coming in iOS & iPadOS 17, macOS 14, and watchOS. In this article, we'll cover enterprise features and updates specifically pertaining to mobile device management (MDM).
Introducing management for watchOS
Apple introduced a long-awaited feature for some admins who manage Apple Watches in their work environments: device management capabilities for watchOS. The initial MDM features may include:
Installing and removing apps on Apple Watch
Applying configurations and profiles, including Passcode, Certificates, Per App VPN, Wi-Fi, and Restrictions
Account-driven User Enrollment updates
At Apple WWDC 2021, Apple announced account-driven User Enrollment. This change allows users to enroll their BYOD devices via User Enrollment by signing into their Managed Apple ID via Settings, at which point they would be prompted to enroll (rather than requiring users to manually download the enrollment profile). This year, Apple introduced a similar workflow for Device Enrollment. The outcome is similar to standard profile-based Device Enrollment and enables supervision on macOS, but it also includes separation of work and personal data volumes similar to what is currently used in User Enrollment.
With this update, account-driven User Enrollment is now supported for iOS, iPadOS, and macOS, and profile-based User Enrollment will be deprecated.
Managed Apple ID services & access control features
New updates are bringing additional services to Managed Apple IDs, including Continuity, iCloud Keychain, Apple Wallet, and Developer accounts. With these new services, access management controls will be added to allow admins to control what services these Managed Apple IDs have access to, including the ability to configure access controls based on devices’ MDM enrollment state.
Declarative Device Management
Software updates
Managing software updates via MDM has been perhaps one of the most talked-about topics in the community lately. At WWDC 2023, Apple announced that software updates will now be manageable using the Declarative Device Management (DDM) protocol for iOS, iPadOS, and macOS. These updates provide new options for requesting and enforcing updates, as well as for notifying users of pending updates.
App management
Apple is adding new options to the DDM protocol to install and remove App Store and custom apps on iOS, iPadOS, and macOS devices.
Certificates
New declarations were added to the DDM protocol to allow for the installation of certificates and identities.
New asset types for macOS
Apple introduced a new asset type to allow admins to manage configurations for common system services, including:
sshd
sudo
PAM
CUPS
Apache
Zsh
Bash
These assets will be distributable as .zip archives.
Migration path for legacy profiles
Apple introduced a migration path that lets MDMs take over management of existing legacy MDM profiles using the DDM protocol, without requiring the profiles to be uninstalled and reinstalled. This will drastically improve the experience of moving from legacy MDM protocol management to DDM management.
New status updates
Apple now allows MDMs to subscribe to status updates for FileVault enablement, launch agents, launch daemons, and background tasks.
Custom asset hosting
Assets can now be hosted on any web server and distributed via MDM, rather than the MDM having to host the assets itself.
Device enforcement options
Apple is adding a number of enforceable conditions that users must satisfy in order to complete Setup Assistant and enroll their devices, including:
Force users to enable FileVault during Setup Assistant.
Enforce a minimum OS version in order to complete setup or Automated Enrollment.
Enforce Automated Device Enrollment. If an ABM/ASM-registered device did not enroll in MDM initially, the user will see additional prompts to enroll with the option to defer enrollment for up to 8 hours, after which they will be forced to enroll or erase their Mac.
Platform Single Sign-On (PSSO) additions for macOS
We recently wrote about supporting Platform Single Sign-On. At WWDC 2023, Apple announced a number of new additions for macOS 14, including:
A new menu item in System Settings allowing users to register their device or user account for use with SSO.
Allowing local user account creation by users with organizational identity-provider-managed accounts or smart cards.
Updating group memberships at the time of authentication with the identity provider.
Completing authorization prompts using IdP user accounts that aren’t local.
Restrictions profile updates
A number of new Restrictions keys were added for macOS, including:
allowAccountModification
allowDeviceNameModification
allowStartupDiskModification
allowTimeMachineBackup
allowFingerprintModification
allowLocalUserCreation
allowAssistant
Sharing services — prevents modification of the following:
allowFileSharingModification
allowPrinterSharingModification
allowARDRemoteManagementModification
allowRemoteAppleEventsModification
allowInternetSharingModification
allowBluetoothSharingModification
forceOnDeviceOnlyDictation
AllowCloudFreeform
The following keys now require supervision to function:
allowAutoUnlock
allowFingerprintForUnlock
allowSpotlightInternetResults
Additionally, future versions of macOS 14 will require supervision for the following keys — but these will apply only to personal Apple IDs (Managed Apple IDs will not be impacted):
allowCloudPhotoLibrary
allowCloudDocumentSync
allowActivityContinuation
allowCloudPrivateRelay
VPN Restrictions
Users and third-party apps can now be restricted from adding VPN configurations to supervised devices on iOS and iPadOS using the allowVPNCreation key.
Login Window updates
New keys were added to the Login Window payload to facilitate automatic login on supervised Macs:
AutologinPassword
AutologinUsername
New configurable screen-sharing options on macOS
Apple announced new additions for configuring screen sharing on macOS, including the ability to configure host and connection settings.
Managed application updates on macOS
On macOS 14, packages installed via the MDM protocol containing more than one application bundle installing to /Applications will have all included applications marked as managed and, therefore, can be removed via MDM.
Changes to relaunching Setup Assistant
Prior to macOS 14, a user could delete the /private/var/db/.AppleSetupDone file to trigger Setup Assistant to launch and run again. This will no longer work in macOS 14+.
Password policy management
Apple is introducing some new functionalities when it comes to managing passwords on devices, including:
Support for regular expressions (regex) to define password complexity requirements.
Notifications to users when a stricter passcode policy is applied (on macOS).
Prompts to users, after the stricter policy is applied, to change their password at the next login.
Managed Device Attestation
Apple had already announced Managed Device Attestation (MDA) for iOS and iPadOS; at WWDC 2023, the company extended MDA to macOS. New properties were added to MDA, including SIP status, Secure Boot status, OS version, and Secure Enclave Enrollment ID, among others. An MDM can compare the Secure Enclave Enrollment ID across attestations to verify that it is still communicating with the same device.
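The check described above, as an added example that is not Apple's or any MDM vendor's code: an MDM-side evaluation of the attested properties the article names, comparing the Secure Enclave Enrollment ID against the value recorded at enrollment and checking SIP, Secure Boot and OS version against a policy. The field names, the Secure Boot vocabulary and the sample records are assumptions constructed for illustration; a real MDM extracts these values from the attestation it receives from the device.

```python
from dataclasses import dataclass


@dataclass
class AttestationRecord:
    """Constructed view of the attested properties listed in the article (field names assumed)."""
    serial: str
    se_enrollment_id: str   # Secure Enclave Enrollment ID as attested
    sip_enabled: bool       # System Integrity Protection status
    secure_boot: str        # assumed vocabulary: "full", "medium" or "off"
    os_version: str         # e.g. "14.0"


@dataclass
class Policy:
    min_os: tuple = (14, 0)
    require_sip: bool = True
    allowed_secure_boot: tuple = ("full",)


def _parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def evaluate(record: AttestationRecord, policy: Policy, known_ids: dict) -> list:
    """Return a list of findings; an empty list means the device passes.

    known_ids maps a device serial to the Secure Enclave Enrollment ID the MDM
    recorded when that device first enrolled.
    """
    findings = []
    prior = known_ids.get(record.serial)
    if prior is None:
        findings.append("unknown-device")
    elif prior != record.se_enrollment_id:
        # Same serial, different Secure Enclave: this attestation did not come
        # from the hardware that originally enrolled, so treat it as a new device.
        findings.append("enrollment-id-mismatch")
    if policy.require_sip and not record.sip_enabled:
        findings.append("sip-disabled")
    if record.secure_boot not in policy.allowed_secure_boot:
        findings.append("secure-boot-reduced")
    if _parse_version(record.os_version) < policy.min_os:
        findings.append("os-too-old")
    return findings


# Constructed sample data: one enrolled serial and three attestations against it.
KNOWN_IDS = {"SERIAL-SAMPLE-01": "seid-sample-aaaa"}
GOOD = AttestationRecord("SERIAL-SAMPLE-01", "seid-sample-aaaa", True, "full", "14.0")
SWAPPED = AttestationRecord("SERIAL-SAMPLE-01", "seid-sample-bbbb", True, "full", "14.0")
WEAK = AttestationRecord("SERIAL-SAMPLE-01", "seid-sample-aaaa", False, "medium", "13.5.1")
```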
Return to Service
Previously, when a device was erased remotely via MDM, the reenrollment process was still fairly manual, requiring a user to reconnect the device to Wi-Fi and proceed through the Setup Assistant steps. With Return to Service, an MDM can send an erase command that includes additional options to provide Wi-Fi settings so that a user does not need to manually reconnect to Wi-Fi. An MDM can also provide an enrollment profile to trigger the reenrollment. This change modifies the experience so that after an MDM wipe, the user is returned to the home screen without additional manual steps.
Cellular connectivity
Private 5G and LTE networks will be supported on iOS and iPadOS 17. With this change, MDMs can allow admins to automatically activate private SIMs when a device enters specific areas, and admins can have devices prioritize cellular data over Wi-Fi.
Additionally, 5G network slicing was introduced to allow Managed Apps to be assigned to 5G network slices by supported carriers.
eSIMs are now preserved after iOS and iPadOS devices are wiped due to hitting the maximum number of failed attempts configured by a passcode policy, and eSIM modification can be restricted via a Restrictions profile.
The com.apple.apn.managed payload is also being deprecated.
Network relays
Apple introduced a new payload type for configuring network relays, a built-in OS feature that provides an alternative to a VPN for accessing enterprise resources.
Apple Configurator updates
With new updates, Apple Configurator for iPhone can be used to assign an MDM server when adding a device to Apple Business Manager (or Apple School Manager).
Additionally, Apple Configurator for macOS can be used in combination with the Shortcuts app to automate processes.
802.1X support for iOS Ethernet Connections
Apple added support on iPhone and iPad for 802.1X configuration profiles, allowing connectivity to restricted Ethernet networks that require authentication.
Additions to Shared iPad Functionality
New enhancements were added to the Shared iPad functionality:
AwaitUserConfiguration key: This allows MDMs to apply configurations for specific users after they sign in, so that the configurations are ready for use when the user reaches the home screen.
SkipLanguageAndLocaleSetupForNewUsers key: This provides new options to automate setup at sign-in.
QuotaSize key: This key allows Shared iPads to grant dedicated space to temporary users to allow for app installations and media while signed in.
Enforce maxInactivity for User Enrollment
The maxInactivity key for the Passcode payload is now supported for User Enrollment to ensure that users can’t disable auto-lock.
Conclusion
This year brought many exciting updates to the Apple ecosystem. We will update this article periodically as new information is provided. To view these announcements yourself, visit the following official Apple links: