Last updated June 29, 2020
This article will be continually updated as Apple releases additional information and further clarification of upcoming functionality.
The Apple Worldwide Developer Conference (WWDC) started this week, and Apple has made public the changes coming in both the latest release of iOS 14 and macOS 11 (named “Big Sur”). We will be updating this page as additional information and clarifications are provided by Apple.
Current app management in macOS is a far cry from the experience in iOS. For instance, an app can be installed via MDM in macOS today, however there is no mechanism for marking that app as managed or for uninstalling it. Apple indicates that, as of macOS 11, the app management experience will be much more similar to what it is in iOS today.
Apple also indicates that macOS apps can also now include configurations, much as iOS apps can include managed application configurations.
macOS 11 will include a plethora of information and control MDM commands for managing lights-out devices (LOM). Presumably, Apple will include LOM functionality embedded in the hardware of new Mac Pro computers, allowing administrators to initiate remote power-on, restarts, and other out-of-band management activities.
To use LOM, administrators will need to deploy a dedicated macOS machine local to the Mac Pros that are to be managed. LOM will then be available for the Mac Pros via MDM.
tvOS has supported a feature called auto-advance for some time now. This feature allows an admin to set up an Apple TV without having to click through the Setup Assistant screens. To start this process, the Apple TV is connected to ethernet so that setup may be orchestrated by Apple Configurator running on a computer on the same network.
As of 11.0, macOS will support this setup mode, or something similar, allowing a computer to transition from unboxing and power-on to the sign in screen with no additional interaction. This will work in tandem with Automated Device Enrollment (formerly Device Enrollment Program, or “DEP”), will require an ethernet connection, and appears to not utilize Apple Configurator.
Previously, UAMDM and Supervision were separate concepts in macOS. Starting with macOS 11, UAMDM devices will now provide the same MDM functionality as supervised devices. For example, the following will become available for UAMDM:
Furthermore, it appears that Apple is consolidating the terminology of enrollment states to simply organization-owned and user-owned. UAMDM/Supervised devices, and as a result, devices enrolled with Automated Enrollment (DEP) will be considered organization-owned. User-enrolled devices will be user-owned.
Big Sur will add the ability for an MDM administrator to force macOS updates, including the reboot process. As is the case with iOS, macOS will also support OS update deferrals by up to 90 days.
Previously, a custom software update catalog URL could be set by the MDM admin. Admins who wished to control OS update availability and/or provide a local software update cache server would often use this feature to point devices to a local Reposado server.
Apple Business Manager (ABM) and Apple School Manager (ASM) have long supported skipping setup assistant screens during device enrollment. Moving forward, MDM administrators will be able to configure screens to skip during OS upgrades as well.
Previously, administrators could prevent users from removing any of their iOS apps on Supervised devices. Now, administrators can granularly select apps that are non-removable.
Content caching allows the “sharing” of downloads from Apple (whether they are apps, books, or OS updates) between devices on the same network. This effectively reduces the amount of internet bandwidth consumed for a site and also speeds up the delivery of already-cached downloads to devices.
In the upcoming release, the MDM protocol has been expanded to provide content caching metrics so that admins can determine how well content caching is being utilized by their enrolled devices.
The latest iOS and macOS releases will support setting the time zone via MDM, as well as retrieving the set value on a device.
Devices will begin providing the number of resident users on a device. This relates to Shared iPad functionality.
Administrators can enhance the privacy and security of their users by encrypting DNS traffic between devices and DNS servers. Previously, a VPN connection was required to “wrap” DNS traffic in an encrypted channel.
Apple has added the ability to associate a number of different profile-specific payload types to VPN profiles, causing the OS to send traffic over a VPN connection when interacting with these services.
The new profiles to support this functionality are:
Two functionalities have been added to the restrictions payload. They are:
Notification configurations may now optionally specify a preview type.
The Single Sign On Kerberos extension has new configuration options. Namely, the ability to have a custom username label, define a “help” text string, configure the credentials cache and replication time, among other options.
The ability to manage media controls, such as eject, mount, and unmount has been deprecated and will no longer function in future macOS versions (presumably beyond 11.0).