New MDM features coming in iOS 16 and macOS 13 Ventura

Last updated June 15, 2022

Note: This article continues to be updated as Apple releases additional information and further clarification of upcoming functionality. This is not necessarily a list of features that have been added to SimpleMDM, but rather a list of new functionalities that Apple is making available within the Apple MDM spec. To request a new feature, submit a request via our suggestions forum.

This week during the 2022 Worldwide Developer Conference (WWDC), Apple announced a plethora of new MDM functionality coming to the new iOS 16 and macOS 13 Ventura. Let’s take a look at the highlights: 

Apple configurator updates

In late 2021, Apple introduced Apple Configurator for iPhone, which allows admins to manually add macOS devices to Apple Business Manager or Apple School Manager. With iOS and iPadOS 16, Apple Configurator for iPhone can now add other iPhones and iPads to Apple Business Manager. This avoids the requirement to connect the iOS device to a Mac in order to use Apple Configurator to add a device to Apple Business Manager. 

Identity management 

Apple Business Manager and Apple School Manager now support the federation of Managed Apple IDs with Google Workspace as the identity provider (in addition to Microsoft Azure AD, which was supported previously).   

“Sign in with Apple” is now supported with Managed Apple IDs for apps that support it. Apple Business Manager and Apple School Manager will also support the ability to configure an “allow list” of apps that Managed Apple IDs can be used to sign in to. 

Enrollment Single Sign-On 

This feature includes OAuth 2 in the account-driven user enrollment workflow. The user will enter their credentials in Settings, which will prompt them to download an app from the App Store. This app will provide a native UI to complete the authentication steps and then handle authentication for additional app sign-ins. The primary requirements for this are: 

  1. An app that supports the Enrollment SSO extension 
  2. MDM supports client authentication via an identity provider 
  3. Admins configure Managed Apple IDs via ABM/ASM 
  4. MDM is configured to handle the authentication 

Platform Single Sign-On 

This feature allows users to sign in once at the login window, which will then automatically sign them into apps and websites. The token used to sign in will become available to third-party SSO extensions and works with the Kerberos extension. The user that first logs in with a local account password, which unlocks FileVault encryption, will enable the user to log in when offline and when connected to captive networks. From here, the identity provider password can be used to unlock the device. Platform SSO will also support the ability to authenticate with password or a Secure Enclave backed key.  

Regardless of the authentication method, SSO tokens are retrieved from the identity provider, stored in the Keychain and available to the SSO extension. Password changes will be validated with the IdP upon unlock. This protocol is built using OAuth and OpenID. It does not use web views for authentication. This can replace AD binding. The IdP is only called when the user is attempting to use a new password at unlock or to get SSO tokens. 

New software update features 

Devices will now respond to OS update commands even when in Power Nap mode. 

There is a new priority key that can be passed when sending the OS update command via MDM. Sending this command with “High” priority key will be similar to a user-initiated updates. This is only supported for minor OS updates. Apple also increased logging and reporting for OS updates for macOS. 

There is a new mechanism in macOS Ventura and iOS/iPadOS 13 for critical security updates, called Rapid Security Response. The Restrictions profile now supports new keys: 

  • allowRapidSecurityResponseInstallation: allows MDM admins to disable this mechanism 
  • allowRapidSecurityResponseRemoval: blocks the end-user from being to able to remove this rapid security response 

Automated enrollment 

If a device was enrolled via Automated Enrollment previously, the device becomes registered to your organization and an internet connection will be required for a device to complete Setup Assistant after being erased/restored. 

Profiles command 

Apple is now enforcing rate limiting for show, renew, and validate commands for the profiles command. 

Interactive certificate trust 

Certificates installed manually will not be considered trusted by default, but certificates installed via MDM payloads will still be trusted automatically. 

Allow accessories to connect on Mac 

By default, the user will be asked to allow new Thunderbolt or USB accessories including when unlocked. Additionally, the allowUSBRestrictedMode key will now be supported for macOS (in addition to iOS/iPadOS). 

iOS and iPadOS 

  1. Managing Network Traffic: Expanding DNS Proxy and Web Content Filter profiles to BYOD devices, similar to per-app VPN. These profiles can only be installed via MDM. All existing apps that require DNS Proxies or Web Content Filters will still work. However, you cannot mix system-wide and per-app proxies. Additionally, you can have up to 7 per-app filters and one system-wide filter.
  2. Managing eSIMs: Traditionally, a device’s cellular subscription information was returned via the ServiceSubscription command response. Apple has deprecated this response in iOS/iPadOS 16. Now, the cellular carrier will provide a server URL where devices can fetch a cellular plan.
  3. Shared iPad: Save users time by using the ManagedAppleIDDefaultDomains key so users will see a suggestion quickly to authenticate. Shared iPad will only require local verification, but admins can configure a more frequent auth interval. There are two keys to use to set quota size on iPadOS: QuotaSize and ResidentUsers.  

Accessibility 

There are new options to control accessibility settings on iOS/iPadOS, including: 

  • TextSize 
  • VoiceOverEnabled 
  • ZoomEnabled 
  • TouchAccomodationEnabled 
  • BoldTextEnabled 
  • ReduceMotionEnabled 
  • IncreaseContrastEnabled 
  • ReduceTransparencyEnabled 

Install apps during AwaitDeviceConfigured state 

MDM can now install apps during the AwaitDeviceConfigured state. This is best used for device-based licensing. This allows apps to be installed before exiting Setup Assistant. Unsupervised devices will return a NotNow response until reaching the home screen. 

Apple TV 

Apple TVs that are wiped via MDM will automatically retain device/remote pairing after the wipe. 

Expanding declarative device management 

In 2021, Apple announced Declarative Management, a new paradigm for the Apple MDM protocol. This year, Apple announced they are expanding Declarative Management. We will update this article later this week pending further announcements from Apple on this subject. 

Managed device attestation 

This is a new security feature from Apple that uses a Secure Enclave to provide assurances about device such as identity and software version. We will update this section pending further announcements from Apple later this week. 

Leave a Reply

Your email address will not be published. Required fields are marked *

See Why Apple Admins Prefer SimpleMDM

Start My FREE 30-Day Trial Now
  • Apple releases fixes for two zero-day exploits affecting Macs, iPhones, and iPads

    By on April 4, 2022
    Read more
  • New MDM Features Coming in iOS 15 and macOS 12 Monterey

    By on June 8, 2021
    Read more
  • New MDM Features Coming in macOS 11 Big Sur & iOS 14

    By on June 22, 2020
    Read more

See Why Apple Admins Prefer SimpleMDM No strings. No Spam.

Start My 30-Day Free Trial Now