Last updated June 15, 2022
Note: This article continues to be updated as Apple releases additional information and further clarification of upcoming functionality. This is not necessarily a list of features that have been added to SimpleMDM, but rather a list of new functionalities that Apple is making available within the Apple MDM spec. To request a new feature, submit a request via our suggestions forum.
This week during the 2022 Worldwide Developer Conference (WWDC), Apple announced a plethora of new MDM functionality coming to the new iOS 16 and macOS 13 Ventura. Let’s take a look at the highlights:
In late 2021, Apple introduced Apple Configurator for iPhone, which allows admins to manually add macOS devices to Apple Business Manager or Apple School Manager. With iOS and iPadOS 16, Apple Configurator for iPhone can now add other iPhones and iPads to Apple Business Manager. This avoids the requirement to connect the iOS device to a Mac in order to use Apple Configurator to add a device to Apple Business Manager.
Apple Business Manager and Apple School Manager now support the federation of Managed Apple IDs with Google Workspace as the identity provider (in addition to Microsoft Azure AD, which was supported previously).
“Sign in with Apple” is now supported with Managed Apple IDs for apps that support it. Apple Business Manager and Apple School Manager will also support the ability to configure an “allow list” of apps that Managed Apple IDs can be used to sign in to.
This feature adds OAuth 2 to the account-driven user enrollment workflow. The user enters their credentials in Settings, which prompts them to download an app from the App Store. This app provides a native UI to complete the authentication steps and then handles authentication for additional app sign-ins. The primary requirements for this are:
This feature allows users to sign in once at the login window and then be signed in automatically to apps and websites. The token used to sign in becomes available to third-party SSO extensions and works with the Kerberos extension. The user first logs in with a local account password, which unlocks FileVault encryption; this is what allows the user to log in when offline or when connected to a captive network. From there, the identity provider password can be used to unlock the device. Platform SSO will also support authenticating with either a password or a Secure Enclave-backed key.
Regardless of the authentication method, SSO tokens are retrieved from the identity provider, stored in the Keychain, and made available to the SSO extension. Password changes are validated with the IdP at the next unlock. The protocol is built on OAuth and OpenID and does not use web views for authentication. This can replace AD binding. The IdP is only contacted when the user attempts to unlock with a new password or when SSO tokens need to be obtained.
Devices will now respond to OS update commands even when in Power Nap mode.
There is a new priority key that can be passed when sending the OS update command via MDM. Sending the command with the “High” priority key makes it behave similarly to a user-initiated update. This is only supported for minor OS updates. Apple also increased logging and reporting for OS updates on macOS.
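As an added illustration (not code from the article or from SimpleMDM), the following Python builds the ScheduleOSUpdate command an MDM server would queue, with the Priority key set, and refuses "High" when the target is a major version jump, since the article notes high priority is only supported for minor updates. The key names follow Apple's MDM command reference; the ProductKey value and the version numbers are placeholders, and the "same major version" test for what counts as a minor update is this example's own assumption.

```python
import plistlib
import uuid
from typing import Optional


def _major(version: str) -> int:
    """Return the leading component of a dotted version string ("13.0.1" -> 13)."""
    return int(version.split(".")[0])


def high_priority_allowed(current_version: str, target_version: str) -> bool:
    """High priority is only supported for minor updates. This example treats an
    update as minor when the major version does not change
    (13.0 -> 13.1 is minor, 12.6 -> 13.0 is not); that rule is an assumption."""
    return _major(current_version) == _major(target_version)


def build_schedule_os_update(current_version: str, target_version: str,
                             priority: str = "Low",
                             product_key: Optional[str] = None) -> dict:
    """Build the ScheduleOSUpdate MDM command as a dictionary.

    Key names (RequestType, Updates, ProductKey, ProductVersion, InstallAction,
    Priority) follow Apple's MDM command reference. ProductKey is whatever the
    device reported in its AvailableOSUpdates response; the caller passes it.
    """
    if priority not in ("Low", "High"):
        raise ValueError("Priority must be 'Low' or 'High'")
    if priority == "High" and not high_priority_allowed(current_version, target_version):
        raise ValueError("High priority is only supported for minor OS updates")

    update = {
        "ProductVersion": target_version,
        "InstallAction": "InstallASAP",
        "Priority": priority,
    }
    if product_key is not None:
        update["ProductKey"] = product_key

    return {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "ScheduleOSUpdate",
            "Updates": [update],
        },
    }


def to_plist(command: dict) -> bytes:
    """Serialise the command as the XML plist the server sends to the device."""
    return plistlib.dumps(command)


if __name__ == "__main__":
    # Constructed sample: a Mac on 13.0 being moved to 13.1 (a minor update),
    # with a placeholder product key rather than a real one.
    cmd = build_schedule_os_update("13.0", "13.1", priority="High",
                                   product_key="PLACEHOLDER_PRODUCT_KEY")
    print(to_plist(cmd).decode())
```

The version check lives on the server side on purpose: the device will simply not honour a high-priority request for a major update, so rejecting it before it is queued gives the administrator an immediate error instead of a silently slow rollout.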
There is a new mechanism in macOS Ventura and iOS/iPadOS 13 for critical security updates, called Rapid Security Response. The Restrictions profile now supports new keys:
If a device was previously enrolled via Automated Enrollment, it remains registered to your organization, and an internet connection will be required to complete Setup Assistant after the device is erased or restored.
Apple is now enforcing rate limiting on the show, renew, and validate operations of the profiles command.
Certificates installed manually will no longer be considered trusted by default; certificates installed via MDM payloads will still be trusted automatically.
By default, the user will be asked to approve new Thunderbolt or USB accessories, including when the device is unlocked. Additionally, the allowUSBRestrictedMode key will now be supported on macOS (in addition to iOS/iPadOS).
There are new options to control accessibility settings on iOS/iPadOS, including:
MDM can now install apps while the device is in the AwaitDeviceConfigured state, i.e. before Setup Assistant is exited. This is best used with device-based licensing. Unsupervised devices will return a NotNow response until the home screen is reached.
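The NotNow behaviour matters for the server side: a command answered with NotNow has been received but not performed, so the server must keep it queued and re-send it on a later poll rather than treat it as done or failed. The Python below, an added example and not code from the article or from SimpleMDM, models a per-device command queue that re-queues InstallApplication on NotNow and a simulated device that answers NotNow until it reaches the home screen unless it is supervised. The device class is a stand-in, not a real MDM client; the iTunes Store ID used is a constructed placeholder, and the InstallApplication keys (iTunesStoreID, Options.PurchaseMethod = 1 for device-based licensing) follow Apple's MDM command reference.

```python
from collections import deque
from dataclasses import dataclass, field
import uuid


@dataclass
class SimulatedDevice:
    """Stand-in for an enrolled device used to exercise the server logic; it is
    not a real MDM client. It mirrors the article's rule: during Setup
    Assistant an unsupervised device answers InstallApplication with NotNow,
    a supervised one (or any device at the home screen) acknowledges it."""
    supervised: bool
    at_home_screen: bool = False  # False while still in AwaitDeviceConfigured

    def respond(self, command: dict) -> str:
        if command["Command"]["RequestType"] == "InstallApplication":
            if self.supervised or self.at_home_screen:
                return "Acknowledged"
            return "NotNow"
        return "Acknowledged"


@dataclass
class CommandQueue:
    """Per-device command queue on the MDM server side."""
    pending: deque = field(default_factory=deque)
    completed: list = field(default_factory=list)
    not_now_count: int = 0

    def enqueue_install(self, itunes_store_id: int) -> str:
        """Queue an InstallApplication command using device-based licensing
        (Options.PurchaseMethod = 1), which needs no signed-in Apple ID and so
        suits installs that happen before Setup Assistant finishes."""
        command_uuid = str(uuid.uuid4())
        self.pending.append({
            "CommandUUID": command_uuid,
            "Command": {
                "RequestType": "InstallApplication",
                "iTunesStoreID": itunes_store_id,
                "Options": {"PurchaseMethod": 1},
            },
        })
        return command_uuid

    def checkin(self, device: SimulatedDevice) -> str:
        """Deliver the next pending command on a device poll and handle the
        returned status. NotNow means the device could not act yet, so the
        command goes back on the queue to be re-sent on a later poll."""
        if not self.pending:
            return "Idle"
        command = self.pending.popleft()
        status = device.respond(command)
        if status == "NotNow":
            self.not_now_count += 1
            self.pending.append(command)
        elif status == "Acknowledged":
            self.completed.append(command["CommandUUID"])
        return status


def install_during_setup(device: SimulatedDevice, itunes_store_id: int,
                         max_polls: int) -> int:
    """Poll until the install is acknowledged or max_polls is reached and
    return how many NotNow responses were seen along the way."""
    queue = CommandQueue()
    queue.enqueue_install(itunes_store_id)
    for _ in range(max_polls):
        if queue.checkin(device) == "Acknowledged":
            break
    return queue.not_now_count


if __name__ == "__main__":
    # Constructed placeholder store ID, not a real app.
    STORE_ID = 123456789
    print("supervised NotNow count:",
          install_during_setup(SimulatedDevice(supervised=True), STORE_ID, 5))
    print("unsupervised NotNow count:",
          install_during_setup(SimulatedDevice(supervised=False), STORE_ID, 3))
```

Counting NotNow responses per command is also a cheap detection signal: a supervised device that keeps answering NotNow during AwaitDeviceConfigured is not behaving as the article describes and is worth a closer look before the rollout is declared healthy.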
Apple TVs that are wiped via MDM will automatically retain device/remote pairing after the wipe.
In 2021, Apple announced Declarative Management, a new paradigm for the Apple MDM protocol. This year, Apple announced they are expanding Declarative Management. We will update this article later this week pending further announcements from Apple on this subject.
This is a new security feature from Apple that uses the Secure Enclave to provide assurances about a device, such as its identity and software version. We will update this section pending further announcements from Apple later this week.