As expected, at WWDC Apple announced a series of significant changes to the way Macs, iPads, iPhones and Apple TVs operate in business and education environments. These changes fall broadly into two groups: those that affect overall device management and those that apply to declarative management (a new type of device management Apple introduced in iOS 15 last year).
It is worth looking at each group separately to better understand the changes.
How has Apple changed overall device management?
Apple Configurator
Apple has significantly expanded Apple Configurator for iPhone. Apple Configurator has long been a manual method of enrolling iPhones and iPads in management, as opposed to automated or self-enrollment tools. The tool originally shipped as a Mac app that could configure devices, but it had one major downside: the devices had to be connected to the Mac running the app via USB. That had a clear cost in time and manpower in anything other than a small environment.
Last year, Apple introduced a version of Configurator for iPhone that reversed the original workflow, meaning the iPhone version of the app could be used wirelessly to enroll Macs. It was intended primarily to enroll Macs purchased outside Apple’s enterprise/education channel into Apple Business Manager (Apple products purchased through the channel can be enrolled automatically with zero-touch configuration).
The iPhone app is incredibly simple. During the setup process, you point the iPhone camera at an animation on the Mac’s screen (much as you pair an Apple Watch) and that triggers the enrollment process.
The big change this year is that Apple has expanded Apple Configurator for iPhone to support iPad and iPhone enrollment using the same process, eliminating the need to connect devices to a Mac. This greatly reduces the time and effort required to enroll these devices. There is a caveat: devices that require cellular activation or have Activation Lock enabled must complete activation manually before Configurator can be used.
Identity management
Apple has made useful changes to identity management in the enterprise environment. Most importantly, it now supports additional identity providers, including Google Workspace and OAuth 2, which opens the door to a wider set of providers. (Azure AD was already supported.) These identity providers can be used to create managed Apple IDs for employees in Apple Business Manager.
The company also announced that support for single sign-on enrollment across its platforms will arrive this fall with macOS Ventura and iOS/iPadOS 16. The goal is to make user enrollment easier and more accessible, so that users only have to authenticate once. Apple also announced Platform Single Sign-On, an effort to extend and streamline access to enterprise apps and websites whenever users log in to their device(s).
Expanded per-app networking
Apple has long offered per-app VPN, which allows only certain enterprise or work-related apps to use an active VPN connection. This adds to VPN security while also limiting VPN load, because only specific apps’ traffic is sent over the VPN connection. With macOS Ventura and iOS/iPadOS 16, Apple is adding per-app DNS proxy and per-app web content filtering. These help secure the traffic of specific apps and functions in the same way per-app VPN does, and they require no changes to the apps. DNS proxy supports system-wide or per-app options, while content filtering supports a system-wide option or up to seven per-app instances.
eSIM provisioning
For iPhones that support eSIM, Apple is making it possible to configure and manage an eSIM through mobile device management (MDM) software. This can include provisioning a new device, transferring carriers, using multiple carriers, or configuration for travel and roaming.
Manage accessibility settings
Apple is known for its wide set of accessibility features for people with special needs. In fact, many people without special needs use some of these features too. In iOS/iPadOS 16, Apple allows MDM to automatically enable and configure a number of common features, including text size, VoiceOver, Zoom, Touch Accommodations, Bold Text, Reduce Motion, Increase Contrast, and Reduce Transparency. This will be a welcome tool in special education or hospital and healthcare settings where devices are shared among users with special needs.
What’s new in Apple’s declarative management?
Apple unveiled declarative management last year as an improvement over its original MDM protocol. Its great advantage is that it moves much of the business logic, policy and management from the MDM service to each device. As a result, devices can actively monitor their own status. This eliminates the need for MDM services to constantly poll their devices for status and then issue commands in response. Instead, devices make those changes themselves based on their current status and the declarations sent to them, and report back to the service.
Declarative management relies on declarations that contain items such as activations and configurations. One advantage is that a declaration can include multiple configurations as well as activations that indicate whether and when a configuration should be activated. This means a single declaration can include all configurations for all users, along with activations that indicate which users they apply to. This reduces the need for a large set of different configurations, because the device itself can determine which ones should be enabled based on the device’s user.
This year, Apple has expanded where declarative management can be used. Initially, it was only available on iOS/iPadOS 15 devices that used User Enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 will be supported, regardless of enrollment type. This means Device Enrollment (including supervised devices) is supported across the board, as is Shared iPad (a type of enrollment that allows multiple users to share the same iPad, each with their own configuration and files).
The company has made it clear that declarative management is the future of Apple device management and that any new management features will only be introduced for the declarative model. Although traditional MDM will be available indefinitely, it has been deprecated and will eventually be retired.
This is the main effect for devices already in use. Devices that do not run macOS Ventura or iOS/iPadOS 16 will eventually be left behind and will need to be replaced with ones the service supports. Because of that loss of support, this can be a costly transition for some companies. Although it is not immediate, you should begin to determine the size and cost of your conversion and how you will handle it (especially since it will probably require a move to Apple Silicon, which does not support Windows or Windows apps, in the process).
In addition to expanding which devices can use declarative management, Apple has expanded its functionality, including support for passcode configuration, enterprise accounts, and MDM-driven app installation.
The passcode option is more involved than simply requiring a specific type of passcode. Passcode compliance has traditionally been required before certain security-related configurations, such as a corporate Wi-Fi configuration, could be sent to a device. In the declarative model, those configurations can be sent to the device before the passcode is set. They are sent together with the passcode requirement and include an activation that only takes effect once the user creates a passcode that complies with that policy. Once the user sets a passcode, the device detects the change, enables the Wi-Fi configuration immediately without multiple round trips to the MDM service, and notifies the service that the configuration has been activated.
Accounts – which can include mail, notes, calendars, and subscribed calendars – work the same way. A declaration can specify all the types of accounts supported within the organization, as well as subscribed calendars. The device then determines, based on the user’s account and organizational role(s), which ones to activate and enable.
MDM app installation is one of the most significant additions to declarative management, since app installation is the task that places the greatest load on an MDM and becomes the biggest bottleneck during mass device activation (such as a large onboarding of new staff, a new device rollout, or the first day of school). Before a device is handed to its user, a declaration can specify every app that might be installed, and these are sent to the device during activation. Again, the device determines which app installation configurations to enable and make available based on the user. This avoids each device repeatedly asking the service for apps and their configurations. It also makes activating (or disabling) apps easier and faster when a user’s role changes.
It is easy to see why these are the first additions to declarative management after its initial rollout. There are still MDM capabilities that have not made the jump to declarative management, but it is clear that eventually – perhaps by next year – they will.
This is one of the most significant WWDC announcements for the enterprise, and it is good to see that Apple has been thoughtful in deciding which features to add or update, as most of them address areas that were difficult, time-consuming, resource-intensive or tedious. Apple is not only addressing the needs of enterprise customers, but also demonstrating that it understands those needs.
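As an added example (not Apple’s code and not from the original article), here is a small Python model of the device-side flow described in the passcode, accounts and app-installation passages above: the device, not the MDM server, evaluates activations against its own status items and enables the matching configurations. The declaration shape (Type/Identifier/Payload, the com.apple.activation.simple type, the passcode and legacy configuration types, and the passcode.is-compliant status item) follows Apple’s published format, but the predicate evaluator is a toy that understands only one expression form, and the profile URL is a placeholder.

```python
"""Simplified model of declarative management (added example, not Apple's code):
the device itself evaluates activations against its status and enables configurations."""
import re

# Only the `@status(key) == literal` predicate form is supported (an assumption).
PRED_RE = re.compile(r'^@status\(([\w.-]+)\)\s*==\s*(true|false|"[^"]*")$')

def evaluate_predicate(predicate, status):
    """Evaluate an activation predicate against the device's status item dictionary."""
    m = PRED_RE.match(predicate.strip())
    if not m:
        raise ValueError(f"unsupported predicate: {predicate}")
    key, literal = m.groups()
    expected = {"true": True, "false": False}.get(literal, literal.strip('"'))
    return status.get(key) == expected

def active_configurations(declarations, status):
    """Return identifiers of the configurations the device would enable right now."""
    known = {d["Identifier"] for d in declarations
             if d["Type"].startswith("com.apple.configuration.")}
    active = []
    for d in declarations:
        if d["Type"] != "com.apple.activation.simple":
            continue
        pred = d["Payload"].get("Predicate")
        if pred is None or evaluate_predicate(pred, status):
            active.extend(c for c in d["Payload"]["StandardConfigurations"] if c in known)
    return active

def newly_activated(declarations, before, after):
    """Configurations that switch on when status moves from `before` to `after`.
    This is the local reaction described above: no extra MDM round trip is needed."""
    was = set(active_configurations(declarations, before))
    return [c for c in active_configurations(declarations, after) if c not in was]

# Constructed declaration set: a passcode policy that is always active, and a legacy
# (profile-based) Wi-Fi configuration gated on the device reporting a compliant passcode.
DECLARATIONS = [
    {"Type": "com.apple.configuration.passcode.settings", "Identifier": "cfg.passcode",
     "Payload": {"RequirePasscode": True, "MinimumLength": 6}},
    {"Type": "com.apple.configuration.legacy", "Identifier": "cfg.wifi",
     "Payload": {"ProfileURL": "https://mdm.example.invalid/wifi.mobileconfig"}},  # placeholder
    {"Type": "com.apple.activation.simple", "Identifier": "act.always",
     "Payload": {"StandardConfigurations": ["cfg.passcode"]}},
    {"Type": "com.apple.activation.simple", "Identifier": "act.after-passcode",
     "Payload": {"StandardConfigurations": ["cfg.wifi"],
                 "Predicate": '@status(passcode.is-compliant) == true'}},
]
```

Calling `newly_activated(DECLARATIONS, {"passcode.is-compliant": False}, {"passcode.is-compliant": True})` returns `['cfg.wifi']`: the Wi-Fi configuration was on the device all along and switches on the moment the passcode becomes compliant.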
Copyright © 2022 IDG Communications, Inc.