Well, it’s that time of year again! I am no stranger to writing about the things I like at WWDC, after writing a ton about Declarative Device Management, which I am still waiting for Workspace ONE to implement. I also last recapped WWDC in 2019. This year, my focus is primarily on capabilities within the enterprise, because Apple made some really interesting ones that I am dying to tell you all about! Let’s get started and cover 7 things that I think will shape the next year in Unified Endpoint Management.
Something that can be a little painful at times is the login process on MacOS. Sure, it has come a LONG way from the world of AD binds and all that fun stuff. It’s even come a LONG way from Enterprise Connect (may you rest in peace, old friend), but it could still be better. Enter Platform SSO!
A HUGE announcement made today is the availability of Platform SSO in MacOS Ventura. The idea is simple and quite familiar: log in at the login window and watch that authentication be delegated to the entire platform. Not to mention this signals the inevitable death of mobile accounts:
Yeah, it’s pretty cool. From an authentication experience standpoint, the idea is:
- User initially logs on with their local account password.
- All future attempts will use their IDP password to unlock their device.
- SSO tokens are retrieved and shared with the extension via the Login keychain.
- Password changes are validated by the IDP on unlock.
- Platform SSO supports password authentication or Secure Enclave-backed keys to authenticate with the IDP.
- The IDP is only talked to when retrieving SSO tokens or during password changes.
- Kerberos TGTs are also supported via the Kerberos extension after being imported from the credential cache.
One of the best things about Platform SSO is that it leverages OpenID and OAuth, which means WebView is not involved (thank god!). Identity Services are not used, and as I mentioned a few moments ago it is the modernization of mobile accounts and bound accounts.
One last point is that this technology doesn’t act as a gatekeeper that stops you from logging in, unlike other technologies. MDM capabilities are your best resort for handling that. The flow is below:
Enrollment SSO is a new and better way to make account-driven user enrollment even better. It is driven by a specific flow:
- Users will start by downloading a special Enrollment SSO application to their device.
- It is powered by the app’s built-in SSO extension, which provides a native app authentication experience with any SSO technology.
- This powers the bridge where you sign in a SINGLE time for the entire user enrollment flow, leveraging SSO tokens.
The building blocks are simple. It just needs:
- The application developer updates their app to support Enrollment SSO.
- The MDM provider federates the enrollment authentication via the IDP.
- Managed Apple IDs are set up in ABM to power things.
- MDM servers are configured to return a URL to the JSON document in the authentication response header.
When beginning the authentication flow, you will find an HTTP header present that shows the environment supports Enrollment SSO:
The client then uses that URL to download the JSON document, which looks like this in production (you will notice it highlights the domains, the iTunes Store ID of the Enrollment SSO application, associated domains, and an extensible SSO profile in base64; it will also support certificates):
New Capabilities for Apple Configurator
This one is not particularly long, but I might be more excited for this one than most.
We can now FINALLY use the mobile Apple Configurator app to add iPhones and iPads to Apple Business Manager without the long, nonsensical approach we have been using for years! Yeah, that’s it, but this one is such a lifesaver.
MacOS Patching Changes at WWDC
A dire need for MacOS is better patching, especially when compared with Windows. MacOS is finally focusing more on deployment and enforcement in Ventura.
Dealing with Macs that Need a Nap
One of the big issues is that many tasks do not work when a Mac is in sleep or Power Nap mode. Three of the items they focus on, which will now work in those sleepy-time scenarios, are:
- ScheduleOSUpdate (schedules the update of the OS)
- OSUpdateStatus (gets the status of an update)
- AvailableOSUpdate (provides a list of available OS updates)
Additionally, they are adding a new key called “priority”, used with the ScheduleOSUpdate command, with options of “high” or “low”. The neat thing is that when you set it to “high” it essentially behaves as if the user had hit the update button themselves.
Dealing with Pesky Users Avoiding Updates
Those sneaky, sneaky users! MacOS Ventura will now let you use a nice Windows staple: deferrals:
You can now set the maximum number of installs, as you can see above in the results of the OSUpdateStatus command. The user notification looks like this:
The third of the great new features is Rapid Security Response, a new capability that lets Apple ship critical security fixes much faster than ever before. Users can disable the feature, but we do have some nice configuration keys to stop that. You can disable installation or removal of Rapid Security Responses with the keys below:
Huge Enhancements for Per-App Networking on iOS
I have become a huge proponent of Per-App VPN over the years. Something I am very excited about is the next evolution of that concept. Now, you can deliver DNS Proxy and Web Content Filters at the per-app level, securing an app’s traffic just like Per-App VPN does. The payload looks like this:
You can deliver these payloads either via Install Application or Send Configuration. The good news is that app developers don’t need to change anything, so this should be available right away!
A few takeaways that I picked up on were:
- DNS Proxy supports either system-wide or per-app settings, not both. You can’t mix them!
- Web Content Filters will support seven per-app settings and one system-wide setting.
The interesting question to me is whether this will come to MacOS at some point and how it plays with MTDs. It might be compelling to see if you could use a web content filter like Microsoft Defender for Endpoint or CrowdStrike.
What’s New in Declarative Device Management
Last year, I covered DDM. I am so happy to announce that some huge changes have hit Declarative Device Management this year. I can safely say it has finally arrived. No longer can we avoid DDM!
Just to refresh your memory, DDM:
The idea behind Declarative Device Management (DDM) is similar to how VMware Horizon can let a device locally process video for Microsoft Teams, “sort of.” DDM enables a device by making it autonomous and proactive. By leveraging the existing MDM protocols, DDM increases performance and scalability.
DDM empowers a mobile device by letting it react to its own state changes. The iOS device can now run more lightweight and reactively, eliminating constant MDM polling. The device will now be:
| Characteristic | How it Helps | Some Thoughts |
| --- | --- | --- |
| Autonomous | Reacts to its own state changes and applies logic to itself without the server telling it to do something | Devices can now potentially act when offline based on predicates (more on that later). |
| Proactive | The status channel asynchronously reports to the server when state changes happen, eliminating the need for constant polling | This could be a huge game changer. I expect this will improve battery life and help MDM samples update far faster than ever before. |
Changes to DDM Scope
Apple announced that all new protocol features will be focused on DDM, which makes adopting it essential. The first HUGE announcement is that Declarative Device Management is NOW supported on all device enrollment types, including Shared iPad.
Not just iOS, however: all Apple platforms now support DDM:
Additionally, Apple is improving the experience of viewing device configurations from within the settings menu:
Status Reports on DDM
Today, devices can already report subscribed status items to your MDM server; these reports are reliable and enable proactivity. This is the lifeblood of DDM.
In iOS 16, Status Reports are growing further:
Passcode Status Reports
Let’s discuss how it’s changing:
- There is currently a lag between a passcode being pushed and being fully applied/compliant, which is a normal thing today. The passcode status items “passcode.is-compliant” and “passcode.is-present” have boolean values that now eliminate that compliance lag.
With these status reports you will be able to deliver the passcode and other payloads like Wi-Fi or VPN simultaneously. The Wi-Fi/VPN payload will be completely reliant on a compliant passcode first being present:
Account Status Reports
This release introduces 8 new status items for accounts:
The JSON of one of these status items looks like this:
Status items now also include array values, which allow you to report multiple items together. The great thing about them is that they report changes incrementally to maximize performance, which relies on identifiers within each object. An example of the array can be seen below:
These changes, as mentioned, can be seen here as we make changes, and the device updates them gracefully:
The good news is that they also throttle status changes for these arrays to ensure performance is optimal.
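To make the incremental-reporting idea concrete, here is an added example written for this post (not Apple’s or any UEM vendor’s code). It assumes that each element of an array-valued status item carries an `identifier` field, as the text above describes, and models two things: reporting only the entries that were added, removed or changed rather than the whole array, and throttling a burst of changes into a single net report. The account entries in the sample data are constructed.

```python
"""Identifier-keyed incremental status reports (illustration, not Apple's code)."""
import json

# Constructed sample: three successive snapshots of an array-valued status item.
# Each element is identified by its "identifier" field (assumption for this model).
PREVIOUS = [
    {"identifier": "acct-1", "type": "mail", "state": "active"},
    {"identifier": "acct-2", "type": "caldav", "state": "active"},
]
INTERMEDIATE = [  # acct-2 is disabled briefly before it disappears
    {"identifier": "acct-1", "type": "mail", "state": "active"},
    {"identifier": "acct-2", "type": "caldav", "state": "disabled"},
]
CURRENT = [
    {"identifier": "acct-1", "type": "mail", "state": "disabled"},
    {"identifier": "acct-3", "type": "carddav", "state": "active"},
]


def diff_by_identifier(previous, current):
    """Return only the entries that differ between two snapshots, keyed by identifier."""
    prev = {item["identifier"]: item for item in previous}
    curr = {item["identifier"]: item for item in current}
    return {
        "added": [curr[i] for i in sorted(curr.keys() - prev.keys())],
        "removed": sorted(prev.keys() - curr.keys()),
        "changed": [curr[i] for i in sorted(curr.keys() & prev.keys()) if curr[i] != prev[i]],
    }


def is_empty(report):
    """True when a report carries no changes (nothing worth sending)."""
    return not (report["added"] or report["removed"] or report["changed"])


def throttled_report(baseline, snapshots):
    """Collapse a burst of snapshots into one net report against the baseline.

    This stands in for throttling: intermediate states that were superseded
    within the burst are never sent, only the net difference is.
    """
    if not snapshots:
        return None
    report = diff_by_identifier(baseline, snapshots[-1])
    report["suppressed"] = len(snapshots) - 1  # intermediate reports not sent
    return report


def render(report):
    """Serialize a report the way a status channel payload might carry it."""
    return json.dumps(report, indent=2, sort_keys=True)


if __name__ == "__main__":
    print("single incremental report:")
    print(render(diff_by_identifier(PREVIOUS, CURRENT)))
    print("throttled report over a burst:")
    print(render(throttled_report(PREVIOUS, [INTERMEDIATE, CURRENT])))
```

Note that the throttled report never mentions the transient “disabled” state of `acct-2`: by the time the burst settles, that account is simply gone, so only its removal is reported.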
Application Status Reports
With DDM, servers no longer need to poll devices. Devices will now proactively send app install state via status reports. The MDM app status item looks like this:
The scope, even on supervised devices, is limited to managed apps pushed down via MDM. You can see the state is communicated proactively from the device:
It will then transition to installing:
Once completed, it will show it’s managed:
Even if someone manually removes the app, it will show the app is no longer installed, but the management state is still stored on the device:
Changes to Activation Predicates
Activation predicates, as you may recall, determine whether a configuration is applied, and they can reference status items. Activations are always re-evaluated when status items change.
Now, Apple is introducing new syntax via the extension term @status, e.g.:
@status(device.identifier.serial-number) == "ABC-XYZ"
These new terms help activations adapt and work more effectively. They also help with predicating activations on an array, like this:
Along the same lines, they have added a new declaration called management properties:
The new management properties declaration is a huge game-changer.
We can now preload declarations ahead of time. Activations are predicated on those management properties, which means servers only need to send management properties, and that creates a ton of efficiency. You no longer need to add/remove profiles and entitlements, which leads to sluggish behavior. This is now much simpler and more efficient.
First, when those configurations are pushed to a new device, the properties will initially be set to false:
Once the management properties declaration is sent to the device, it re-evaluates and installs exactly what is needed:
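The following is an added example, written for this post, that models how a device re-evaluates activations locally when status items or management properties change. It covers both the passcode-gated Wi-Fi case from the status report section above and the management properties flow described here. It is not Apple’s implementation: the real predicate language is richer than this, and this toy only understands `@status(key) == literal` terms joined by `&&`. How the real language refers to management properties is not shown on this page, so this model simply stores them as extra keys under a constructed `management.properties.` prefix in the same lookup table. All identifiers, activation names and the serial number are constructed.

```python
"""Toy DDM activation re-evaluation over status items (illustration, not Apple's code)."""
import re

# One clause of the simplified predicate language: @status(key) == "str" | true | false | int
TERM = re.compile(r'@status\(([\w.\-]+)\)\s*==\s*("[^"]*"|true|false|\d+)')


def parse_literal(text):
    """Turn the right-hand side of a clause into a Python value."""
    if text.startswith('"'):
        return text[1:-1]
    if text in ("true", "false"):
        return text == "true"
    return int(text)


def evaluate(predicate, status):
    """Evaluate `@status(key) == literal` clauses joined by && against a status table."""
    result = True
    for clause in predicate.split("&&"):
        match = TERM.fullmatch(clause.strip())
        if not match:
            raise ValueError(f"unsupported clause: {clause!r}")
        key, literal = match.groups()
        # A status item that has never been reported never matches (None != any literal).
        result = result and status.get(key) == parse_literal(literal)
    return result


class Device:
    """Holds status items and decides, on its own, which configurations are active."""

    def __init__(self, activations, status):
        self.activations = activations
        self.status = dict(status)
        self.active = self._evaluate_all()

    def _evaluate_all(self):
        active = set()
        for activation in self.activations:
            if evaluate(activation["predicate"], self.status):
                active.update(activation["configurations"])
        return active

    def apply_status_update(self, changes):
        """Merge changed status items, re-evaluate every activation, report the delta."""
        self.status.update(changes)
        before, self.active = self.active, self._evaluate_all()
        return {"install": sorted(self.active - before), "remove": sorted(before - self.active)}


# Constructed activations: a baseline keyed on the serial number, Wi-Fi gated on a
# compliant passcode, and an engineering VPN gated on a management property.
ACTIVATIONS = [
    {"identifier": "act-baseline",
     "predicate": '@status(device.identifier.serial-number) == "ABC-XYZ"',
     "configurations": ["cfg-baseline"]},
    {"identifier": "act-wifi",
     "predicate": '@status(passcode.is-present) == true && @status(passcode.is-compliant) == true',
     "configurations": ["cfg-wifi"]},
    {"identifier": "act-eng-vpn",
     "predicate": '@status(management.properties.department) == "engineering"',
     "configurations": ["cfg-vpn-eng"]},
]

# Constructed initial status of a freshly enrolled device: no passcode yet, and the
# management property not yet sent (so its predicate is false, as the post describes).
INITIAL_STATUS = {
    "device.identifier.serial-number": "ABC-XYZ",
    "passcode.is-present": False,
    "passcode.is-compliant": False,
}


def walkthrough():
    """Replay the lifecycle: passcode set, management property sent, passcode removed."""
    device = Device(ACTIVATIONS, INITIAL_STATUS)
    steps = [("enrolled", {"install": sorted(device.active), "remove": []})]
    steps.append(("passcode set", device.apply_status_update(
        {"passcode.is-present": True, "passcode.is-compliant": True})))
    steps.append(("management property sent", device.apply_status_update(
        {"management.properties.department": "engineering"})))
    steps.append(("passcode removed", device.apply_status_update(
        {"passcode.is-present": False, "passcode.is-compliant": False})))
    return steps


if __name__ == "__main__":
    for label, delta in walkthrough():
        print(f"{label}: {delta}")
```

The point to notice is that no server round trip happens inside `apply_status_update`: the device already holds every declaration, and a single changed status item (or a newly delivered management property) is enough for it to install or remove the affected configurations itself.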
New MDM Capabilities Introduced at WWDC
It wouldn’t be WWDC without discussing the new capabilities coming to MDM. The good news is we aren’t losing anything! Let’s cover what’s new on both platforms.
New MDM Capabilities for iOS
The new MDM capabilities are below for iOS:
- Cellular Payload Updates for XLAT464
- Introducing Automated Certificate Management Environment (ACME)
- Updates to Self Signed Certificates
- Allowing Mail Privacy Protection
- Allowing Automatic Screen Saver for tvOS
- Controls around Rapid Security Response for iOS
- MDM support for certain accessibility keys
They are also updating some of the MDM commands in various ways:
- Letting you query certain accessibility settings
- Adding data to application lists to know if something is a Web Clip
- Shared Device Configuration Settings
- Data around DNS Proxy and Content Filter Integrations
New MDM Capabilities for MacOS
The full set of features they announced, outside of the items I already covered, is below:
- Ability to automatically allow signed software or built-in software through the MacOS Firewall (AllowSigned, AllowSignedApp)
- They deprecated the SystemPreferences key, so we still need to learn more there
- Ability to block USB Restricted Mode
- Blocking Universal Control
- Allow UI Configuration Profile Installations
- Ability to skip Terms of Address during Setup Assistant
- MDM friendly migrations
Clearly, WWDC offers interesting ideas for elevating your iOS and MacOS environments. Apple is continuing to drive deeper integrations into security and get ahead of issues. I can really appreciate how they’re taking MacOS and making it more enterprise grade. I often find myself conflicted as an Enterprise Architect by the lack of enterprise features in the core OS itself, but their commitment to security makes me happy. The biggest announcement for me, by far, is Declarative Device Management being extended to all platforms and enrollment types. This is going to elevate the management and effectiveness of mobile devices.
The main question is how UEM vendors will respond. Over the last few years, I have found a major trend where UEM vendors aren’t delivering new features quickly enough. Sure, Apple makes it challenging with some of their core concepts like DDM, but you have to deliver! I think the lift this year is much easier. We need to see these new MacOS enhancements on Day 0. My belief is that with Ventura we can finally drive more companies to consider the choice program and empower the user experience better than ever before!