I’m back again this year just like I was last year to discuss WWDC! This year, I’ve decided to hit on two topics in detail in Part 1 vs. what I usually do. This week we will discuss the new capabilities that have hit MDM, discussing “What’s new in managing Apple Devices” and “Do more with Managed Apple IDs”. I guess we’ll cover a few other areas in part two that I know you want to know all about too! We’ll discuss the new passkeys with “Deploy passkeys at work” and “Explore advances in Declarative Device Management” as well. One final thing we will briefly touch on is managing Apple Watches! I know I’m crazy!

So what is NEW in Apple Device Management?

Let’s start by covering what is coming to MacOS 14.

The New Stuff with MacOS 14 Management

Automated device enrollments have introduced a few things:

• You can now enforce FileVault during the setup assistant. Admins can even decide whether they want to show the recovery key or not along with key escrow is still possible.
• Require minimum OS versions. When you don’t meet the requirements it will HTTP/403 back “Forbidden” with a nice guide to update the OS and deliver automatic restarts.
• Enforced Automated Device Enrollment once connected to the network. This allows you to postpone enrollment by 8 hours with a “not now” capability.

• Platform SSO (which I’m not sure if anyone besides Okta implemented when it came out for MacOS 13) now supports local user JIT creation leveraging the new UseSharedDeviceKeys.
  • Requires the device to be online, at login window with FileVault unlocked, and MDM must support Bootstrap Tokens
  • Requires username/password or SmartCards.
• SmartCards are now supported on MacOS.
• Group management and network authorization lets you now use IDP groups to deliver standard/admin permissions.
  • Network authorization will let you use non-local users at authorization prompts via the IDP group mappings
  • Exceptions: Current user/SecureToken or ownership rights

• Password policies can now be delivered as regular expressions if needed.
• Password compliance management allowing compliance verification after a password has been set. Notifications even occur during active log-in sessions.
• Password change notification prompts occur at every logon

• System Settings management can now prevent several settings modifications at a granular level:
  • Apple ID login and Internet Accounts
  • Adding local-user accounts
  • Device name
  • Fingerprints for Touch ID
  • Individual sharing services
  • Siri
  • Startup disk
  • Time Machine
• Managed Device Attestation is NOW on MacOS (Get that done Okta!)
  • DeviceInformation and ACME attestation available
  • Supports hardware-bound keys
    • Stored in the data protection keychain
    • Supports VPN, 802.1x, Kerberos, Exchange, and MDM
  • New attestation properties for Apple Silicon that are coming are SIP status, Secure Boot, and 3rd-party KEXTs (which should be huge for vendors like Okta)
  • LLB (Low Level Bootstrap) version, OS version, Secure Enclave Enrollment ID, and Software Update Device ID will be coming as well as properties to help baseline the device’s identity.

In general, many MacOS Management Updates are coming:

MacOS Application Management Changes

A huge announcement is that application management packages can now contain multiple apps. An interesting development is that only apps installed in /Applications can be considered managed now. Anything outside of that location is not considered managed.

The New Stuff with iOS/iPadOS Management

Return to Service is a new HUGE capability. Let’s discuss how it works:

1. MDM sends the EraseDevice command
2. Device triggers a reset
3. All data is securely erased
4. Device connects to WiFi
5. Device connects to MDM and returns to lock screen

The components of the ReturntoService dictionary includes network settings and enrollment profile. It will use the previous localization capabilities.

Another very cool feature is the new easy student sign-in where a teacher can help a student login in incredibly easily/quickly:

The requirements are:

• Teacher and student in the same ASM location
• Local proximity (duh!)
• Students have authorized teacher on personal devices

Shared iPads also have some cool new capabilities. The new “AwaitUserConfiguration” key lets you keep a user waiting until the device is fully configured before giving access.

Other features are:

• SkipLanguageAndLocaleSetupforNewUsers for skipping language and local setup during setup wizard
• Configuring a quote for temp users on the Shared iPad

iPhone and iPad can now support private LTE, standalone and non-standalone 5G networks. With that, you can also leverage power efficient activation of private-network SIM based on geographic location. Devices can intelligently select between private and public-network SIMs and even prefer cellular over Wi-Fi.

5G network slicing is also now available, where you can configure managed apps to use specific 5G network slice. It’s mutually exclusive with VPN configurations.

The overall management updates are below:

We also have some newly announced deprecations. Note a bunch of additional items being moved to supervision. You also will no longer be able to block many iCloud features without Managed Apple IDs:

The Relay Network Extension

The new relay network extension is a new alternative letting you access enterprise resources without a VPN. It’s also compatible with the iCloud Private Relay. This lets you protect network traffic.

This is basically the next generation of the proxy profiles, which provides a performance-optimized connection to your enterprise resources. It appears there will be a major focus on SASE and Cisco has already jumped on board.

The various proxy types it supports (which includes legacy are):

• MASQUE Relays
• Oblivious HTTP
• Secure HTTP CONNECT
• HTTP CONNECT
• SOCKSv5

Some of the benefits over traditional VPN here are modern access to resources, eliminating complex session negotiation, tunnels, and IP assignments. It’s also exciting to learn they will support per-app and per-domain as well.

Apple Configurator Changes

Now, new shortcut actions are coming to MacOS.

You will now be able to create shortcut actions for update, restore, erase, and prepare. You can run these on attach or detach. This really powers amazing automations and speed.

The hope is that MDM providers will implement shortcuts to send commands to devices like:

• Update inventory
• Install app
• Restart/Shutdown
• Interact with the MDM server for adding devices to a group and updating attributes

Doing More with Managed Apple IDs

I think arguably the think I’m the most excited about are the advancements with Managed Apple IDs. They’re focusing on 3 specific areas with features/enrollment, access management, and identity providers.

Managed Apple IDs Features and Enrollment

The main capability they’re adding is support for additional apps for managed/separation of data:

They will also be extending a few more features for managed Apple IDs like:

• iCloud Keychain for Managed Apple IDs
• Wallet for Managed Apple IDs
• Continuity for Managed Apple IDs (specifically):
  • Auto Unlock
  • iPhone Cellular Calls
  • Apple Pay
  • Continuity Camera
  • AirDrop
  • Handoff
  • Universal Control
  • AirPlay to Mac
  • Sidecar
  • Continuity Markup
  • Instant Hotspot
  • Text Message Forwarding
  • Continuity Sketch
  • Universal Clipboard

Account-driven Device Enrollment (ADDE)

Account-driven Device Enrollment is a huge deal. One of the main issues with User Enrollment was severe limitations with profile supportability. Now, with ADDE you will get most of your profiles available and the ability to capitalize on things like declarative device management.

Additionally, they are bringing both UE and ADDE to MacOS now, which should be really interesting and a nice unification of strategy:

For those interested, the payload code for ADDE looks like this:

Managed Apple IDs Access Management

The new capabilities in Access Management have been huge items for a long long time!

Now, we’re going to be able to finally set access policies, control sign-in based on the level of management, and even DISABLE ACCESS to iCloud.

Yeah, its crazy!

You can now restrict the types of devices that can use Managed Apple IDs, like managed devices or supervised devices:

You can also manage access to stuff like Messages and FaceTime:

But wait there’s more! You can now also manage access to iCloud for ANY app or service supported for Managed Apple IDs. This now requires the MDM to implement a new Check-in request message type called GetToken:

The neat part about it is the device will automatically sign out when it doesn’t comply with your policy.

Managed Apple IDs Changes to Identity

Let’s all say it together: OKTA IS COMING TO MANAGED APPLE IDs!

Thank whatever god you worship as that is something many of us have been dying to hear.

With that, custom identity providers are now coming to Managed Apple IDs, which lets you extend the identity integrations in Apple Business Manager/School Manager beyond just Google and Azure.

It requires that your IDP supports 3 specific specs:

• OpenID Connect for federated authentication
• SCIM for DirSync
• OpenID Shared Signals Framework for account security events

This should be pretty achievable for most good IDPs out there, which is such great news as we all desire to move toward a world of declarative device management.

To be Continued…

It’s hard holding off on the other 3 topics, which are really exciting with Apple Watch management, declarative device management, and passkeys, but there’s just too much exciting content. So a few thoughts to leave you with.

Given the huge footprint of Okta, the advancements of Managed Apple IDs are really the star of the show with ADDE a close second. Arguably, this one of the biggest WWDCs for MDM in a long time. I’m also super excited for Return to Service, which is something we all need desperately. It’s similar to the “Enterprise Reset” that Workspace ONE is using for Windows devices and will be a big help to retail and manufacturing industries.

The one that is a real wildcard for me is the relay network extension. Admittedly, I don’t know a ton about relay networks but I’ll be interested to see if other SASEs like Prisma and VMware SASE can leverage this new spec that focuses heavily on performance. We can all agree that a less crappy version of VPN is good for everyone. See everyone soon with part two!!