Written by: Kyle Hoare (Senior Mac Integration Engineer)
This year’s Apple Worldwide Developer Conference (WWDC) was filled with announcements and first-looks for upcoming software releases that promise to benefit every business, no matter its size. So now with WWDC 2021 behind us, we take a look at what Apple has planned for the year ahead in the space of device management.
Improved User Enrolment Functionality
User enrolment is designed for Bring Your Own Device (BYOD) deployment scenarios, where the user, not the organisation, owns the device. As a refresher, three main components form the basis of user enrolment:
- Managed Apple ID – these are owned by the business and are created in Apple Business Manager or Apple School Manager. They allow users to authenticate with their existing business credentials.
- Data separation – a separate APFS volume, protected by its own cryptographic keys, is created during enrolment to keep data from managed apps and managed accounts separate from personal content.
- Management capabilities – the available restrictions are limited to those appropriate for controlling the business's content on the device. This is critical in protecting the privacy of the user on their personal device.
With iOS 15, Apple announced a new onboarding flow that streamlines user enrolment for both users and administrators. The new flow uses the user's organisation identity as the entry point, which adds a layer of security during enrolment: the Mobile Device Management (MDM) server verifies the user before the MDM profile is downloaded to the device and before any organisation data is sent to it. The MDM server can also require the user to reauthenticate with their credentials at any later point.
With data becoming ever more valuable to organisations and the mobile workforce continuing to grow, these changes to user enrolment improve the user's privacy while ensuring the company's data remains protected on personally owned devices.
Apple Configurator is Coming to iPhone
Before WWDC 2021, the only way to have Macs appear in Apple Business Manager or Apple School Manager was to buy them from Apple or an authorised reseller such as Mac Centre. This has now changed. Apple announced that Macs with a T2 chip or Apple silicon running macOS Monterey can be added to Apple Business/School Manager regardless of where they were purchased, using Apple Configurator on an iPhone running iOS 15.
To do this, the Mac must be at the Setup Assistant screen. The admin holds up the iPhone running Apple Configurator, an animation appears on the Mac's screen, and the admin points the iPhone's camera at it. A message confirms that the pairing was successful, and that's it: the Mac has been added to the organisation's Apple Business/School Manager.
As with iOS devices added this way, admins then need to assign the Mac to the correct MDM server in Apple Business/School Manager. Also as with iOS devices, there is a 30-day provisional period during which the user is presented with the option to release the device from Apple Business/School Manager. In environments with technically savvy users, or when managing devices for a school, admins should plan for that 30-day window to ensure devices remain in Apple Business/School Manager at all times.
Combined with Erase All Content and Settings for the Mac (covered below), this will improve the ongoing device management experience. This long-awaited feature makes a powerful combination for deploying and redeploying Macs with modern deployment methodologies.
Improved Software Update Management
Software updates are critical to every Apple user, as they deliver security enhancements (notarisation, and the sealed system volume introduced in macOS Big Sur) and enable the latest features on devices, so users are running the most current software.
In macOS 11.3 and later, admins can set separate deferral periods for major OS upgrades, minor OS updates and non-OS updates. Security (minor) updates can therefore be deployed quickly while major OS upgrades, which require in-depth testing and review before being pushed to production, are held back for longer.
Enforcing macOS versions has always been a challenge for macadmins. Now that update enforcement is built into the OS and the MDM framework, complicated scripts to manage it become a thing of the past. The MDM server can schedule an update with a limit on user deferrals: the user receives a macOS notification offering to update now, defer until tomorrow or install tonight. If the user picks tonight, the device uses machine learning about its usage patterns to decide when to install; if it is connected to power, this will typically happen between 2am and 4am.
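As an added illustration of the two mechanisms above (not code from the original article, Apple or Mac Centre), the following builds the `com.apple.applicationaccess` restriction keys macOS 11.3 introduced, with the old single-deferral profile beside the granular one, and a `ScheduleOSUpdate` command with `MaxUserDeferrals`. The payload identifier, display names and the `11.4` version string are placeholders; the key names and the 1–90 day range follow Apple's MDM reference.

```python
"""Software update deferral restrictions (macOS 11.3+) and a ScheduleOSUpdate
command, built the way an MDM server would. Added example, not Apple's code."""
import plistlib
import uuid

MAX_DEFERRAL_DAYS = 90  # Apple caps every deferral key at 90 days


def check_deferral_days(days):
    """Apple accepts 1..90 days for each deferral key."""
    if not 1 <= days <= MAX_DEFERRAL_DAYS:
        raise ValueError(f"deferral must be 1..{MAX_DEFERRAL_DAYS} days, got {days}")
    return days


def legacy_deferral(days):
    """Pre-11.3 style: one delay for every update type, so a 90-day hold on
    major upgrades also holds back security point releases."""
    return {
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateDelay": check_deferral_days(days),
    }


def granular_deferral(major_days, minor_days, non_os_days):
    """macOS 11.3+: separate delays for major upgrades, minor/security updates
    and non-OS updates. Each delay key needs its force* switch set to true."""
    return {
        "forceDelayedMajorSoftwareUpdates": True,
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": check_deferral_days(major_days),
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": check_deferral_days(minor_days),
        "forceDelayedAppSoftwareUpdates": True,
        "enforcedSoftwareUpdateNonOSDeferredInstallDelay": check_deferral_days(non_os_days),
    }


def restrictions_profile(restrictions, identifier="com.example.softwareupdate"):
    """Wrap restriction keys in a com.apple.applicationaccess payload inside a
    configuration profile. The identifier is a placeholder."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Software Update Deferrals",
    }
    payload.update(restrictions)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Software Update Deferrals",
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }


def schedule_os_update(product_version, max_user_deferrals=3):
    """ScheduleOSUpdate with InstallLater: the user gets the now / tonight /
    tomorrow notification, and MaxUserDeferrals caps how often they can push
    it back before the install is enforced."""
    return {
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {
            "RequestType": "ScheduleOSUpdate",
            "Updates": [{
                "ProductVersion": product_version,
                "InstallAction": "InstallLater",
                "MaxUserDeferrals": max_user_deferrals,
            }],
        },
    }


def to_plist(obj):
    """Serialise to the XML plist carried by the MDM protocol."""
    return plistlib.dumps(obj).decode()


if __name__ == "__main__":
    weak = restrictions_profile(legacy_deferral(90))          # delays security fixes too
    better = restrictions_profile(granular_deferral(90, 7, 3))  # long hold on majors only
    print(to_plist(weak))
    print(to_plist(better))
    print(to_plist(schedule_os_update("11.4", max_user_deferrals=3)))
```

The weak profile is the trap the article warns about: a single 90-day deferral chosen for major upgrades also keeps the fleet off point releases for 90 days. The granular profile keeps the long hold for majors while letting minor and non-OS updates through within days.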
iOS 15 brings more granular control over which updates users are presented with. In the past users were only offered one option, the latest version of iOS, so they were forced onto the next major release. With iOS 15, users can be given two options when a major update is available: for example, move to iOS 15.0, or stay on iOS 14 and install iOS 14.6.
As part of this enhancement, MDM servers will also be able to configure what the user sees: only the minor updates, only the major update, or both. This helps ensure iOS fleets always have the latest security updates without first having to test and prepare the latest major version of iOS for mass rollout.
New with iOS 15 & iPadOS 15
Apple has made significant changes to the way users view their managed accounts, the profiles installed on the device, and how VPN is configured.
Apple announced it is providing a single place to display the device's management state by combining VPN and Device Management under one menu in Settings. End users will get a complete picture of their device and how it is being managed at first glance.
So what's new for unsupervised devices? Currently, users on BYOD devices can decline any app installation. This is risky for businesses that require employees to use a critical app, so imagine having more control over this.
Moving forward, companies will, thanks to the new required app feature. Required app allows a business to select one app to be installed on unsupervised devices; the MDM server can deploy it without prompting the user for permission to install. This is limited to a single application, and the end user consents to its installation during user enrolment.
Protecting business data between apps will continue to be a focus with managed open-in, which lets the MDM solution control whether data may enter or leave the managed sphere. iOS 15 adds a new restriction that extends managed open-in to copy and paste, known as managed pasteboard. When enabled, copy and paste honour the managed open-in restrictions, including for system apps. Users will still see the Paste button, but the paste will be blocked and the user notified when they select it.
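To make the managed open-in and managed pasteboard rules concrete, here is an added example (not from the article or Apple) that writes the relevant `com.apple.applicationaccess` keys, a permissive profile beside a hardened one, and models the allow/deny decision for each direction of data flow over both channels. The decision functions are this article's reading of the documented behaviour, not Apple's code; the payload identifier and UUID are placeholders.

```python
"""Managed open-in and managed pasteboard (iOS 15) restriction keys, with a
model of the per-flow decision. Added example, not Apple's code."""
import plistlib

# Restriction keys in the com.apple.applicationaccess payload.
PERMISSIVE = {
    "allowOpenFromManagedToUnmanaged": True,
    "allowOpenFromUnmanagedToManaged": True,
    "requireManagedPasteboard": False,   # copy/paste ignores the two keys above
}

HARDENED = {
    "allowOpenFromManagedToUnmanaged": False,  # corporate data stays in managed apps
    "allowOpenFromUnmanagedToManaged": True,   # personal -> corporate is still fine
    "requireManagedPasteboard": True,          # copy/paste follows the same rules
}


def open_in_allowed(restrictions, src_managed, dst_managed):
    """Document/share flow between two apps: allowed unless it crosses the
    management boundary in a direction the profile blocks."""
    if src_managed == dst_managed:
        return True
    if src_managed and not dst_managed:
        return restrictions.get("allowOpenFromManagedToUnmanaged", True)
    return restrictions.get("allowOpenFromUnmanagedToManaged", True)


def paste_allowed(restrictions, src_managed, dst_managed):
    """Pasteboard flow: only governed by managed open-in once
    requireManagedPasteboard is true. iOS still shows the Paste button and
    notifies the user when the paste is blocked; this only models the decision."""
    if not restrictions.get("requireManagedPasteboard", False):
        return True
    return open_in_allowed(restrictions, src_managed, dst_managed)


def flow_matrix(restrictions):
    """All (source, destination) pairs for both channels, useful for a change
    review before pushing the profile."""
    rows = {}
    for src in (True, False):
        for dst in (True, False):
            key = ("managed" if src else "personal", "managed" if dst else "personal")
            rows[key] = {
                "open_in": open_in_allowed(restrictions, src, dst),
                "paste": paste_allowed(restrictions, src, dst),
            }
    return rows


def restrictions_payload(restrictions):
    """com.apple.applicationaccess payload carrying the keys; identifier and
    UUID are placeholders."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.openin",
        "PayloadUUID": "00000000-1111-2222-3333-444444444444",
    }
    payload.update(restrictions)
    return plistlib.dumps(payload).decode()


if __name__ == "__main__":
    for name, profile in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name)
        for (src, dst), result in flow_matrix(profile).items():
            print(f"  {src:>8} -> {dst:<8} open-in={result['open_in']!s:5} paste={result['paste']}")
    print(restrictions_payload(HARDENED))
```

The matrix makes the gap visible: with the permissive profile, blocking managed-to-unmanaged open-in alone would still let a user copy text out of a managed mail client and paste it into a personal notes app; only `requireManagedPasteboard` closes that channel.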
Apple has also enhanced the Shared iPad experience for businesses with three new MDM keys:
- TemporarySessionOnly: restricts the device to temporary sessions, removing the ability to sign in with a Managed Apple ID.
- TemporarySessionTimeout: automatically logs a temporary session out after a set period of inactivity.
- UserSessionTimeout: does the same for Managed Apple ID sessions, ensuring data is protected once the user walks away.
In its opening statement at WWDC, Apple said that great device management depends on the balance between privacy, user agency and administrative control. With what was announced and demonstrated for iOS 15, that balance has been strengthened significantly.
System extensions allow software such as network extensions and endpoint security solutions to extend macOS without kernel-level access. In macOS 11.3, allow-listing a pending system extension via MDM enables it, and removing it from the allow list disables it. macOS Monterey adds removable system extensions via MDM, allowing an app to deactivate its own system extension when it uninstalls itself. This is handy in environments where users are not admins of their devices.
Kernel extensions still exist in Monterey; however, Apple has improved their management by notifying the user when a legacy system extension (kernel extension) is loaded. The user sees a restart notification, and clicking it performs a graceful restart during which the kernel extension cache (kextcache) is rebuilt.
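The following is an added example (not the article's, Apple's or any vendor's code) of the `com.apple.system-extension-policy` payload with Monterey's `RemovableSystemExtensions` dictionary, plus a consistency check an admin would want before pushing it. The team identifier, bundle IDs, payload identifier and UUID are placeholders; the check assumes the policy allow-lists extensions per bundle ID (it does not account for `AllowedSystemExtensionTypes` or `AllowedTeamIdentifiers`).

```python
"""System extension policy with RemovableSystemExtensions (macOS 12), and a
lint for removable entries that were never allow-listed. Added example."""
import plistlib
import re

TEAM_ID_RE = re.compile(r"^[A-Z0-9]{10}$")  # Apple team identifiers are 10 characters


def system_extension_policy(allowed, removable, allow_user_overrides=False):
    """allowed / removable map team ID -> list of extension bundle IDs.
    Extensions in `allowed` load without the user approving them in
    Security & Privacy; those in `removable` may be deactivated by their own
    app (e.g. on uninstall) even when the user is not an admin."""
    for team_id in set(allowed) | set(removable):
        if not TEAM_ID_RE.match(team_id):
            raise ValueError(f"bad team identifier: {team_id!r}")
    return {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sysext",                    # placeholder
        "PayloadUUID": "11111111-2222-3333-4444-555555555555",        # placeholder
        "AllowUserOverrides": allow_user_overrides,
        "AllowedSystemExtensions": allowed,
        "RemovableSystemExtensions": removable,
    }


def unlisted_removables(policy):
    """Removable extensions that are not allow-listed for the same team.
    Under a per-bundle policy they would never load, so the entry is dead
    configuration or a typo in a bundle ID. Returns [(team_id, bundle_id)]."""
    allowed = policy["AllowedSystemExtensions"]
    return [
        (team, bundle)
        for team, bundles in policy["RemovableSystemExtensions"].items()
        for bundle in bundles
        if bundle not in allowed.get(team, [])
    ]


def to_plist(policy):
    """XML plist form, as delivered inside a configuration profile."""
    return plistlib.dumps(policy).decode()


if __name__ == "__main__":
    # Constructed sample: a fictitious security agent with a network extension
    # and an endpoint security extension from the same (placeholder) team.
    policy = system_extension_policy(
        allowed={"ABCDE12345": ["com.example.agent.netext",
                                "com.example.agent.esext"]},
        removable={"ABCDE12345": ["com.example.agent.netext",
                                  "com.example.agent.esext"]},
    )
    print("unlisted removables:", unlisted_removables(policy))
    print(to_plist(policy))
```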
Exclusively on Apple silicon, the device lock command is enhanced: administrators can send a 6-digit PIN, a message and a phone number to the Mac, aligning it with the device lock command for iOS devices. The Mac reboots and displays the supplied information, and the user cannot use the device until the PIN has been entered.
This is a great start; however, Apple silicon Macs have lacked the ability to set a firmware password. Apple has added a recovery lock to the MDM framework, which sets a recovery password that acts similarly to a firmware password. This password can only be set and removed via the MDM server, and unenrolling the Mac removes it entirely. Another important note: the MDM server must know the existing recovery password to be able to set a new one. We should see this feature in macOS Monterey, though it could arrive earlier (macOS 11.5), as the commands are present in beta 3 of macOS 11.5.
Early in macOS Big Sur, it was clear that management features for Apple silicon and the transition from kernel extensions to system extensions still had a lot of room for improvement. Apple has listened to the macadmin community and is starting to close the gap between Intel and Apple silicon Macs.
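As an added example (not from the article or Apple), the helpers below show the MDM-server side of the two commands just described: a `DeviceLock` with the mandatory 6-digit PIN, and a small per-device store for the recovery lock password, since `SetRecoveryLock` must carry the current password and the server is the only party that can ever clear the lock. The store, the phone number and device UDIDs are constructed stand-ins; the command key names follow Apple's MDM reference.

```python
"""DeviceLock and SetRecoveryLock / VerifyRecoveryLock commands for Apple
silicon Macs, as an MDM server would issue them. Added example."""
import re
import uuid

PIN_RE = re.compile(r"^\d{6}$")


def new_command(body):
    """Wrap a command dictionary in the envelope the MDM protocol expects."""
    return {"CommandUUID": str(uuid.uuid4()).upper(), "Command": body}


def device_lock(pin, message, phone_number):
    """DeviceLock for a Mac. The PIN is the only way back in after the forced
    reboot, so the server must record it alongside the command."""
    if not PIN_RE.match(pin):
        raise ValueError("PIN must be exactly 6 digits")
    return new_command({
        "RequestType": "DeviceLock",
        "PIN": pin,
        "Message": message,
        "PhoneNumber": phone_number,
    })


class RecoveryLockStore:
    """Tracks the recovery lock password per device UDID. SetRecoveryLock
    requires the *current* password, so losing this record means the MDM can
    neither rotate nor remove the lock. In-memory stand-in for an MDM database."""

    def __init__(self):
        self._current = {}

    def current(self, udid):
        return self._current.get(udid, "")   # empty string: no lock set yet

    def set_command(self, udid, new_password):
        """Set or rotate the recovery password (empty NewPassword removes it)."""
        return new_command({
            "RequestType": "SetRecoveryLock",
            "CurrentPassword": self.current(udid),
            "NewPassword": new_password,
        })

    def clear_command(self, udid):
        return self.set_command(udid, "")

    def on_acknowledged(self, udid, command):
        """Record the new password only once the device returns Acknowledged;
        an Error status means the previous password is still in force."""
        self._current[udid] = command["Command"]["NewPassword"]

    def verify_command(self, udid):
        """VerifyRecoveryLock: the device answers with PasswordVerified, letting
        the server confirm its record matches before attempting a rotation."""
        return new_command({
            "RequestType": "VerifyRecoveryLock",
            "Password": self.current(udid),
        })


if __name__ == "__main__":
    store = RecoveryLockStore()
    udid = "00008103-CONSTRUCTED-UDID"          # constructed sample
    first = store.set_command(udid, "rotate-me-later")
    store.on_acknowledged(udid, first)            # device said Acknowledged
    second = store.set_command(udid, "new-recovery-password")
    print(second["Command"]["CurrentPassword"])   # carries the first password
    print(device_lock("123456", "Property of Example Ltd", "+00 000 000 000"))
```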
Erasing All Content & Settings for macOS
Another iOS feature coming to macOS is Erase All Content and Settings, available via MDM command for Macs with Apple silicon or a T2 chip. System Preferences will also offer an option to erase all user data and user-installed apps while keeping the currently installed operating system. Since storage on Macs with Apple silicon or the T2 chip is always encrypted, the system is erased instantly and securely by destroying the encryption keys. Alongside this command, a new restriction payload to prevent users from selecting Erase All Content and Settings in System Preferences has been added to the MDM framework.
This is great for anyone who uses macOS, and even better for macadmins who test automated device enrolment workflows. It also provides rapid return to service when a device needs to be handed to another user, removing the need for complicated workflows and full installer deployments. Via MDM, the erase device command erases all user data and reboots the Mac to Setup Assistant.
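To show what the erase command and its companion restriction look like from the MDM side, here is an added example (not the article's or Apple's code). It builds `EraseDevice` with macOS 12's `ObliterationBehavior` key and the `allowEraseContentAndSettings` restriction, and models the outcome of each behaviour for a Mac that does or does not support the fast, key-destroying erase. The outcome model is this article's reading of Apple's documented semantics; the PIN is a placeholder.

```python
"""EraseDevice for a Mac with ObliterationBehavior (macOS 12) and the
restriction that hides Erase All Content and Settings from users. Added example."""
import re
import uuid

# What the Mac does when Erase All Content and Settings (EACS, the instant
# key-destroying erase) is unavailable or fails, per Apple's MDM reference.
OBLITERATION_BEHAVIORS = {
    "Default": "fall back to a full obliterating wipe",
    "DoNotObliterate": "fail the command and leave the Mac untouched",
    "ObliterateWithWarning": "full wipe, with a warning shown during the erase",
    "Always": "skip EACS and always perform the full wipe",
}

PIN_RE = re.compile(r"^\d{6}$")


def erase_device(pin, obliteration_behavior="Default"):
    """EraseDevice command. On macOS the PIN is required and must be entered
    at the lock screen once the Mac reboots into Setup Assistant."""
    if not PIN_RE.match(pin):
        raise ValueError("PIN must be exactly 6 digits")
    if obliteration_behavior not in OBLITERATION_BEHAVIORS:
        raise ValueError(f"unknown ObliterationBehavior {obliteration_behavior!r}")
    return {
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {
            "RequestType": "EraseDevice",
            "PIN": pin,
            "ObliterationBehavior": obliteration_behavior,
        },
    }


def outcome(obliteration_behavior, eacs_supported, eacs_succeeds=True):
    """Model of the result for a change review: 'eacs' (fast, keys destroyed,
    OS kept), 'obliterate' (full wipe, OS reinstall needed) or 'fail'."""
    if obliteration_behavior == "Always":
        return "obliterate"
    if eacs_supported and eacs_succeeds:
        return "eacs"
    if obliteration_behavior == "DoNotObliterate":
        return "fail"
    return "obliterate"


def eacs_restriction(allow_user_erase):
    """com.apple.applicationaccess key that removes Erase All Content and
    Settings from System Preferences. The MDM EraseDevice command still works."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "allowEraseContentAndSettings": allow_user_erase,
    }


if __name__ == "__main__":
    # Rapid return to service: prefer EACS, but never leave a Mac half-wiped.
    print(erase_device("123456", "Default"))
    for behavior in OBLITERATION_BEHAVIORS:
        print(f"{behavior:<22} T2/Apple silicon: {outcome(behavior, True):<10}"
              f" older Intel: {outcome(behavior, False)}")
    print(eacs_restriction(False))
```

For a return-to-service flow, `Default` is the pragmatic choice: a T2 or Apple silicon Mac gets the instant erase and keeps its OS, while an older Intel Mac still ends up wiped rather than stuck. `DoNotObliterate` is the option to pick when a full wipe would be worse than no wipe, for instance when the Mac must come back online without an OS reinstall.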
In this article we have covered most of the major device management changes from WWDC 2021. Here at Mac Centre, we highly recommend that your organisation sign up for AppleSeed for IT, as betas of iOS 15 and macOS Monterey are now available. This will let your organisation start testing and building test plans so that you are ready when these new OS releases and features launch.
Keep an eye out for Mac Centre's next post, where we will dive into declarative device management, the next evolution of device management, and the impact it will have on macadmins.