Apple remains focused on the needs of enterprise IT. With this in mind, it made several interesting changes at WWDC 2022. Here’s a rundown of the enterprise-relevant improvements Apple announced that we’ve identified so far.
Apple announced a raft of developer technologies
Apple ushered in a range of enterprise-focused improvements during the developer sessions held at the event.
Declarative Device Management
Introduced in 2021, declarative device management works to make devices more autonomous and proactive, while allowing servers to be lightweight and reactive. It is now also available for Macs.
Managed device attestation
A new security feature that uses the Secure Enclave to provide strong assurances about a client device, such as its identity and software version.
Apple Configurator for iPhone was introduced in 2021. It lets admins add Macs purchased outside of the normal channel to their organization using Apple School Manager (ASM) or Apple Business Manager (ABM). When running Setup Assistant on the Mac, admins just need to hold an iPhone running Configurator over the animation. The Mac will then connect to the internet and add itself to your organization. At WWDC 2022, Apple extended Configurator for iPhone so that it can now also add iPhones and iPads.
In keeping with the move toward password-less access, Apple wants to build systems secure enough that users need to sign in only once, with that identity then carried across everything else. With that goal in mind, the company confirmed that for Federated Authentication, Apple Business Manager now integrates with Google Workspace as an Identity Provider.
Sign in with Apple
The company said this feature can now be used at work and school with Managed Apple IDs. There are additional security features baked in, so admins can allow all apps or only selected apps to use the sign-in tool.
This is quite an important change. In iOS/iPadOS 15, Apple used a token-based authorization system to let MDM servers verify user identity. iOS/iPadOS 16 adds support for OAuth 2 as another authorization mechanism. This means MDM servers will be able to support additional identity providers; it also improves security and enables another new feature, described below.
Enrollment Single Sign-on, or Enrollment SSO
This is a faster system that enables employees to enroll their personal devices into your organization’s MDM system. Users enter their email address to download an enrollment single sign-on app, sign in once, and the app handles the rest of the process. The system does require IT and MDM vendors to take certain steps before it is supported, including configuring the MDM server so that the correct JSON document is shared.
Platform Single Sign-On (Platform SSO)
macOS Ventura gains this new feature, which lets users sign in once at login to be signed into apps and websites automatically. The feature, which uses a range of technologies — including third-party SSO extensions, its own Kerberos extension, FileVault, OAuth, OpenID and so on — means you may never need to remember another website password, or go through the process of entering it, again, without compromising your security.
Automated device enrollment
Apple made an important change to automated device enrollment, one that I imagine will make it much harder to set up a lost or stolen managed device for sale. The company says ASM/ABM-registered Macs must have an internet connection to be set up once erased or restored.
To protect against close-access attacks, a new MDM setting lets administrators require a user password before new Thunderbolt or USB accessories can be used with M-series Apple notebooks.
Web content filtering
Admins will be able to apply Web content filters and DNS proxies on managed iPhones and iPads running iOS 16 and iPadOS 16.
Making it easier to swap eSIMs
You will be able to transfer eSIMs between iPhones using Bluetooth. To do so, just move your older iPhone close to your new one and follow the Set Up Cellular dialog. Apple also put protections in place to ensure users don’t accidentally delete their existing eSIM, as doing so requires that a new one be provisioned.
Shared iPad improvement
This slight improvement may make a big difference. A new command lets admins autosuggest your company’s domain name when a user begins to enter a Managed Apple ID. This is going to save a lot of time on shared iPads, particularly with complex domain names, as it means spelling becomes less of a problem.
Accessibility in iOS and iPadOS 16
Apple has added tools to let MDM systems manage popular accessibility settings including Text Size, VoiceOver, Zoom, Touch Accommodations, Bold Text, Reduce Motion, Increase Contrast, and Reduce Transparency. Users can still modify these settings, but it does mean devices can be made more accessible from the start.
Apple also made some keynote announcements
Continuity Camera lets you use your iPhone as a webcam and adds a Desktop view to let you share video from above your keyboard.
Mail and messages improvements
The welcome (and long-awaited) improvements to Mail search will help everyone. Scheduled emails, the capacity to unsend sent emails, and the ability to set reminders to return to unactioned emails will all make a big difference to workflow. This is Apple playing catch-up, as features like these have been available on other email platforms through tools such as Boomerang.
Some interesting enhancements within Metal 3 include the capacity to create more photorealistic environments and to take further advantage of graphics memory to drive applications.
This means you can get valuable web results at a platform level. This doesn’t completely replace traditional search engines, but it’s a sign of what’s to come.
The ability to pull text (in actionable format) out of images and video will make a huge difference to users and opens interesting possibilities for developers, particularly at businesses working with international audiences.
Rapid Security Response
Rapid Security Response will make a solid difference to hybrid and remote enterprises, as it means Apple can install security updates directly on Macs, iPhones, and iPads. This should accelerate installation of security updates across businesses that until now relied on employee discretion around updating. It also means MDM systems don’t need to wait on full OS updates.
Passkeys are important, as they usher in a completely passcode-free future. The move should vastly reduce business and personal vulnerability to phishing.
Have you come across additional enterprise enhancements announced at WWDC? Please drop me a line and let me know.