As expected, Apple announced at WWDC a series of significant changes to how Macs, iPads, iPhones, and Apple TVs are managed in business and education environments. These changes largely break into two groups: those that affect overall device management and those that apply to declarative management (a new type of device management Apple introduced last year in iOS 15).
It’s important to look at each group separately to best understand the changes.
How did Apple change overall device management?
Apple Configurator for iPhone got a significant expansion. It’s long been a manual method of enrolling iPhones and iPads in management rather than using automated or self-enrollment tools. The tool originally shipped as a Mac app that could configure devices, but it had one major downside: devices had to be connected via USB to the Mac running the app. This had obvious implications in terms of the time and manpower in anything other than a small environment.
Last year, Apple introduced a version of Configurator for iPhone that reversed the workflow of the original, meaning an iPhone version of the app could be used wirelessly to enroll Macs into management. It was primarily used to enroll Macs that had been purchased outside of Apple’s enterprise/education channel into Apple Business Manager (Apple products purchased through the channel can be auto-enrolled with zero-touch configuration).
The iPhone incarnation is incredibly simple. During the setup process, you point an iPhone camera at an animation on the Mac’s screen (much like pairing an Apple Watch) and that triggers the enrollment process.
The big change this year is that Apple expanded the use of Apple Configurator for iPhone to support iPad and iPhone enrollment using the same process — removing the requirement that devices be attached to a Mac. This greatly reduces the time and effort needed to enroll these devices. There’s one caveat: devices that require cellular activation or have been activation locked will need that activation to be completed manually before Configurator can be used.
Apple has made useful changes for identity management in enterprise environments. The most significant: it now offers support for additional identity providers, including Google Workspace and any provider that supports OAuth 2, which opens the door to an expansive set of providers. (Azure AD was already supported.) These identity providers can be used in conjunction with Apple Business Manager to generate Managed Apple IDs for employees.
The company also announced that support for single sign-on enrollment across its platforms will be implemented after macOS Ventura and iOS/iPadOS 16 arrive this fall. The goal is to make user enrollment easier and more streamlined by requiring users to authenticate only once. Apple also announced Platform Single Sign-on, an effort to expand and streamline access to enterprise apps and websites whenever users log in to their device(s).
Managed per-app networking
Apple has long had per-app VPN capabilities, which allow only specific enterprise or work-related apps to use an active VPN connection. This keeps the VPN’s security benefits while limiting VPN load, since only those apps’ traffic is sent over the connection. With macOS Ventura and iOS/iPadOS 16, Apple is adding per-app DNS proxy and per-app web content filtering. These help secure traffic for specific apps and function the same way as per-app VPN, with no changes required to the apps themselves. DNS proxy supports system-wide or per-app options, while content filtering supports a system-wide instance or up to seven per-app instances.
For iPhones that support eSIMs, Apple is making it possible for mobile device management software (MDM) to configure and provision an eSIM. This can include provisioning a new device, migrating carriers, use of multiple carriers, or configuration for travel and roaming.
Managing Accessibility settings
Apple is well known for its expansive set of Accessibility features for people with special needs. In fact, many people without special needs also use several of these features. In iOS/iPadOS 16, Apple is allowing MDM to enable and configure a handful of the most common features automatically, including text size, VoiceOver, Zoom, Touch Accommodations, Bold Text, Reduce Motion, Increase Contrast, and Reduce Transparency. This will be a welcome tool in areas such as special education or hospital and healthcare settings where devices may be shared among users with special needs.
What’s new in Apple’s Declarative Management process?
Apple unveiled Declarative Management last year as an improvement over its original MDM protocol. Its big advantage is that it moves much of the business logic, compliance, and management from the MDM service to each device. As a result, devices can proactively monitor their state. That eliminates the need for the MDM service to constantly poll for their device state and then issue commands in response. Instead, devices make those changes based on their current state and on the declarations sent to them and report them back to the service.
Declarative management relies on declarations that contain things like activations and configurations. One advantage is that a declaration can include multiple configurations as well as the activations that indicate when or if the configuration should be activated. This means a single declaration can include all the configurations for all users, paired with activations that indicate to which users they should apply. This reduces the need for large sets of different configurations as the device itself can determine which ones should be enabled for the device because of its user.
This year, Apple has expanded where Declarative Management can be used. Initially, it was available only on iOS/iPadOS 15 devices that leveraged user enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 will be supported, regardless of their enrollment type. That means device enrollment (including Supervised devices) is supported across the board, as is Shared iPad (an enrollment type that allows multiple users to share the same iPad, each with his or her own configuration and files).
The company has made it crystal clear that Declarative Management is the future of Apple device management and that any new management features will be rolled out only to the declarative model. Although traditional MDM will be available for some unspecified time, it has been deprecated and will eventually be retired.
This has major implications for devices already in use. Devices that can’t run macOS Ventura or iOS/iPadOS 16 will eventually be dropped, and any that remain in service will need to be replaced. Given the swath of devices losing support, this could make for a costly transition for some organizations. Although it isn’t immediate, you should begin to determine the size and cost of the transition and how you will manage it, particularly since it will likely require a move to Apple Silicon, which doesn’t support running Windows or Windows apps.
Beyond expanding what products can use declarative management, Apple also extended its functionality, including support for passcode configuration, enterprise accounts, and MDM-governed app installation.
The passcode option is more complex than simply requiring a passcode of a certain type. Passcode compliance is traditionally a prerequisite for certain security-related configurations, such as sending the corporate Wi-Fi configuration to a device. In the declarative model, those configurations can be sent to the device before a passcode is set. They are sent along with the passcode requirement and include an activation that will only enable them once the user creates a passcode that complies with that policy. Once the user sets a compliant passcode, the device detects the change and enables the Wi-Fi configuration on its own, without multiple round trips to the MDM service, so Wi-Fi is enabled immediately and the service is notified that the configuration has been activated.
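The declaration/activation pattern described above (configurations paired with activations, evaluated on the device against its own status) can be modeled in a few dozen lines. The following is an added example, not Apple's code or schema documentation: the passcode configuration type and keys and the activation type follow Apple's published declaration format as I know it, while the Wi-Fi type, the identifiers, the `StatusRequirements` key (a stand-in for the real activation predicate string) and the length-only compliance check are constructed for illustration. It shows the edge case where a user first sets a non-compliant passcode: Wi-Fi stays off until the policy is actually met, with no server involvement.

```python
"""Toy model of declarative management: the device evaluates activations
against its own status and enables configurations locally."""
from typing import Optional

# Constructed declaration set. Passcode/activation types follow Apple's schema;
# the Wi-Fi type is a placeholder and StatusRequirements replaces the real
# predicate string with a plain mapping of required status values.
DECLARATIONS = [
    {"Type": "com.apple.configuration.passcode.settings",
     "Identifier": "cfg.passcode", "ServerToken": "tok-1",
     "Payload": {"RequirePasscode": True, "MinimumLength": 6}},
    {"Type": "placeholder.configuration.wifi",  # hypothetical, not an Apple type
     "Identifier": "cfg.wifi", "ServerToken": "tok-2",
     "Payload": {"SSID": "CorpNet"}},
    {"Type": "com.apple.activation.simple",
     "Identifier": "act.passcode", "ServerToken": "tok-3",
     "Payload": {"StandardConfigurations": ["cfg.passcode"]}},
    {"Type": "com.apple.activation.simple",
     "Identifier": "act.wifi", "ServerToken": "tok-4",
     "Payload": {"StandardConfigurations": ["cfg.wifi"],
                 "StatusRequirements": {"passcode.is-compliant": True}}},
]


def is_activation(decl: dict) -> bool:
    return decl["Type"].startswith("com.apple.activation.")


def passcode_status(passcode: Optional[str], policy: dict) -> dict:
    """Status items the device derives from its policy (length-only toy check)."""
    present = bool(passcode)
    compliant = (not policy.get("RequirePasscode", False)) or (
        present and len(passcode) >= policy.get("MinimumLength", 0))
    return {"passcode.is-present": present, "passcode.is-compliant": compliant}


def active_configurations(declarations: list, status: dict) -> set:
    """Configuration identifiers whose activation requirements hold for this status."""
    known = {d["Identifier"] for d in declarations if not is_activation(d)}
    active = set()
    for act in filter(is_activation, declarations):
        required = act["Payload"].get("StatusRequirements", {})
        if all(status.get(k) == v for k, v in required.items()):
            # Dangling references are skipped rather than failing the activation.
            active |= known & set(act["Payload"]["StandardConfigurations"])
    return active


def on_passcode_change(declarations: list, old: Optional[str], new: Optional[str]) -> dict:
    """Device-side reaction: what flipped, plus the status report sent to the MDM."""
    policy = next(d["Payload"] for d in declarations if d["Identifier"] == "cfg.passcode")
    before = active_configurations(declarations, passcode_status(old, policy))
    after = active_configurations(declarations, passcode_status(new, policy))
    return {"activated": sorted(after - before), "deactivated": sorted(before - after),
            "status_report": passcode_status(new, policy)}
```

The same evaluation applies to the account and app-installation configurations the article goes on to describe; only the status items in the requirements differ.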
Accounts (which can include things such as mail, notes, calendar, and subscribed calendars) function similarly. A declaration can specify all the types of accounts supported within the organization as well as all the subscribed calendars. The device will then determine, based on the user’s account and role(s) within the organization, which of them to activate and enable.
MDM app installation is the most significant addition to declarative management, since app installation is one of the tasks that puts the most load on an MDM and the biggest bottleneck during mass device activations (such as a large onboarding of new employees, new device rollouts, or the first day of school). A declaration can specify all the potential apps to be installed and sent to a device at activation, even before it has been handed to its user. Again, the device will determine which app installation configurations to activate and make available, based on the user. This avoids each device having to repeatedly query the service and download apps and their configurations. It also simplifies and speeds up the process of enabling (or disabling) apps if a user’s role changes.
These are significant improvements and it’s easy to see why they are the first additions to Declarative Management after its initial rollout. There are still MDM capabilities that have not made the leap to declarative use, but it is obvious that eventually – perhaps as soon as next year – they will.
This is one of the most significant WWDC announcements for enterprise and it’s good to see that Apple has been thoughtful in deciding which features to add or update since most of them tackle areas that were difficult, time consuming, resource intensive, or tedious. Apple is not just addressing enterprise customer needs, but demonstrating that it understands those needs.