iOS 16 is two weeks old, and iPadOS 16 is expected to be released in the next few weeks. There is a lot of new MDM functionality in the new OS, and many of the additions are genuinely useful. They will change how iOS devices are managed.
I will walk you through some of these new features in this blog post with a few demos.
Sign in with Apple at Work & School
Sign in with Apple gives users a fast and easy way to sign in to apps with their Apple ID; users can create an account within the app with a single tap.
Apple has now extended Sign in with Apple to support Managed Apple IDs, so the same fast and easy sign-in experience is available to users signing in with a Managed Apple ID.
For example, a user who has just downloaded JIRA to their iPhone sees the following sign-in options.
To use Sign in with Apple, the user taps Continue with Apple and sees the standard Sign in with Apple welcome screen.
With iOS 16, users who sign in with a Managed Apple ID instead see the welcome screen for Sign in with Apple at Work & School.
Notice the difference in the welcome screen.
Normally, when users sign in with a personal Apple ID, they see an account creation screen where they can edit their name and choose whether to share or hide their email address.
With this new feature, the organizational context is used instead: the app is told that the user is signing in with a corporate (Managed) Apple ID, and it can adjust the level of access accordingly.
In this example, the app applies access control based on the name and email shared with it through Sign in with Apple at Work & School. This also means that when a user signs in with Sign in with Apple at Work & School, the name and email fields are always shared with the app; there is no Hide My Email option.
Support for OAuth
Both iOS 16 and iPadOS 16 add support for OAuth 2.0 during enrollment. This lets MDM vendors use OAuth 2.0 for user authentication, and Enrollment SSO also works with any SSO technology, including OAuth 2.0.
Corporate vs. Personal Data Separation
When users sign in with their Managed Apple ID on iOS/iPadOS 16 or later, the Calendar and Reminders apps create a second database containing all of the events and metadata for the organization's calendars. This gives full data separation on devices enrolled with User Enrollment and keeps organizational data separate from personal data.
New Software Update Features
With the new OS, Apple has introduced Rapid Security Response, a mechanism for shipping security fixes to users more frequently than full OS updates.
Separately, the ScheduleOSUpdate MDM command gains a new Priority key. Sending the command with Priority set to High makes the device download and prepare the update much as it would for a user-initiated update. This is only supported for minor OS updates (for example, 16.0 to 16.1) and only on iOS 16 and iPadOS 16.
Rapid Security Responses don't adhere to the managed software update delay; however, because they apply only to the latest minor operating system version, if that minor update is delayed, the response is also effectively delayed.
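As an added example (not code from the original post or from Apple), the following Python builds a ScheduleOSUpdate command and enforces the documented constraint on the new Priority key: High is refused for major updates, and the key is omitted entirely for devices below iOS 16, which would ignore it anyway. The version strings and the optional ProductKey value are assumptions made for the example; the command, Updates, ProductVersion, InstallAction and Priority keys are the ones used by the MDM protocol.

```python
import plistlib
import uuid

PRIORITY_VALUES = ("Low", "High")


def parse_version(version):
    """Split '16.0.3' into (16, 0, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_minor_update(current_version, target_version):
    """A minor update stays on the same major release and moves forward (16.0 -> 16.1).
    16.x -> 17.0 is a major update, and a downgrade or no-op is never 'minor'."""
    current, target = parse_version(current_version), parse_version(target_version)
    return current[0] == target[0] and target > current


def build_schedule_os_update(current_version, target_version, priority="High",
                             install_action="InstallASAP", product_key=None):
    """Return the ScheduleOSUpdate command as plist bytes for a single update entry.

    Priority is only honoured on iOS/iPadOS 16 and only for minor updates, so the
    function refuses High for a major jump instead of silently sending a no-op key,
    and it leaves Priority out whenever the device could not act on it."""
    if priority not in PRIORITY_VALUES:
        raise ValueError(f"Priority must be one of {PRIORITY_VALUES}")
    minor = is_minor_update(current_version, target_version)
    if not minor and priority == "High":
        raise ValueError("High priority is only supported for minor OS updates")

    update = {"ProductVersion": target_version, "InstallAction": install_action}
    if product_key is not None:          # ProductKey comes from AvailableOSUpdates (assumed here)
        update["ProductKey"] = product_key
    if minor and parse_version(current_version)[0] >= 16:
        update["Priority"] = priority

    command = {
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {"RequestType": "ScheduleOSUpdate", "Updates": [update]},
    }
    return plistlib.dumps(command)


def update_entry(plist_bytes):
    """Decode a built command and return its single Updates entry (used for checks)."""
    return plistlib.loads(plist_bytes)["Command"]["Updates"][0]


if __name__ == "__main__":
    # Constructed scenario: a device on 16.0 being pushed to 16.1 at high priority.
    print(build_schedule_os_update("16.0", "16.1").decode())
```

Run it to see the XML plist the server would queue for the device; swap the versions to 16.6 and 17.0 to see the High request rejected.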
Apple Configurator for iPhone
This is the best feature of iOS 16.
In iOS 16 and iPadOS 16, Administrators, Site Managers (Apple School Manager only) and Device Enrollment Managers can add iPhone and iPad devices to their Apple School Manager, Apple Business Manager or Apple Business Essentials organization with Apple Configurator for iPhone. The device being added must be at the Choose a Wi-Fi Network pane of Setup Assistant. This is very useful for users at remote locations, where an organization cannot ship hardware through its usual channels.
The process itself is very simple.
Apple Business Manager Updates
Apple Business Manager now supports federation of Managed Apple IDs with Google Workspace. Apple Business Manager and Apple School Manager will also support configuring an "allow list" of the apps that Managed Apple IDs can be used to sign in to.
Enrollment Single Sign-On
Enrollment SSO is designed to make the User Enrollment flow faster and easier by reducing the number of sign-ins required during enrollment into MDM. This is accomplished by installing an identity app and then using it to handle repeated authentication during, and after, the enrollment process.
Once the user authenticates with their Managed Apple ID, the enrollment completes.
Managed Device Attestation
Managed Device Attestation uses the Secure Enclave and cryptographic attestations to give services such as MDM, VPN and 802.1X servers hardware-backed evidence of a managed device's identity and properties when it connects.
The MDM server issues a DeviceInformation query that includes the new attestation keys, among them a nonce chosen by the server. The device obtains an attestation from Apple's attestation servers and returns it to the MDM server. The MDM server then evaluates the attestation: it verifies the certificate chain up to Apple's attestation root, confirms that the nonce it sent is reflected in the attestation, and compares the attested identifiers with the device record it already holds.
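The exchange described above, as an added example that is not part of the original post and not Apple's or any MDM vendor's code. The DeviceInformation command uses the DevicePropertiesAttestation query and the DeviceAttestationNonce key; the server-side logic here shows the part an MDM implementer gets wrong most easily, the nonce discipline: one random nonce per request, bound to the CommandUUID and device, expiring after a window (300 seconds is an assumption for this example), consumed on first use so a replayed response fails, and kept pending when the device answers NotNow. The X.509 chain verification against Apple's attestation root is delegated to a caller-supplied chain_verifier, because it needs a real certificate library; the UDID, certificate bytes and make_device_response helper are constructed stand-ins for offline use.

```python
import os
import time
import uuid
import plistlib

NONCE_BYTES = 32          # DeviceAttestationNonce accepts at most 32 bytes
NONCE_TTL_SECONDS = 300   # freshness window chosen for this example (assumption)

# Outstanding attestation requests keyed by CommandUUID. A real server would
# persist this; an in-memory dict is enough to show the checks.
_pending = {}


def build_attestation_query(udid, now=None):
    """Build the DeviceInformation command that asks a device for an attestation.

    Returns (command_uuid, nonce, plist_bytes). The nonce is random per request and
    remembered so the response can be tied back to this exact query and device."""
    now = time.time() if now is None else now
    nonce = os.urandom(NONCE_BYTES)
    command_uuid = str(uuid.uuid4()).upper()
    command = {
        "CommandUUID": command_uuid,
        "Command": {
            "RequestType": "DeviceInformation",
            "Queries": ["UDID", "SerialNumber", "DevicePropertiesAttestation"],
            "DeviceAttestationNonce": nonce,
        },
    }
    _pending[command_uuid] = {"udid": udid, "nonce": nonce, "issued": now}
    return command_uuid, nonce, plistlib.dumps(command)


def evaluate_attestation_response(response_bytes, chain_verifier, now=None):
    """Run the server-side checks before trusting an attestation.

    chain_verifier(certs, nonce) -> bool is supplied by the caller and must verify the
    DER chain up to Apple's attestation root and that the leaf carries this nonce and
    the expected device identifiers. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    response = plistlib.loads(response_bytes)
    command_uuid = response.get("CommandUUID")
    pending = _pending.get(command_uuid)
    if pending is None:
        return False, "unknown or already-used CommandUUID"
    if response.get("Status") == "NotNow":
        # Device is busy; the server re-sends the same command later, so keep the nonce.
        return False, "device deferred the command; retry later"
    # Every other outcome consumes the nonce: a replayed response must never match twice.
    del _pending[command_uuid]
    if now - pending["issued"] > NONCE_TTL_SECONDS:
        return False, "nonce expired"
    if response.get("UDID") != pending["udid"]:
        return False, "response came from a different device"
    if response.get("Status") != "Acknowledged":
        return False, f"device returned status {response.get('Status')!r}"
    certs = response.get("QueryResponses", {}).get("DevicePropertiesAttestation")
    if not certs:
        return False, "no DevicePropertiesAttestation in response"
    if not chain_verifier(certs, pending["nonce"]):
        return False, "attestation chain or nonce check failed"
    return True, "device attested"


def make_device_response(command_uuid, udid, certs, status="Acknowledged"):
    """Stand-in for the reply a device would POST back (constructed for offline use)."""
    return plistlib.dumps({
        "CommandUUID": command_uuid,
        "UDID": udid,
        "Status": status,
        "QueryResponses": {"UDID": udid, "DevicePropertiesAttestation": certs},
    })


if __name__ == "__main__":
    device = "00008030-CONSTRUCTED-UDID"                 # constructed identifier
    cmd_uuid, nonce, _ = build_attestation_query(device)
    fake_chain = [b"leaf-der", b"intermediate-der"]      # constructed placeholders
    reply = make_device_response(cmd_uuid, device, fake_chain)
    verifier = lambda certs, n: n == nonce              # stands in for real X.509 checks
    print(evaluate_attestation_response(reply, verifier))   # (True, 'device attested')
    print(evaluate_attestation_response(reply, verifier))   # replay -> (False, 'unknown or already-used CommandUUID')
```

The ordering matters: the pending entry is removed before any content check, so a response that fails verification cannot be resubmitted with a different certificate chain, while a NotNow answer leaves the nonce in place for the retry.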
Default Domains & Remote Authentication
Save your users time with the ManagedAppleIDDefaultDomains key, which lets the device suggest the organization's domain at sign-in. After entering the user name portion of a Managed Apple ID, users can pick their account's domain from a list on the QuickType keyboard instead of typing it.
And with iPadOS 16, Shared iPad uses the local passcode by default for users who already exist on the device, so no network connection is required for them to sign in.
Managing Network Traffic
With the new OS, Apple has also extended DNS Proxy and Web Content Filter payloads to BYOD (User Enrollment) devices by allowing them to be scoped per app, much like per-app VPN. These per-app payloads can only be installed via MDM. Existing apps that rely on DNS proxies or web content filters keep working; however, a device cannot mix a system-wide proxy or filter with per-app ones.
There are many more interesting features in the new Apple operating systems than can be covered in this post. A few more posts will cover these features in much more detail. Till then, be #mempowered & enjoy #membeer. Stay In(tuned).