This year's Apple Worldwide Developers Conference (WWDC2023) was marked by numerous groundbreaking announcements. Yet, amid the buzz about the new Apple Vision Pro, iOS/iPadOS 17, macOS Sonoma, and app updates, Apple's leap into next-level device management was easy to overlook. A significant shift from traditional management paradigms, this advancement is set to redefine the way we interact with and manage our Apple devices.
I have divided this into three parts for simplicity and better understanding. This first part covers the major announcements for macOS and iOS/iPadOS management.
Apple's Device Management Evolution
Apple has steadily improved its device management approach over the past years. The tech giant has streamlined the user experience while granting more control over individual devices, from iCloud backups to Family Sharing. The changes made public at WWDC 2023, however, go beyond that; they reflect a comprehensive, user-centered strategy that ties seamlessly into Apple's ecosystem.
Here is a summary of the device management-related WWDC announcements made by Apple. In the coming weeks and months, I'll be delving deeper into many of these subjects.
Awesome New Device Management Features in macOS 14
Apple's new features aim to streamline user enrollment and setup while maintaining robust security measures. This year, Apple has refined the Automated Device Enrollment process. Beginning with FileVault, macOS Sonoma will allow MDM to require FileVault activation during the Setup Assistant phase. As an Intune admin, you will have the option to display the FileVault recovery key during Setup Assistant or, alternatively, escrow it to Intune.
Moreover, as an Intune admin, you will now be able to require the device to be on a specific operating system version in order to enroll. This ensures that devices are on the required OS version before they are put into use. If a higher OS version is required, users will be guided through an automatic update of their Mac, which will then restart automatically. After the update completes, the Mac returns to Setup Assistant, and users can finish the enrollment and setup process.
Apple has also added safeguards to ensure that the user completes Automated Device Enrollment as soon as network connectivity is established, while a "not now" option allows the user to postpone enrollment by 8 hours.
Coming to the most awaited feature, Platform Single Sign-On (SSO): Apple unveiled several exciting enhancements to Platform SSO in macOS 14, such as:
- The introduction of a new menu item within System Settings. This enables users to register their device or user account for use with SSO.
- The ability for users with accounts managed by an organizational identity provider, or with smart cards, to create local user accounts.
- Refreshing group memberships at the moment of authentication with the identity provider.
- The ability to fulfill authorization prompts using Identity Provider (IdP) user accounts that don't exist locally.
Some other impressive features announced were:
- Password policies can now be delivered as regular expressions if needed, and password change notification prompts occur at every logon.
- System Settings management can now prevent several settings modifications at a granular level.
- Managed Device Attestation is now available on macOS.
Below is the snapshot of all the changes coming to macOS management.
The Latest Developments in iOS/iPadOS Management
For iOS and iPadOS, "Return to Service" is one of the major announcements, and it will definitely be a game changer. Let's look at it more closely.
In supervised device deployment scenarios, devices are frequently passed from one user to another. Although a remote wipe is possible, bringing these devices back into service has always required a manual process, including physically handling the device and stepping through Setup Assistant.
The introduction of a new feature called Return to Service for iOS and iPadOS will eliminate this extra manual step.
Here's how it works: from Intune, you send an Erase command to the device. The command carries additional information that lets the device reset, securely erase all data, connect to Wi-Fi, enroll in MDM, and return to the Home Screen, ready to be used.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>DisallowProximitySetup</key>
        <false/>
        <key>PreserveDataPlan</key>
        <true/>
        <key>RequestType</key>
        <string>EraseDevice</string>
    </dict>
    <key>CommandUUID</key>
    <string>0001_EraseDevice</string>
</dict>
</plist>
```
To implement this behavior, an additional ReturnToService dictionary is added to the EraseDevice command. This dictionary must include a Wi-Fi configuration profile so the device can connect once it has been erased.
EraseDeviceCommand.Command.ReturnToService
- Enabled (boolean)
- MDMProfileData (data)
- WiFiProfileData (data)
Alternatively, the device can connect to the Internet by other means, such as a tethered connection. Second, the dictionary must include a profile with the necessary MDM enrollment information.
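As an added example (not code from this post, Apple, or Intune), the following Python uses the standard plistlib module to assemble an EraseDevice command with the ReturnToService dictionary described above and to sanity-check it before it is queued; the Wi-Fi payload (SSID, password, UUIDs) and the MDM profile bytes are constructed placeholders.

```python
import plistlib

# Constructed sample Wi-Fi configuration profile (placeholder SSID, password and UUIDs).
WIFI_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.wifi",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": "com.example.wifi.payload",
        "PayloadUUID": "66666666-7777-8888-9999-000000000000",
        "SSID_STR": "ExampleCorp",
        "Password": "PLACEHOLDER-WIFI-PASSWORD",
    }],
}
# Placeholder bytes standing in for the enrollment profile the MDM server would issue.
MDM_PROFILE = b"PLACEHOLDER-MDM-ENROLLMENT-PROFILE"

def build_return_to_service_command(command_uuid, wifi_profile, mdm_profile):
    """Serialize an EraseDevice command carrying a ReturnToService dictionary."""
    command = {
        "CommandUUID": command_uuid,
        "Command": {
            "RequestType": "EraseDevice",
            "DisallowProximitySetup": False,
            "PreserveDataPlan": True,
            "ReturnToService": {
                "Enabled": True,
                "WiFiProfileData": plistlib.dumps(wifi_profile),  # embedded as <data>
                "MDMProfileData": mdm_profile,                     # embedded as <data>
            },
        },
    }
    return plistlib.dumps(command)

def check_return_to_service(command_bytes):
    """Pre-flight check: an incomplete ReturnToService leaves the wiped device at Setup Assistant."""
    body = plistlib.loads(command_bytes).get("Command", {})
    rts = body.get("ReturnToService", {})
    problems = []
    if body.get("RequestType") != "EraseDevice":
        problems.append("RequestType is not EraseDevice")
    if rts.get("Enabled") is not True:
        problems.append("ReturnToService.Enabled is not true")
    for key in ("WiFiProfileData", "MDMProfileData"):
        if not rts.get(key):  # key absent or empty <data>
            problems.append(f"ReturnToService.{key} missing or empty")
    return problems
```

Running check_return_to_service on a plain EraseDevice command like the one shown above reports the missing ReturnToService keys, which is the case that would otherwise strand the device at Setup Assistant.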
Other features are:
- Shared iPad will now support the “AwaitUserConfiguration” key.
- A SkipLanguageAndLocaleSetupforNewUsers option to skip language and locale setup for new users in the setup wizard.
- Configuring a quota for temporary users on Shared iPad.
Snapshot of upcoming changes to iOS & iPadOS
To be continued...
It is hard to postpone discussing other exciting topics, such as Apple Watch management, declarative device management, Managed Apple IDs, and passkeys. However, the sheer volume of content warrants the delay.
Till then, happy learning.