intune macOS ios

WWDC 2023: Apple's Leap into Next-Level Device Management - Part 1

This year's WWDC2023 was marked by numerous groundbreaking announcements. Yet, amid the buzz about the new Apple Vision Pro, iOS/iPadOS 17, macOS Sonoma, and app updates, Apple's leap into next-level device management is an understatement.

5 min read
WWDC 2023: Apple's Leap into Next-Level Device Management - Part 1

This year's Apple Worldwide Developers Conference (WWDC2023) was marked by numerous groundbreaking announcements. Yet, amid the buzz about the new Apple Vision Pro, iOS/iPad OS 17, macOS Sonoma, and app updates, Apple's leap into next-level device management is an understatement. A significant shift from traditional management paradigms, this advancement is set to redefine the way we interact with and manage our Apple devices.

I have divided this into three parts for simplicity and better understanding. In this first part, I have covered the major announcements with macOS & iOS/iPadOS management.


Apple's Device Management Evolution

Apple has constantly improved its device management approach over the past years. The tech giant has constantly streamlined the user experience while granting more control over individual devices, from iCloud backups to Family Sharing. The adjustments made public at WWDC 2023, however, go beyond that; they take a comprehensive, user-centered strategy that seamlessly ties into Apple's ecosystem.

Here is a summary of the device management-related WWDC announcements made by Apple. In the next weeks and months, I'll be delving deeper into many of these subjects.

Awesome New Device Management Features in macOS 14

Apple's new features aim to streamline user enrollment and setup while maintaining robust security measures. This year, Apple has refined the Automated Device Enrollment process. Beginning with FileVault, macOS Sonoma will now allow MDM to necessitate FileVault activation during the Setup Assistant phase. As an Intune admin, we will have the option to display the FileVault recovery key during Setup Assistant or alternatively escrow it to Intune.

Moreover, as an Intune admin, you will now be able to enforce the device to be on a specific operating system version in order to enroll. This will ensure that devices are using the required OS version before being operational. If a higher OS version is required, users will be guided through an automatic update process for their Mac, which will then restart automatically. After completion, the Mac returns to the Setup Assistant, and users can conclude the enrollment and setup process.

Apple has also implemented safeguards to confirm that the user completes the Automated Device Enrollment as soon as network connectivity is established. This allows you to postpone enrollment by 8 hours with a “not now” capability.

Coming to the most awaited feature - Platform Single Sign-On (SSO), Apple unveiled several exciting enhancements for macOS 14 to platform SSO, such as:

Some other impressive features announced were:

Below is the snapshot of all the changes coming to macOS management.


The Latest Developments in iOS/iPadOS Management

For iOS & iPadOS - "Return to Service" is one of the major announcements and it will definitely be a game changer. Let's understand more about this.

In the case of supervised device deployment scenarios, devices are frequently passed from one user to another. Although remote device wipe is possible, re-engagement of these devices has always necessitated a manual process, including physical interaction with the device and navigation through the Setup Assistant.

The introduction of a new feature called Return to Service for iOS and iPadOS, will eliminate this extra manual step.

Return to Service

Here's how it operates: From Intune, you send an Erase command to the device. The command includes additional information which allows the device to reset, securely erase all data, connect to Wi-Fi, enroll into MDM, and get back to the Home Screen, ready to be used.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Command</key>
    <dict>
        <key>DisallowProximitySetup</key>
        <false/>
        <key>PreserveDataPlan</key>
        <true/>
        <key>RequestType</key>
        <string>EraseDevice</string>
    </dict>
    <key>CommandUUID</key>
    <string>0001_EraseDevice</string>
</dict>
</plist>

To implement this behavior, an additional dictionary can be added to the EraseDevice command. This dictionary needs to include the profile of a Wi-Fi configuration to allow the device to connect, once erased.

EraseDeviceCommand.Command.ReturnToService
-> Enabled - boolean
-> MDMProfileData - data
-> MDMProfileData - data

As an alternative, the device can also connect to the Internet by different means, like a tethered connection. Secondly, the dictionary should include a profile with the necessary enrollment information.

Other features are:

Snapshot of upcoming changes to iOS & iPadOS


To be continued...

It's indeed a challenge to postpone discussing other thrilling topics, like Apple Watch management, declarative device management, managed Apple IDs, and passkeys. However, the sheer volume of exhilarating content warrants this delay.

Till then happy learning.

Share This Post

Check out these related posts

Early Bird Gets the Worm: Testing iOS 18 & macOS 15 (Beta) Devices with Intune

Platform SSO for macOS: A Deep Dive into Configuration & Troubleshooting

Application Inventory: The Unsung Hero of macOS Security