Jul 02, 2023

WWDC: What’s new for enterprise admins and device management?

By Jonny Evans, Computerworld

Appleholic, (noun), æp·əl-hɑl·ɪk: An imaginative person who thinks about what Apple is doing, why and where it is going. Delivering popular Apple-related news, advice and entertainment since 1999.

Apple Silicon, new Macs and the new Vision Pro were the hardware stars at this week's WWDC 2023, but IT professionals should know what's new to make their lives easier and help them manage devices more effectively. Here's a brief survey of the important changes identified so far.

But first, consider this. With the rapidly advancing use of its products across the enterprise, Cupertino understands the biggest concerns for mass Apple device deployments: administration, management, and security.

With that in mind, it's no surprise to find at WWDC the company is following its market. Even the introduction of MDM for Apple Watch reflects a trend across some firms to use those devices in interesting new ways, such as how that's done at Volvo.

Managed Apple IDs

These become more versatile this year with updates to Continuity, Apple Wallet, and iCloud Keychain. Administrators also gain additional control to encourage users to sign into the apps and services they need. Managed Apple IDs can also be used in more situations, such as when enrolling a device, in order to keep personal and work data separated.

Federated Identity

Apple School Manager (ASM) and Apple Business Manager (ABM) already support federated identity systems such as Okta, Azure, OAuth, and Workspace. This year, OpenID Connect support is added to the mix, which will make life a lot easier for companies seeking to coalesce multiple platforms around one identity authorization service.

iCloud Keychain

Another useful improvement in Managed IDs is the addition of iCloud Keychain support. This lets IT deploy passcodes and passkeys automatically to managed devices and should be a good step forward toward a password-free enterprise. It builds on the ability, also announced at WWDC 2023, for groups of users to add and edit passwords and passkeys, so everyone in the group can keep up to date.

Declarative device management

Apple put a lot of work into declarative device management this year. Improvements discussed at the show include new ways to deploy apps and certificates and, on macOS, to manage common service configuration files.

Software Update

In a move that will be welcomed in many quarters, IT administrators can now enforce software updates to specific deadlines with improved user transparency.

Another improvement means administrators can use MDM to manage and install multiple versions of an application on Macs.

Automated Device Enrollment on Macs

Many organizations want to ensure certain security configurations are in place even before the Mac is enrolled and the user logs in for the first time. They may want FileVault enabled and the Mac running a specific OS version. At WWDC, Apple announced the following improvements:

macOS 14 allows MDM to require FileVault enablement during Setup Assistant. The recovery key can then be shared with the end user during setup or managed by the MDM system.

MDM can require the device to be on a specific operating system version in order to enroll, which means a user can't access company services until they update. This works using JSON to inform MDM of the OS a device is running. If a new version is required, the user will be guided through the update process.

Making sure Macs get enrolled

At present, when a user attempts to set up a Mac that is not connected to a network, the MDM enrollment is skipped and the user is asked to enroll the machine. (That's because setup relies in part on JSON calls to the authorization and MDM servers.)

Apple has changed this. The Setup Assistant now occupies the whole screen and gives users a choice when setting up the Mac: enroll the Mac immediately, or choose "Not Now," which gives an eight-hour reprieve before the user is required to do so.

This helps ensure Macs are enrolled in MDM and that data doesn't too easily stray outside the managed device perimeter.

User authentication and Single Sign-On (SSO)

macOS Ventura made it possible for users to authenticate once with an account from the organization's Identity Provider and get access to all their approved services. macOS Sonoma extends this with handy tools to repair or reauthenticate the registration, and to create a local account on demand, where the user signs in with their identity credential or smart card to create and authenticate the account.

Password and System Preferences management

Apple has made a few changes here. One of these involves stronger Password Compliance management, which means weak passwords will be flagged, and continued use of a weak password will see the user informed and advised to change it. Another change sees new restrictions in place to prevent users of managed devices from modifying Apple ID logins and Internet Accounts or adding local user accounts.

Managed Device Attestation

Apple introduced Managed Device Attestation for iOS in 2022. The idea is that once the system is put in place, it helps ensure only legitimate devices can access enterprise resources. That protection is now also available on Macs. Apple has also extended the system so it monitors more system elements (such as device ID or OS version), which adds additional layers of security for systems protected by Managed Device Attestation.

Return to Service

Many companies and schools see a relatively rapid turnover of device use. An iPad may pass through multiple users in a month or week. While deleting old data from the device is relatively easy, setup had to be done manually. Return to Service automates some of these steps, so the device is not only erased but also reset, enrolled into MDM, and connected to Wi-Fi, so it is ready for immediate use once the next person grabs it.

5G network slicing and private networks

A growing number of enterprises are adopting private 5G and LTE networks. These support the service levels and latency that next-generation enterprise technologies require, or provide network connectivity across larger areas than Wi-Fi can cover.

iPads already supported private LTE and 5G networks, including with MDM-based eSIM deployment. That capacity is now coming to iPhones, as is support for private standalone 5G networks. Apple's support is quite significant, as the company has also figured out how to make use of such networks more power efficient; SIM-based support is only enabled when needed, thanks to geolocation. Apple also introduced 5G network slicing support, which is an up-and-coming tech designed to efficiently manage the emerging demands of connected services and devices.

Relays

Apple has also introduced a new way to deliver secure access to enterprise network resources: relays. Natively supported on Apple devices, these are secure proxies the company says provide a better user experience and are easier to manage than traditional VPN services. They can also be configured using MDM.

Apple Configurator

Apple Configurator for iPhone is a tool widely used by IT to add devices to ASM or ABM. The change is that users can now assign their own device to an MDM server from within Configurator. They get three choices: don't assign; assign to the default MDM server; or assign to a selected MDM server belonging to the company. When a user signs in with their Managed Apple ID, they will be presented with a list of the MDM servers available for them and their device.

Shortcuts comes to IT

Apple has built a batch of Shortcuts for Apple Configurator. These include shortcuts to update, restore, erase, and prepare iPhones and iPads. At WWDC, Apple demonstrated one use of these in which a series of shortcuts was used to set up and provision an iPad. Apple is urging MDM developers to integrate with these Shortcuts, so it seems pretty clear it intends to automate as much of the setup and management process as it can.


Jonny is a freelance writer who has been writing (mainly about Apple and technology) since 1999.

Copyright © 2023 IDG Communications, Inc.
