At last week’s WWDC, Apple announced a number of changes that affect the overall management of devices or apply to declarative management used on individual devices. Below is a summary of the changes and why they are important.
by Ryan Faas
As expected, at WWDC, Apple announced some major changes to the way Macs, iPads, iPhones, and Apple TV are managed in business and educational settings. These changes fall into two categories: those that affect global device management and those that apply to declarative management, a new type of device management that Apple introduced in iOS 15 last year.
It is important to look at each group individually to better understand the changes.
How is Apple changing global device management?
Apple Configurator for iPhone has been significantly expanded. Apple Configurator has long been the method for manually enrolling iPhones and iPads into management, as opposed to using automated or self-enrollment tools. The tool, originally released as a Mac application, can configure devices, but it has one major disadvantage: the device must be connected via USB to the Mac on which the application is running. This has obvious time and labor implications for anything beyond niche deployments.
Last year, Apple introduced the iPhone version of Configurator, which reversed the original workflow: the iPhone app can wirelessly enroll Macs into management. It is primarily used to add Macs purchased outside the Apple business/education channel to Apple Business Manager (Macs purchased through that channel can be enrolled with zero-touch provisioning).
The iPhone workflow is very simple. During setup, you point the iPhone camera at an animation on the Mac’s screen (much as when pairing an Apple Watch), which triggers the enrollment process.
The biggest change this year is that Apple has expanded Apple Configurator for iPhone to support enrolling iPads and iPhones using the same process – eliminating the requirement to connect the device to a Mac. This greatly reduces the time and effort required to enroll these devices. One caveat: devices that require cellular activation, or that are locked, will need to complete activation manually before Apple Configurator can be used.
Apple has made beneficial changes to identity management in enterprise environments. Best of all: it now supports additional identity providers, including Google Workspace and OAuth 2, enabling support for a wider set of providers. (Azure AD is already supported.) These identity providers can be used with Apple Business Manager to generate Managed Apple IDs for employees.
The company also announced that it will roll out support for single sign-on enrollment across platforms when macOS Ventura and iOS/iPadOS 16 arrive this fall. The goal is to make user enrollment easier and more streamlined by requiring users to authenticate only once. Apple also introduced platform single sign-on, designed to extend and simplify access to corporate applications and websites each time a device is authenticated.
Apple has long had a per-app VPN feature, which routes only specific corporate or work-related apps through an active VPN connection. This preserves VPN security while limiting VPN load, since only those apps’ traffic is sent over the connection. In macOS Ventura and iOS/iPadOS 16, Apple is adding per-app DNS proxy and per-app web content filtering. These protect the traffic of specific apps and features in the same way per-app VPN does, and require no changes to the application itself. DNS proxy supports system-wide or per-app options, while content filtering supports system-wide use or up to seven instances per app.
For eSIM-enabled iPhones, Apple is enabling mobile device management (MDM) software to configure and deliver eSIMs. This can include provisioning new devices, migrating carriers, using multiple carriers, or setting up travel and roaming plans.
Accessibility Settings Management
Apple is known for its wide range of accessibility features for people with special needs. In fact, many people without special needs use many of these features. In iOS/iPadOS 16, Apple allows MDM to automatically configure some of the most common features, including text size, VoiceOver, zoom, touch accommodation, bold text, reduce motion, increase contrast, and reduce transparency. In areas such as special education or hospitals and healthcare, this will be a welcome tool for sharing devices among users with special needs.
What’s new in Apple’s declarative management process?
Apple introduced declarative management last year as an improvement over its original MDM protocol. Its huge advantage is that it offloads much of the business logic, compliance checking and management from the MDM service onto each device, so the device can actively monitor its own state. This eliminates the need for the MDM service to continuously poll device status and then issue commands in response. Instead, devices make changes based on their current state and the declarations sent to them, and report the results back to the service.
Declarative management is based on declarations, which include things such as configurations and activations. One advantage is that a declaration set can include multiple configurations, along with activations indicating when, or whether, each configuration should be applied. This means a single set of declarations can contain the settings for all users, with activations indicating which users they apply to. This reduces the need for a large number of separate configurations, because the device itself determines which configurations should be enabled based on its user.
This year, Apple expanded the areas in which declarative management can be used. Initially, it was only available on iOS/iPadOS 15 devices using user enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 will be supported regardless of enrollment type. This means device enrollment (including supervised devices) is fully supported, as is Shared iPad (a type of enrollment that allows multiple users to share the same iPad, each with their own profile and files).
The company has made it clear that declarative management is the future of device management at Apple, and that any new management capabilities will be implemented only in the declarative model. Traditional MDM has been around for a while, but it is now deprecated and will eventually be retired.
This has major implications for devices already in use. Devices that can’t run macOS Ventura or iOS/iPadOS 16 will eventually be obsolete, and those still in use will need to be replaced. Given the wide range of devices that fall out of support, this could be a costly transition for some organizations. Although it isn’t immediate, you should start to determine the size and cost of the transition and how you will manage it (especially since it may require transitioning to Apple silicon, which does not support running Windows or Windows applications, in the process).
In addition to expanding the products that can use declarative management, Apple has also expanded its capabilities to include support for configuring passcodes, enterprise accounts, and MDM-managed app installation.
Passcode handling is more than simply requiring a passcode of some kind. Passcode compliance has traditionally been a prerequisite for certain security-related configurations, such as delivering a corporate Wi-Fi configuration to a device. In the declarative model, those configurations can be sent to the device before the passcode is set. They are sent together with the passcode requirement and carry an activation that fires only once the user has created a passcode that complies with the policy. When the user sets the passcode, the device detects the change, activates the Wi-Fi configuration sent by the MDM service, connects to Wi-Fi immediately, and notifies the service that the configuration is active.
Accounts – which can include mail, notes, calendars, and subscribed calendars – work in a similar fashion. A declaration set can specify all supported account types within the organization, as well as all subscribed calendars. The device then determines which to activate based on the user’s account and role within the organization.
MDM app installation is the most important addition to declarative management, as app installation is one of MDM’s most resource-intensive tasks and the biggest bottleneck in bulk device activation. Declarations can specify every application that might be installed, together with their activations, and be sent to the device even before it is handed to the user. As with accounts, the device determines which app installation settings are enabled and offered based on the user. This avoids each device repeatedly querying the service and downloading each app and its settings. It also simplifies and speeds up activating (or deactivating) applications when the user’s role changes.
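The passcode, account and app-installation scenarios above all follow one pattern: the server pushes configurations plus activations once, and the device evaluates the activations locally whenever its state changes, reporting only what changed. The following is an added illustration of that pattern, written for this page; it is not Apple's declaration schema, not Apple Configurator or MDM vendor code, and the configuration identifiers, the `user_role` attribute and the predicate style are constructed assumptions.

```python
# Added illustration (not Apple's declaration schema and not any MDM vendor's
# code): a simplified model of how a device under declarative management
# evaluates activations locally and reports only the changes, instead of
# waiting for the server to poll it and issue commands.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Configuration:
    identifier: str   # constructed identifiers such as "wifi.corp"
    kind: str         # "wifi", "account" or "app" in this model
    payload: dict     # settings applied when the configuration is active


@dataclass(frozen=True)
class Activation:
    identifier: str
    configurations: Tuple[str, ...]             # activated together
    predicate: Callable[["DeviceState"], bool]  # evaluated on the device


@dataclass
class DeviceState:
    passcode_compliant: bool = False
    user_role: Optional[str] = None   # hypothetical role attribute, e.g. "sales"


class Device:
    """Device-side agent: stores declarations, re-evaluates on every state change."""

    def __init__(self) -> None:
        self.state = DeviceState()
        self.configurations: Dict[str, Configuration] = {}
        self.activations: Dict[str, Activation] = {}
        self.active: Set[str] = set()
        self.status_reports: List[Tuple[str, str]] = []  # what was reported upstream

    def receive_declarations(self, configurations, activations) -> List[Tuple[str, str]]:
        """Server pushes all declarations once; the device decides what applies."""
        for c in configurations:
            self.configurations[c.identifier] = c
        for a in activations:
            self.activations[a.identifier] = a
        return self._evaluate()

    def on_state_change(self, **changes) -> List[Tuple[str, str]]:
        """Local event (passcode set, user signed in); no server command involved."""
        for name, value in changes.items():
            setattr(self.state, name, value)
        return self._evaluate()

    def _evaluate(self) -> List[Tuple[str, str]]:
        wanted: Set[str] = set()
        for act in self.activations.values():
            # An activation fires only if its predicate holds and every
            # configuration it references has actually been delivered.
            present = all(cid in self.configurations for cid in act.configurations)
            if present and act.predicate(self.state):
                wanted.update(act.configurations)
        changes = [("activated", cid) for cid in sorted(wanted - self.active)]
        changes += [("deactivated", cid) for cid in sorted(self.active - wanted)]
        self.active = wanted
        self.status_reports.extend(changes)  # only deltas go back to the server
        return changes


def corporate_declarations():
    """Constructed sample: Wi-Fi gated on passcode, role-based accounts and apps."""
    configs = [
        Configuration("wifi.corp", "wifi", {"ssid": "CorpNet", "eap": "TLS"}),
        Configuration("account.mail.sales", "account", {"server": "mail.example.com"}),
        Configuration("account.mail.eng", "account", {"server": "mail.example.com"}),
        Configuration("app.crm", "app", {"bundle_id": "com.example.crm"}),
    ]
    activations = [
        Activation("act.wifi", ("wifi.corp",), lambda s: s.passcode_compliant),
        Activation("act.sales", ("account.mail.sales", "app.crm"),
                   lambda s: s.user_role == "sales"),
        Activation("act.eng", ("account.mail.eng",),
                   lambda s: s.user_role == "engineering"),
    ]
    return configs, activations


def walkthrough() -> List[List[Tuple[str, str]]]:
    """Pre-stage everything, then simulate a passcode being set and a role change."""
    device = Device()
    configs, activations = corporate_declarations()
    steps = [device.receive_declarations(configs, activations)]   # nothing active yet
    steps.append(device.on_state_change(passcode_compliant=True))  # Wi-Fi comes up
    steps.append(device.on_state_change(user_role="sales"))
    steps.append(device.on_state_change(user_role="engineering"))
    return steps


if __name__ == "__main__":
    for i, step in enumerate(walkthrough()):
        print(i, step)
```

Note that the server is never consulted between steps: the Wi-Fi configuration was delivered before the passcode existed, and the role change swaps the sales account and CRM app for the engineering account purely from local evaluation, with the server receiving only the delta.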
These are significant improvements, and it’s easy to see why they were the first additions to declarative management after the initial implementation. There are still MDM features that haven’t made the leap to declarative management yet, but it’s clear that eventually — possibly as early as next year — they will.
This is one of WWDC’s most important announcements for businesses, and it’s great to see that Apple has been thoughtful in deciding which features to add or update, as most of them address areas that are difficult, time-consuming, resource-intensive, or tedious. Not only is Apple meeting the needs of business customers, but it is also showing that it understands those needs.