At last week’s WWDC, Apple released a number of changes that affect overall device management or apply to declarative management used on individual devices. Here’s a summary of the changes and why they’re important.
by Ryan Faas
As expected, at WWDC Apple announced a number of significant changes to the way Macs, iPads, iPhones and Apple TVs are handled in business and education environments. These changes fall into two groups: those that affect overall device management and those that apply to declarative management (a new type of device management introduced by Apple last year in iOS 15).
It is important to look at each group separately to better understand the changes.
How did Apple change global device management?
Apple Configurator for iPhone has been significantly expanded. Apple Configurator has long been a manual method of enrolling iPhones and iPads into management, as opposed to automated or self-enrollment tools. The tool, originally bundled as a Mac app, could set up devices, but it had a major drawback: devices had to be connected via USB to the Mac running the app. This had obvious time and labor implications for anything other than a small environment.
Last year, Apple introduced an iPhone version of Configurator that reversed the workflow of the original, meaning an iPhone version of the app could be used wirelessly to enroll Macs into management. It was primarily used to enroll Macs that were purchased outside of Apple’s Business/Education channel into Apple Business Manager (Apple products purchased through the channel can be self-enrolled with a zero-touch setup).
The iPhone incarnation is incredibly simple. During the setup process, you point an iPhone camera at an animation on your Mac screen (like pairing an Apple Watch) and it triggers the enrollment process.
The big change this year is that Apple has extended Apple Configurator for iPhone to enroll both iPads and iPhones using the same process, eliminating the need to connect devices to a Mac. This greatly reduces the time and effort required to enroll these devices. There is one caveat: devices that require cellular activation or that are locked will need that handled manually before Configurator can be used.
Apple has made useful changes to managing identities in enterprise environments. Most importantly, it now supports additional identity providers, including Google Workspace and OAuth 2, enabling an expanded set of providers. (Azure AD was already supported.) These identity providers can be used in conjunction with Apple Business Manager to generate Managed Apple IDs for employees.
The company also announced that single sign-on enrollment will roll out across its platforms after macOS Ventura and iOS/iPadOS 16 arrive this fall. The goal is to make user enrollment easier and more streamlined by requiring users to authenticate only once. Apple also announced Platform Single Sign-On, an effort to expand and simplify access to enterprise apps and websites each time users authenticate on their device(s).
User managed network
Apple has long had per-app VPN, which allows only specific corporate or work apps to use an active VPN connection. This keeps the security of a VPN while limiting VPN load, because only application-specific traffic is sent over the connection. With macOS Ventura and iOS/iPadOS 16, Apple adds per-app DNS proxy and per-app web content filtering. These secure traffic for specific apps and function in the same way as per-app VPN, and they do not require changes to the applications themselves. DNS proxy supports system-wide or per-app options, while content filtering supports system-wide or up to seven instances per app.
For iPhones that support eSIMs, Apple allows mobile device management (MDM) software to set up and provision an eSIM. This may include provisioning a new device, migrating carriers, using multiple carriers, or setting up for travel and roaming.
Manage accessibility settings
Apple is well known for its wide range of accessibility features for people with special needs. In fact, many people without special needs also use these features. In iOS/iPadOS 16, Apple allows MDM to automatically configure a handful of the most common ones, including text size, VoiceOver, zoom, touch accommodations, bold text, reduced motion, increased contrast and reduced transparency. This will be a welcome tool in areas such as special education or hospital and healthcare settings where devices may be shared among users with special needs.
What’s new in Apple’s declarative management process?
Apple unveiled declarative management last year as an improvement over its original MDM protocol. Its great advantage is that it moves much of the business logic, compliance and management from the MDM service to each device. As a result, devices can proactively monitor their own status. This eliminates the need for the MDM service to constantly poll each device's status and then issue commands in response. Instead, devices make changes themselves based on their current state and the declarations sent to them, and report those changes back to the service.
Declarative management is based on declarations, which contain items such as activations and configurations. One advantage is that a declaration can include multiple configurations as well as activations that indicate when, or whether, each configuration should be applied. This means a single declaration can include all settings for all users, along with activations that specify which users each applies to. This reduces the need for large sets of different configurations, because the device itself can determine which ones should be enabled based on its user.
This year, Apple has expanded the areas where declarative management can be used. Initially, it was only available on iOS/iPadOS 15 devices that used User Enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 will be supported, regardless of enrollment type. This means device enrollment (including supervised devices) is supported across the board, as is Shared iPad (a type of enrollment that allows multiple users to share the same iPad, each with their own configuration and their own files).
The company has made it clear that declarative management is the future of Apple device management and that any new management features will only be implemented in the declarative model. Although traditional MDM will still be available for a while, it is now legacy and will eventually be phased out.
This has major implications for devices already in use. Devices that cannot run macOS Ventura or iOS/iPadOS 16 will eventually have to be retired, and those still in service will need to be replaced. Given the range of devices that are no longer supported, this could mean a costly transition for some organizations. Although it won't be immediate, you need to start figuring out how big and expensive the transition will be and how you'll manage it (particularly as it will likely require a move to Apple Silicon, which does not support running Windows or Windows applications).
In addition to expanding the products that can use declarative management, Apple has also expanded its functionality, including support for setting up passcodes, enterprise accounts, and installing MDM-managed apps.
The passcode option is more complex than simply requiring a passcode of a certain type. Passcode compliance has traditionally been a prerequisite for certain security-related configurations, such as sending the corporate Wi-Fi configuration to a device. In the declarative model, these settings can be sent to the device before a passcode is set. They are sent along with the passcode requirement and include an activation that will only apply them once the user creates a passcode that complies with the policy. After the user sets a passcode, the device detects the change and immediately activates the Wi-Fi configuration, then notifies the MDM service that it has been activated.
Accounts – which can include things like mail, notes, calendars and subscribed calendars – work the same way. A declaration can specify all supported account types within the organization, as well as all subscribed calendars. The device will then determine – based on the user's account and role(s) within the organization – which of them to activate.
Installing MDM-managed apps is the most important addition to declarative management, because app installation is one of the tasks that places the heaviest load on an MDM service and is the biggest bottleneck during mass device activations. A declaration can specify all potential applications to be installed and be sent to a device upon activation, even before it has been delivered to its user. Again, the device determines which app installation configurations to enable and make available, depending on the user. This avoids each device having to repeatedly query the service and download apps and their settings. It also simplifies and speeds up enabling (or disabling) apps if a user's role changes.
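The passcode, account and app scenarios above all rely on the same mechanism: a device holds one set of declarations, evaluates each activation's conditions against its own state, and reports back only what changed. The following Python model, added here as an illustration and not Apple's code or its real declaration schema (the declaration types, keys, predicate format and sample payloads are constructed for the example), shows that loop: the corporate Wi-Fi configuration stays dormant until the locally set passcode meets the policy, and a role change swaps the user's account and app configurations without any new command from the MDM service.

```python
"""Simplified model of declarative device management (DDM).

Added example: not Apple's code and not the real declaration schema. The
types, keys, predicate format and sample payloads are constructed to show how
a device evaluates activations locally and reports status changes.
"""
import json
from dataclasses import dataclass, field

# Constructed sample: a single declaration set sent once to every device.
SAMPLE_DECLARATIONS = json.loads("""
{
  "configurations": [
    {"id": "passcode.policy", "type": "passcode", "payload": {"minimum_length": 6}},
    {"id": "wifi.corp", "type": "wifi", "payload": {"ssid": "corp-example"}},
    {"id": "account.mail.sales", "type": "mail", "payload": {"host": "mail.example.com"}},
    {"id": "app.crm", "type": "app", "payload": {"bundle_id": "com.example.crm"}},
    {"id": "app.tracker", "type": "app", "payload": {"bundle_id": "com.example.tracker"}}
  ],
  "activations": [
    {"id": "act.baseline", "configurations": ["passcode.policy"], "predicate": {}},
    {"id": "act.wifi", "configurations": ["wifi.corp"],
     "predicate": {"passcode_compliant": true}},
    {"id": "act.sales", "configurations": ["account.mail.sales", "app.crm"],
     "predicate": {"user_role": "sales"}},
    {"id": "act.engineering", "configurations": ["app.tracker"],
     "predicate": {"user_role": "engineering"}}
  ]
}
""")


@dataclass(frozen=True)
class Change:
    """What one evaluation pass turned on and off."""
    activated: frozenset
    deactivated: frozenset


@dataclass
class Device:
    declarations: dict
    state: dict                      # raw facts: passcode_length, user_role, ...
    active: set = field(default_factory=set)
    status_reports: list = field(default_factory=list)

    def derived_state(self) -> dict:
        """Facts the device computes about itself, with no round trip to the server.

        Passcode compliance is derived from the strictest passcode policy in the
        declaration set, so the Wi-Fi activation can depend on it.
        """
        facts = dict(self.state)
        min_len = max(
            (c["payload"]["minimum_length"]
             for c in self.declarations["configurations"] if c["type"] == "passcode"),
            default=0,
        )
        facts["passcode_compliant"] = facts.get("passcode_length", 0) >= min_len
        return facts

    def evaluate(self) -> Change:
        """Apply every configuration whose activation predicate holds; drop the rest."""
        facts = self.derived_state()
        wanted = set()
        for act in self.declarations["activations"]:
            # Empty predicate means "always"; otherwise every key must match.
            if all(facts.get(k) == v for k, v in act["predicate"].items()):
                wanted.update(act["configurations"])
        change = Change(frozenset(wanted - self.active), frozenset(self.active - wanted))
        self.active = wanted
        if change.activated or change.deactivated:
            # Status report: the device tells the MDM service what it changed.
            self.status_reports.append({
                "activated": sorted(change.activated),
                "deactivated": sorted(change.deactivated),
            })
        return change

    def update_state(self, **facts) -> Change:
        """A local event (passcode set, role changed) triggers re-evaluation."""
        self.state.update(facts)
        return self.evaluate()


def demo() -> list:
    """Walk one device through passcode setup and a role change; return its reports."""
    dev = Device(SAMPLE_DECLARATIONS, {"passcode_length": 0, "user_role": "sales"})
    dev.evaluate()                          # baseline + sales configs, Wi-Fi withheld
    dev.update_state(passcode_length=4)     # too short: nothing changes, no report
    dev.update_state(passcode_length=6)     # compliant: Wi-Fi activates
    dev.update_state(user_role="engineering")  # sales configs off, tracker app on
    return dev.status_reports


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The point to notice is where the decisions are made: the MDM service sends the whole declaration set once, and every subsequent transition (a short passcode being rejected, Wi-Fi coming up, the sales mailbox being removed on a role change) is decided on the device and surfaces to the service only as a status report.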
These are significant improvements and it’s easy to see why these are the first additions to declarative management after its initial implementation. There are still MDM features that haven’t made the leap to declarative use yet, but it’s obvious that they will eventually, perhaps as early as next year.
This is one of WWDC's biggest announcements for business, and it's good to see that Apple put some thought into which features to add or update, as most of them deal with difficult, time-consuming, resource-intensive or tedious areas. Apple not only meets the needs of business customers, it also demonstrates that it understands those needs.