WWDC2024: Apple Device Management made easier!

Victoria Sinclair

Jun 27, 2024

9 min read

Who would have thought it was possible? Apple just got smarter!

But don’t just take my word for it.

During the WWDC2024 keynote, Apple CEO Tim Cook unveiled Apple Intelligence, an avant-garde personal intelligence system. This clever blend of generative models and user-specific context now powers iPhone, iPad, and Mac, delivering intelligence that’s incredibly handy and much more relevant.

WWDC2024 was a testament to Apple’s unwavering dedication to innovation and user-centric design. The event introduced updates that not only enhance user experiences but also elevate device management capabilities for businesses and organizations. Apple reinforced its leadership in integrating cutting-edge technology, prioritizing sustainability, and advancing privacy and security standards across its ecosystem of devices and services.

Apple also unleashed its latest advancement, visionOS 2, a revolutionary update that empowers new ways to interact with Apple Vision Pro. With exciting updates for iOS 18, iPadOS 18, macOS Sequoia, and watchOS 11 right around the corner, Apple has also made significant updates in device management.

But what exactly is new in device management?

Apple kickstarted WWDC2024 with device management advancements in Apple services.

As we know, Apple Business Manager and Apple School Manager are free web-based portals that complement third-party MDM solutions. Together, they streamline device deployment, inventory management, volume app purchases, and user account management. In other words, they make IT admins’ jobs far less stressful.

Automated device enrollment

The ability to manage devices without physical contact was a game-changer. And now, things just got even more exciting. With visionOS 2, Apple Vision Pro can be enrolled through Automated Device Enrollment like any other Apple device.

VisionOS MDM enrollment

Apple Vision Pro can be enrolled using two other methods: Device Enrollment and User Enrollment. Enrolling devices through these methods is as easy as signing in with a managed Apple account. And voila!

Enrolling with a Managed Apple Account, either through Device Enrollment or User Enrollment, enables Data Separation in iCloud Drive, Notes, Reminders, and other apps. It also supports configuring settings and deploying apps using the same process as iPhone and iPad.

(While visionOS 1.1 supports only Device Enrollment and User Enrollment, visionOS 2 also supports Automated Device Enrollment.)

Enhanced security with macOS 15

macOS 15 now supports WebAuthn for secure web authentication during enrollment. Using public key cryptography through ASWebAuthenticationSession both simplifies and hardens device enrollment, with support for hardware security keys and passkeys, which makes it well suited to highly regulated industries.

macOS now also recognizes the Welcome key and Skip key that were originally available only on iOS, streamlining the enrollment experience in the same way.

Activation lock

Activation Lock is enabled automatically on Apple devices when Find My is turned on. It prevents a wiped device from being set up again by anyone other than its owner. In some cases, users leave Activation Lock on, which complicates reprovisioning the device. IT admins can now turn off both organization-activated and user-activated Activation Locks directly from Apple Business Manager.

Moving on to Identity management updates of WWDC2024!

Managed Apple Accounts help organizations own both the account and the data within. In recent years, Apple introduced significant updates to Managed Accounts by adding iCloud support to a wide range of Apple apps and services like Continuity, Developer tools, and Passkeys.

This year, Apple made it easier to adopt Managed Apple Accounts by streamlining the domain capture process and providing more options to ensure all accounts are using your organization’s domain.

Domain capture

Apple requires domain verification when creating a new Managed Apple Account. But without an identity provider that blocks or captures unmanaged accounts, personal Apple accounts using the organization’s domain can still exist and remain unmanaged.

In the latest update, IT admins can restrict sign-in to Managed Apple Accounts. They can also capture unmanaged Apple accounts that use their domain without connecting to an identity provider. Most users create these captured accounts just for work.

Apple now grants users the option to:

  • Choose a different email address, freeing up the account name to be reused.
  • Convert their unmanaged Apple accounts into managed ones and have them added to the organization automatically.

(Note: If users take no action within 30 days, the account remains a personal account and is renamed automatically.)

Patch management updates

Building on last year’s managed software updates, Apple announced at WWDC2024 a new software update settings configuration delivered through declarative device management (DDM), bringing patch management under declarative control.

Declarative device management aims to replace the MDM profiles used for software update restrictions, settings, commands, and queries. The declaration manages all aspects of software updates, including beta updates and notification behavior, and is available on supervised devices running iOS 18, iPadOS 18, and macOS 15 or later.

  • Notification behavior: Admins can now limit update notifications so that alerts appear only one hour before the enforcement time, together with the restart countdown.
  • Beta updates management: It’s easier to manage participation in public beta or AppleSeed programs. Admins control which devices receive beta updates, ensuring that only authorized devices gain access to pre-release versions.

Beta programs

Beta programs grant selected users early access to exclusive software updates. With the help of DDM, enrolling and managing devices in beta testing programs now requires minimal admin intervention.

With DDM,

  • Devices can enroll in multiple beta programs using organization tokens without needing users to sign in with an Apple account.
  • Beta programs can be set up during Automated Device Enrollment in Setup Assistant, starting with iOS and iPadOS 17.5 and macOS 14.5.
  • Subsequent beta updates are available to enrolled devices, allowing admins to enroll different devices in different beta programs.
  • Admins can enforce or defer beta releases like any other software updates on supervised devices.
  • Declarative status reports provide organizations with the ability to track beta program enrollments on managed devices.

The shift towards declarative management automates hands-on tasks and lets updates roll out smoothly without significantly impacting user productivity, so IT admins can redirect their focus to other critical tasks. Because the device applies and reports on declarations itself, DDM keeps devices compliant with minimal effort from IT admins.
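To make the "declarative" part concrete, here is an added example (not code from the article or from Apple) showing how an MDM server side of DDM expresses a software update enforcement: a configuration declaration paired with the activation that switches it on, and the declaration-items manifest whose tokens tell the device that something changed. The declaration types `com.apple.configuration.softwareupdate.enforcement.specific` and `com.apple.activation.simple` and the top-level `Type`/`Identifier`/`ServerToken`/`Payload` keys are real DDM protocol elements; the identifiers beginning with `com.example.`, the version, deadline and URL, and the choice to derive `ServerToken` from a content hash are this example's own assumptions.

```python
import hashlib
import json

# Map a declaration's Type prefix to the group it belongs in inside the
# declaration-items manifest the device fetches.
CATEGORY_BY_PREFIX = {
    "com.apple.configuration.": "Configurations",
    "com.apple.activation.": "Activations",
    "com.apple.asset.": "Assets",
    "com.apple.management.": "Management",
}


def canonical(obj):
    """Deterministic JSON so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def server_token(payload):
    """DDM only requires ServerToken to change whenever the payload changes.
    A content hash satisfies that and is reproducible across server nodes
    (assumption: a real server may use any opaque token scheme)."""
    return hashlib.sha256(canonical(payload)).hexdigest()


def category(decl_type):
    for prefix, cat in CATEGORY_BY_PREFIX.items():
        if decl_type.startswith(prefix):
            return cat
    raise ValueError(f"unknown declaration type: {decl_type}")


def build_declaration(decl_type, identifier, payload):
    category(decl_type)  # reject unknown types early
    return {
        "Type": decl_type,
        "Identifier": identifier,
        "ServerToken": server_token(payload),
        "Payload": payload,
    }


def enforcement_set(target_version, deadline_local, details_url):
    """A configuration that forces an OS update by a local date-time, plus the
    activation that applies it. The activation references the configuration
    by Identifier only, so its own token is unaffected by payload changes."""
    config = build_declaration(
        "com.apple.configuration.softwareupdate.enforcement.specific",
        "com.example.update.enforce",          # constructed identifier
        {
            "TargetOSVersion": target_version,
            "TargetLocalDateTime": deadline_local,  # yyyy-mm-ddThh:mm:ss
            "DetailsURL": details_url,
        },
    )
    activation = build_declaration(
        "com.apple.activation.simple",
        "com.example.update.activate",         # constructed identifier
        {"StandardConfigurations": [config["Identifier"]]},
    )
    return [config, activation]


def declaration_items(declarations):
    """Build the declaration-items manifest. DeclarationsToken changes whenever
    any declaration is added, removed, or re-tokened, which is what prompts the
    device to re-synchronise only what differs."""
    groups = {cat: [] for cat in CATEGORY_BY_PREFIX.values()}
    for d in declarations:
        groups[category(d["Type"])].append(
            {"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]}
        )
    for items in groups.values():
        items.sort(key=lambda i: i["Identifier"])
    return {
        "Declarations": groups,
        "DeclarationsToken": hashlib.sha256(canonical(groups)).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample values: roll a deadline from 18.0 to 18.0.1.
    before = declaration_items(enforcement_set(
        "18.0", "2024-09-30T18:00:00", "https://mdm.example.invalid/notes"))
    after = declaration_items(enforcement_set(
        "18.0.1", "2024-10-07T18:00:00", "https://mdm.example.invalid/notes"))
    print(json.dumps(before, indent=2))
    print("DeclarationsToken changed:",
          before["DeclarationsToken"] != after["DeclarationsToken"])
```

The design point worth noticing is that the device never receives a command here. It compares the manifest's tokens against what it already holds, fetches only the declarations whose `ServerToken` changed, and then enforces the deadline locally, which is why status reports rather than command responses become the source of truth for compliance.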

Safari management

Safari, Apple’s own browser known for its battery efficiency and industry-leading speed, is now better than ever. With the new ability to configure extensions, IT admins can:

  • Define which extensions are allowed.
  • Control whether an extension remains always on or always off.
  • Configure and manage extension access by domain and subdomain for controlled browsing.

All of these configurations apply to Private Browsing mode as well.

That concludes the updates in Apple services.

Now, let’s explore the platform-specific updates introduced by Apple at WWDC2024.

Mac management

Apple introduced new Mac management capabilities at this year’s WWDC2024, giving IT admins greater control over device configuration and security settings.

Configuration files

Macs now accept configuration files for existing services such as sudo, PAM, and SSH, together with executable files, delivered as a zip archive. This creates a tamper-resistant environment for installing IT management tools and other scripts. Additionally, launchd configuration files can be delivered so that these tools run as managed background tasks, which considerably improves efficiency.
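Because a delivered sshd or sudoers fragment lands on the Mac with root-level effect, a practitioner will want a pre-deployment check that the archive contains only what policy allows and a way to verify its contents after the fact. The following added example (not code from the article or from any MDM vendor) lints constructed sample fragments against a small deny-list, packages them into a reproducible zip, and records per-file SHA-256 hashes that can be re-checked against the archive. The file paths, fragment contents and deny-list patterns are this example's own assumptions.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample files an admin might deliver: an sshd_config drop-in and
# a sudoers fragment. Contents are made up for this example.
SAMPLE_FILES = {
    "etc/ssh/sshd_config.d/100-org.conf":
        "PasswordAuthentication no\nPermitRootLogin no\nKbdInteractiveAuthentication no\n",
    "etc/sudoers.d/org-helpdesk":
        "%helpdesk ALL=(root) NOPASSWD: /usr/sbin/softwareupdate\n",
}

# Settings that must never ship in a managed bundle (assumed organisational policy).
FORBIDDEN = [
    (r"^permitrootlogin\s+yes\b", "sshd must not allow root login"),
    (r"^passwordauthentication\s+yes\b", "sshd must not allow password authentication"),
    (r"\ball\s*=\s*\(all(:all)?\)\s+nopasswd:\s*all\b", "sudoers grants unrestricted NOPASSWD"),
]


def lint(path, content):
    """Return a list of policy violations found in one config fragment."""
    problems = []
    for lineno, line in enumerate(content.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, why in FORBIDDEN:
            if re.search(pattern, stripped, re.IGNORECASE):
                problems.append(f"{path}:{lineno}: {why}")
    return problems


def build_bundle(files):
    """Lint every file, then build a byte-for-byte reproducible zip and a
    manifest of SHA-256 hashes keyed by archive path."""
    problems = [p for path, content in files.items() for p in lint(path, content)]
    if problems:
        raise ValueError("policy violations:\n" + "\n".join(problems))
    manifest = {}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(files):
            data = files[path].encode()
            # Fixed timestamp so two builds of the same input are identical,
            # which makes the archive hash itself a usable change indicator.
            info = zipfile.ZipInfo(path, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
            manifest[path] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def verify_bundle(zip_bytes, manifest):
    """Recompute hashes from the archive and compare against the manifest;
    any added, missing, or altered member fails verification."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if names != set(manifest):
            return False
        return all(
            hashlib.sha256(zf.read(name)).hexdigest() == manifest[name]
            for name in names
        )


if __name__ == "__main__":
    archive, manifest = build_bundle(SAMPLE_FILES)
    print(f"bundle: {len(archive)} bytes, sha256 {hashlib.sha256(archive).hexdigest()}")
    for path, digest in manifest.items():
        print(f"  {digest}  {path}")
    print("verified:", verify_bundle(archive, manifest))
```

On a Mac the sudoers fragment should additionally be syntax-checked with `visudo -c -f <file>` before it is packaged, since a malformed sudoers file can lock administrators out; the lint above only catches policy problems, not syntax errors.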

Disk management

With Apple’s new disk management configuration, IT admins can manage external and network storage. Admins can now allow or block external and network storage entirely, or restrict such volumes to read-only access.

Platform Single Sign-on

Platform SSO now extends identity provider (IdP) authentication to unlocking FileVault, and IdP authentication can also be required at the login window and lock screen. Users can still unlock the screen saver with Touch ID or Apple Watch when “Allow Touch ID” and “Watch for Unlock” are enabled.

Alongside stronger security through HPKE (hybrid public key encryption), convenience also improves: the offline grace period is extended for devices that cannot reach the network.

iOS and iPadOS management

Apple introduced groundbreaking enhancements to iOS and iPadOS management at WWDC2024, emphasizing security, usability, and customization.

Cellular updates

New restrictions now protect eSIMs from deletion and unwanted transfer:

  • Force preserve eSIM: Prevents the eSIM from being removed when the device is erased locally.
  • Allow eSIM outgoing transfers: Controls whether the eSIM can be transferred to a newly set-up device.

Additionally, users can now touch and hold a QR code or click on a link to set up eSIM on a device they’re configuring, making it easier than ever to set up their own devices.

Once a managed app is configured for both a 5G network slice and per-app VPN, all of that app’s traffic routes over the specified network slice while still passing through the VPN.

iOS and iPadOS 18 will support multiple Private Cellular Network payloads, allowing configurations of up to five private 5G or LTE networks.

Hide or lock apps

Apple allows users to hide or lock apps using Face ID, Touch ID, or a passcode.

Specifically, on a supervised device, organizations can lock and hide all apps at once or selectively on a per-app basis.

However,

  • Restricting the ability to lock an app also limits the ability to hide it.
  • Hidden managed apps under User Enrollment, and hidden apps under Device Enrollment, remain visible to the MDM.

Stolen device protection

Apple now delays critical operations by an hour when the device is in an unfamiliar location. This security delay prevents an intruder holding the device from performing actions such as enrolling it in MDM, manually adding an Exchange account, or manually installing passcode declarations or Exchange payloads.

(Note: In iOS 18, newly set-up devices with no familiar locations are exempt, allowing a 3-hour window after Stolen Device Protection is activated in which to enroll in an MDM.)

Trust In-House apps

New in iOS and iPadOS 18, installing any proprietary in-house application requires a device restart in addition to trusting the developer identity in Settings. Each new Team ID requires one device restart.

However, any team identities trusted before upgrading to iOS and iPadOS 18 are migrated without requiring a restart, provided the app using that identity remains installed.

Is that all from WWDC2024? Not at all!

Advancements in the device management world keep rolling in. There’s always more to come.

Stay tuned for further updates on device management and WWDC2024! For more insightful articles, check out our latest blogs here.

Victoria Sinclair

Product Evangelist @ Hexnode. Spiraling down the inkwhirl!
