Eugene Raynor

WWDC23 for IT admins – What’s new in Apple device management

Eugene Raynor

Jun 7, 2023

7 min read

Another year, another WWDC.

As expected, new versions of Apple operating systems for macOS, iOS, iPadOS, watchOS and tvOS were introduced, along with a slew of new features and innovative technology. All-in-all, a typical WWDC event that we’ve come to familiarity with from the previous years…

…Is how I had planned this blog would go. However, the folks at Apple had other ideas.

WWDC23 – Highlights from the opening keynote

Not only did this year’s WWDC23 keynote offer up an opportunity for viewers to size up the new updates to the above-mentioned device platforms, more importantly, today (June 5th, 2023) shall go down as the day Apple finally unveiled its first major new product in eight years – The Apple Vision Pro headset (Apple’s first-ever spatial computer). A mind-blowing and potentially historical piece of hardware.

“It’s the first Apple product you look through and not at,”

– Apple CEO Tim Cook, at WWDC23

Moving on, the keynote also saw Apple unveil new versions for their existing products, including:

  • The new 15-inch MacBook Air
  • The new Mac Studio and Mac Pro

Along with updates for,

  • iOS 17
  • iPadOS 17
  • tvOS 17
  • watchOS 10
  • macOS Sonoma
  • 2nd generation AirPods Pro

However, for IT admins, this is simply partial information. The essential question that needs answering is this:

What changes can we expect in Apple device management?

The short answer? A lot. A lot of changes.

With WWDC23 taking place from June 6th all the way till June 9th, there are numerous changes that must be thoroughly discussed in detail, and more blogs will follow for each key update.

However, for the sake of simplicity, this particular blog shall provide a quick and concise overview on some of the key new features and updates unveiled at WWDC23, pertaining to Apple device management.

Let’s take a look.

1: Updates to Apple’s Automated Device Enrollment

Automated Device Enrollment has been around for a while now. It’s a service that comes bundled with Apple Business Manager, and Apple School Manager, that assists in providing a seamless device enrollment and setup experience for end-users.

With Apple’s update to ADE for macOS 14.0 (Sonoma) devices and above, organizations can now ensure that specific security configurations are pre-set on the Mac before the device is enrolled and users log in for the first time. This includes:

  • Ensuring FileVault enablement right during Setup Assistant. Admins can also choose to show the FileVault recovery key during the Setup Assistant process or escrow it to the MDM/UEM solution.
  • Ensuring the device is on a specific operating system version before enrollment. If the minimum OS version is not met, the user will be guided through a system update process before enrollment.
  • Enforcing safeguards to ensure the user completes Automated Device Enrollment process once connected to a network. In the current workflow, the enrollment process can be skipped if the Mac is not connected to a network during the initial setup. With the new update, the user will be given two options: either to continue the enrollment, or to temporarily skip the enrollment. Choosing the latter will give the user eight hours before they’re forced to enroll in the MDM/UEM.

2: Updates to Platform Single Sign-On

Previously in macOS Ventura, Platform Single Sign-On made it possible to authenticate users with their Identity Provider (IdP) credentials, enabling the users to get access to their respective services.

With the new update, users can repair their registration or reauthenticate with the Identity Provider directly from the System Settings menu. 

Moreover, Platform SSO now also supports on-demand creation of a local user account on the Mac during authentication of a new user with the organization’s IdP. However, there are some pre-requisites: 

  • The Mac must be able to connect to the IdP.  
  • The Mac must be at login window with FileVault unlocked.  
  • The MDM/UEM solution must support Bootstrap Tokens. (P.S, we do 🙂) 

Furthermore, IdP groups can be created and assigned with user permissions (standard user permissions, administrator privileges, or permissions defined by the group membership.) 

3: Streamline student and teacher sign-ins on iPads with Managed Apple ID

Apple has made the sign-in process on student and teacher iPads simpler. With the new update, teachers can initiate the sign-in flow by bringing the student and teacher iPads in close proximity. A sign-in proximity card opens up on the teacher’s device, which on interacting with, turns into a camera scan on the teacher’s iPad, and a particle cloud on the student’s iPad. The teacher can then scan the particle cloud and assign the device to the respective student. 

Here too, there are some pre-requisites: 

  • The teacher and student must belong to the same Apple School Manager location. 
  • Both devices must be in physical proximity to each other.  
  • If the student is using a personal device, they must authorize the teacher to enable this functionality. 

4: Return to Service for iOS and iPadOS

This new update automates the process of having a disenrolled device (a device that was removed from an MDM/UEM server) ready for deployment and automatically enrolled. 

In the current workflow, once a device is disenrolled, an IT admin must physically configure the device for it to be re-enrolled to the MDM/UEM server. 

However, with the new Return to Service feature for iOS and iPadOS, the ‘Erase’ command sent by the MDM/UEM server can be configured to include additional information, which enables the device to automatically reset, securely erase all data, connect to Wi-Fi, and automatically enroll into the MDM/UEM server, ready to be used. 

5: Updates to Password management

Passwords are an essential part of ensuring endpoint security, and consequently some businesses may have more complex password requirements. 

This update brings about support for using regular expressions when defining password policies. Moreover, for macOS 14 and above, the way password compliance is communicated has been updated, such that on instance of password non-compliance, a notification will be displayed to the end-user. If the user decides to change the password at a later time, the same notification will be shown every time the user logs in until the password is compliant. 

6: Updates to Mac restrictions

In the current workflow, during cases where organizations were required to restrict the settings users could configure on a Mac, entire panes were hidden to fulfill this requirement. 

With the introduction of System Settings on macOS 14, admins can customize the restrictions in order to implement a granular management approach. 

7: Managed Device Attestation is now available on macOS

Managed device attestation is now coming to macOS. Managed Device Attestation in essence, ensures that genuine devices can access resources reliably while preventing potential access attempts from attackers. Check out the following blog for more information on how Managed Device attestation works. 

What is Managed Device Attestation for iOS, iPad and tvOS?

8: Updates to Apple configurator for iPhone

Apple Configurator for iPhone has been used by many IT admins to add devices to their instances of ABM or ASM. Previously, performing this action was a two-step process. 

  1. The device should be added to the organization. 
  2. The device must be assigned to the MDM server. 

With the new update, users can now automatically assign each device to an MDM server right in Apple Configurator. 

9: Introducing Shortcuts on Apple configurator for Mac

Apple has now provided the option for users to automate Apple Configurator workflows with the help of Shortcut actions. Admins can set up custom Shortcut actions to update, restore, erase, and prepare iPhone and iPad devices. These shortcuts can be triggered to run when a device attaches or detaches. 

Is there more?

Yes. There are still a lot more updates and features pertaining to Apple Device Management that will potentially be discussed in the upcoming sessions at WWDC23. Here are some of the forthcoming sessions:

We shall update this blog with more information as it comes by. As always, stay tuned for more blogs and updates here.

Share
Eugene Raynor

Seeking what's there lurking over the horizon.

Share your thoughts