Another year, another WWDC.
As expected, new versions of Apple operating systems for macOS, iOS, iPadOS, watchOS and tvOS were introduced, along with a slew of new features and innovative technology. All-in-all, a typical WWDC event that we’ve come to familiarity with from the previous years…
…Is how I had planned this blog would go. However, the folks at Apple had other ideas.
- WWDC23 – Highlights from the opening keynote
- What changes can we expect in Apple device management?
- 1: Updates to Apple’s Automated Device Enrollment
- 2: Updates to Platform Single Sign-On
- 3: Streamline student and teacher sign-ins on iPads with Managed Apple ID
- 4: Return to Service for iOS and iPadOS
- 5: Updates to Password management
- 6: Updates to Mac restrictions
- 7: Managed Device Attestation is now available on macOS
- 8: Updates to Apple configurator for iPhone
- 9: Introducing Shortcuts on Apple configurator for Mac
- Is there more?
- Simplify Apple device management
WWDC23 – Highlights from the opening keynote
Not only did this year’s WWDC23 keynote offer up an opportunity for viewers to size up the new updates to the above-mentioned device platforms, more importantly, today (June 5th, 2023) shall go down as the day Apple finally unveiled its first major new product in eight years – The Apple Vision Pro headset (Apple’s first-ever spatial computer). A mind-blowing and potentially historical piece of hardware.
“It’s the first Apple product you look through and not at,”
– Apple CEO Tim Cook, at WWDC23
Moving on, the keynote also saw Apple unveil new versions for their existing products, including:
- The new 15-inch MacBook Air
- The new Mac Studio and Mac Pro
Along with updates for,
- iOS 17
- iPadOS 17
- tvOS 17
- watchOS 10
- macOS Sonoma
- 2nd generation AirPods Pro
However, for IT admins, this is simply partial information. The essential question that needs answering is this:
What changes can we expect in Apple device management?
The short answer? A lot. A lot of changes.
With WWDC23 taking place from June 6th all the way till June 9th, there are numerous changes that must be thoroughly discussed in detail, and more blogs will follow for each key update.
However, for the sake of simplicity, this particular blog shall provide a quick and concise overview on some of the key new features and updates unveiled at WWDC23, pertaining to Apple device management.
Let’s take a look.
1: Updates to Apple’s Automated Device Enrollment
Automated Device Enrollment has been around for a while now. It’s a service that comes bundled with Apple Business Manager, and Apple School Manager, that assists in providing a seamless device enrollment and setup experience for end-users.
With Apple’s update to ADE for macOS 14.0 (Sonoma) devices and above, organizations can now ensure that specific security configurations are pre-set on the Mac before the device is enrolled and users log in for the first time. This includes:
- Ensuring FileVault enablement right during Setup Assistant. Admins can also choose to show the FileVault recovery key during the Setup Assistant process or escrow it to the MDM/UEM solution.
- Ensuring the device is on a specific operating system version before enrollment. If the minimum OS version is not met, the user will be guided through a system update process before enrollment.
- Enforcing safeguards to ensure the user completes Automated Device Enrollment process once connected to a network. In the current workflow, the enrollment process can be skipped if the Mac is not connected to a network during the initial setup. With the new update, the user will be given two options: either to continue the enrollment, or to temporarily skip the enrollment. Choosing the latter will give the user eight hours before they’re forced to enroll in the MDM/UEM.
2: Updates to Platform Single Sign-On
Previously in macOS Ventura, Platform Single Sign-On made it possible to authenticate users with their Identity Provider (IdP) credentials, enabling the users to get access to their respective services.
With the new update, users can repair their registration or reauthenticate with the Identity Provider directly from the System Settings menu.
Moreover, Platform SSO now also supports on-demand creation of a local user account on the Mac during authentication of a new user with the organization’s IdP. However, there are some pre-requisites:
- The Mac must be able to connect to the IdP.
- The Mac must be at login window with FileVault unlocked.
- The MDM/UEM solution must support Bootstrap Tokens. (P.S, we do 🙂)
Furthermore, IdP groups can be created and assigned with user permissions (standard user permissions, administrator privileges, or permissions defined by the group membership.)
3: Streamline student and teacher sign-ins on iPads with Managed Apple ID
Apple has made the sign-in process on student and teacher iPads simpler. With the new update, teachers can initiate the sign-in flow by bringing the student and teacher iPads in close proximity. A sign-in proximity card opens up on the teacher’s device, which on interacting with, turns into a camera scan on the teacher’s iPad, and a particle cloud on the student’s iPad. The teacher can then scan the particle cloud and assign the device to the respective student.
Here too, there are some pre-requisites:
- The teacher and student must belong to the same Apple School Manager location.
- Both devices must be in physical proximity to each other.
- If the student is using a personal device, they must authorize the teacher to enable this functionality.
4: Return to Service for iOS and iPadOS
This new update automates the process of having a disenrolled device (a device that was removed from an MDM/UEM server) ready for deployment and automatically enrolled.
In the current workflow, once a device is disenrolled, an IT admin must physically configure the device for it to be re-enrolled to the MDM/UEM server.
However, with the new Return to Service feature for iOS and iPadOS, the ‘Erase’ command sent by the MDM/UEM server can be configured to include additional information, which enables the device to automatically reset, securely erase all data, connect to Wi-Fi, and automatically enroll into the MDM/UEM server, ready to be used.
5: Updates to Password management
Passwords are an essential part of ensuring endpoint security, and consequently some businesses may have more complex password requirements.
This update brings about support for using regular expressions when defining password policies. Moreover, for macOS 14 and above, the way password compliance is communicated has been updated, such that on instance of password non-compliance, a notification will be displayed to the end-user. If the user decides to change the password at a later time, the same notification will be shown every time the user logs in until the password is compliant.
6: Updates to Mac restrictions
In the current workflow, during cases where organizations were required to restrict the settings users could configure on a Mac, entire panes were hidden to fulfill this requirement.
With the introduction of System Settings on macOS 14, admins can customize the restrictions in order to implement a granular management approach.
7: Managed Device Attestation is now available on macOS
Managed device attestation is now coming to macOS. Managed Device Attestation in essence, ensures that genuine devices can access resources reliably while preventing potential access attempts from attackers. Check out the following blog for more information on how Managed Device attestation works.
8: Updates to Apple configurator for iPhone
Apple Configurator for iPhone has been used by many IT admins to add devices to their instances of ABM or ASM. Previously, performing this action was a two-step process.
- The device should be added to the organization.
- The device must be assigned to the MDM server.
With the new update, users can now automatically assign each device to an MDM server right in Apple Configurator.
9: Introducing Shortcuts on Apple configurator for Mac
Apple has now provided the option for users to automate Apple Configurator workflows with the help of Shortcut actions. Admins can set up custom Shortcut actions to update, restore, erase, and prepare iPhone and iPad devices. These shortcuts can be triggered to run when a device attaches or detaches.
Is there more?
Yes. There are still a lot more updates and features pertaining to Apple Device Management that will potentially be discussed in the upcoming sessions at WWDC23. Here are some of the forthcoming sessions:
- June 7th – Passkeys with iCloud keychain
- June 7th – Updates to Declarative device management
- June 8th – Updates to Managed Apple IDs
- June 9th – Device management for Apple Watch
We shall update this blog with more information as it comes by. As always, stay tuned for more blogs and updates here.
Simplify Apple device management
Use Hexnode to streamline your Apple device management workflows.
GET 14-DAY FREE TRIAL
Share your thoughts