WWDC 2020

1 July 2020

The Worldwide Developer Conference (WWDC) is Apple's yearly conference, where the new versions of Apple's operating systems are announced. This year the conference was completely virtual because of the coronavirus measures. In this write-up we focus on the announcements that are relevant to enterprises: the new device and app management capabilities in iOS 14, iPadOS 14 and macOS 11 (Big Sur). WWDC is a week full of developer-centric sessions, but there is still a lot in them for Enterprise Mobility Management. The most important sessions for enterprises are:

  • Deploy Apple devices using zero-touch
  • What's new in managing Apple devices
  • Leverage enterprise identity and authentication
  • Custom app distribution with Apple Business Manager (recommended if you distribute in-house applications for iOS or iPadOS)

The sessions are around 30 minutes long, clearly explained and very informative; we encourage everybody who manages Apple devices to watch them.

macOS 11 Enterprise features
This year there was a big focus on macOS management. There is a new fast enrollment method for Macs called Auto Advance. It requires Apple Business Manager (ABM) or Apple School Manager (ASM), the Mac must get its network configuration over DHCP, and it needs to be plugged in to power and connected to Ethernet. Enrollment then skips all Setup Assistant steps and completes without anyone touching the Mac, which makes it a great option for enterprises that deploy large numbers of devices or push large applications. Because the Mac enrolls without any user confirmation, the device assignment in ABM/ASM effectively decides which MDM gets control of it, so keep that assignment under control.

For the Mac Pro a new feature called Lights Out Management (LOM) is available. You need a Mac enrolled in the same MDM that acts as the LOM controller; through that controller you can start up, shut down or reboot Mac Pros over the network.

Supervision of user-approved enrollments is now possible on the Mac. Enrollments via DEP already had the option to put the system in supervised mode; now a Mac is also supervised when the user enrolls it (user-initiated, user-approved enrollment). That unlocks the supervised-only configurations, such as scheduled software updates. The managed software update capabilities that were previously only available for iOS and iPadOS are included in macOS Big Sur: you can force software updates (and restart the Mac afterwards), defer macOS updates, and more.

Another step in bringing a fundamental iOS and iPadOS feature to macOS is Managed Mac Apps. When you push an app from your MDM to a Mac it is flagged as managed, as has long been the case on iOS and iPadOS. In this managed state the MDM is able to remove the app when the device is unenrolled. When the app is already present on the device, the MDM can convert it to managed. Managed app configuration will follow.

When you manage macOS devices in your enterprise, content caching is recommended. The recovery image used for Internet Recovery can now also be cached, which makes that process a lot quicker.

Once again an iOS and iPadOS feature is added to macOS Big Sur. Downloaded profiles were introduced in iOS for non-DEP enrollment scenarios and are meant to make it harder to install a configuration profile by accident: a profile offered by an unexpected website is no longer one tap away from being active. This changed the workflow for enrolling non-DEP devices and made it a little less intuitive. The same behaviour now exists in macOS Big Sur.

On macOS you need to go to System Preferences, where the downloaded profile remains for 8 minutes before it is automatically removed, and install it manually. Profile installation from the command line (for example from a script) is treated the same way: the user still has to explicitly go to System Preferences and install the profile manually, so enrollment scripts that relied on silent installation need to be revisited.

iOS 14 and iPadOS 14 Enterprise features
For iOS and iPadOS Apple announced some new management features. There are new skip keys for the Getting Started and Update Complete Setup Assistant screens in iOS and iPadOS 14. Setup Assistant payloads, previously only available on macOS, are now also available for iOS and iPadOS 14. When you enroll a device using DEP it gets an enrollment profile that defines which Setup Assistant screens to skip; when new versions of iOS and iPadOS add new screens, the Setup Assistant payload lets you make already-enrolled devices aware of the change and skip those screens too. This works for all supervised devices, so also for devices that became supervised through provisional DEP or Apple Configurator.

Apple introduced Shared iPad for Business. With the release of iPadOS 13.4 and new features in iPadOS 14 it is possible to set up an iPad in shared mode as an Apple-native solution; several MDM vendors had built their own shared-device solutions on top of iOS and iPadOS because of the demand for this, especially in industry and healthcare. Shared iPad for Business relies on Apple Business Manager: the accounts used to sign in to a Shared iPad are Managed Apple IDs created in Apple Business Manager, either locally or federated to Azure Active Directory accounts. Each signed-in user gets their own partition on the local storage, and the user's (profile) data is saved in the iCloud account that belongs to the Managed Apple ID. Because of those partitions it is recommended to pick iPads with a lot of storage, usually the higher-spec model. Apple also introduced Temporary Sessions for Shared iPad: with a Temporary Session somebody can sign in to the iPad without a Managed Apple ID and use it for the duration of the session, until sign-out, after which that session's data is deleted.

A great new feature in iOS and iPadOS 14 is non-removable managed apps. On supervised devices an app can be flagged as non-removable, so the end user is not able to remove it. A non-removable managed app also cannot be offloaded, and when a user tries to uninstall it a popup states that the app cannot be removed.

Siri Shortcuts will also adhere to Managed Open-In. If a Shortcut uses data from a managed application in a way the Managed Open-In restrictions do not allow, for example passing it to an unmanaged application, the Shortcut will show that the action is not allowed when it is triggered. This closes a gap where scripting could be used to circumvent Open-In restrictions.

For iOS and iPadOS, Per-Account VPN is announced. In contrast to Per-App VPN, the VPN tunnel is triggered based on which account is in use for the mail, contacts and calendar domains. For example, when you use your enterprise account in the native mail client the tunnel comes up, and when you switch to your personal account in the same client the traffic does not use the VPN.

Apple will also make it possible to configure encrypted DNS queries. iOS and iPadOS devices can already use encrypted DNS (DNS over HTTPS or DNS over TLS), but it will now be configurable from MDM. Besides that, when an iOS or iPadOS device associates with a Wi-Fi network it will present a randomized MAC address, which makes it harder to track devices across networks. If you use MAC addresses to admit devices to a network, make sure to take this change into account. The randomization behaviour per Wi-Fi network can be enforced from within MDM.
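As an added example (not code from the original post or from Apple), the following Python builds the two payloads this paragraph talks about into a .mobileconfig with plistlib, audits such a profile for the weak settings, and checks a list of observed MAC addresses for randomized ones. The payload type and key names (com.apple.dnsSettings.managed with DNSSettings/ProhibitDisablement, com.apple.wifi.managed with DisableAssociationMACRandomization) follow Apple's device management documentation for iOS 14; the payload identifiers, the resolver URL, the SSID and the pre-shared key are placeholders.

```python
"""Added example: encrypted-DNS and Wi-Fi MAC-randomization payloads for iOS 14,
a weak-settings audit, and a randomized-MAC check for MAC-allowlisting networks."""
import plistlib
import uuid

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"   # Apple payload type, iOS 14+
WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"         # Apple payload type


def _common(payload_type, identifier, name):
    # Keys every payload dictionary needs; identifiers here are placeholders.
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def dns_over_https_payload(server_url, server_addresses, prohibit_disablement=True):
    """Device-wide DNS-over-HTTPS resolver. prohibit_disablement=False is the weak
    form: the user can switch the encrypted resolver off in Settings."""
    p = _common(DNS_PAYLOAD_TYPE, "com.example.dns.doh", "Encrypted DNS")
    p["DNSSettings"] = {
        "DNSProtocol": "HTTPS",
        "ServerURL": server_url,                      # placeholder resolver URL
        "ServerAddresses": list(server_addresses),    # IPs used to reach the resolver
    }
    p["ProhibitDisablement"] = prohibit_disablement
    return p


def wifi_payload(ssid, psk, use_hardware_mac):
    """WPA2-PSK network. DisableAssociationMACRandomization=True makes the device
    present its hardware MAC on this SSID, which a MAC-allowlisting network needs."""
    p = _common(WIFI_PAYLOAD_TYPE, f"com.example.wifi.{ssid}", f"Wi-Fi {ssid}")
    p.update({
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "Password": psk,                              # placeholder pre-shared key
        "AutoJoin": True,
        "DisableAssociationMACRandomization": use_hardware_mac,
    })
    return p


def build_mobileconfig(payloads):
    """Wrap payloads in a top-level Configuration profile, serialised as plist XML."""
    profile = _common("Configuration", "com.example.network-hardening", "Network hardening")
    profile["PayloadContent"] = payloads
    return plistlib.dumps(profile)


def audit_mobileconfig(blob, mac_allowlisted_ssids=()):
    """Parse a profile (e.g. exported from the MDM) and flag the weak settings."""
    findings = []
    for p in plistlib.loads(blob).get("PayloadContent", []):
        if p.get("PayloadType") == DNS_PAYLOAD_TYPE:
            if p.get("DNSSettings", {}).get("DNSProtocol") not in ("HTTPS", "TLS"):
                findings.append("DNS payload does not use HTTPS or TLS")
            if not p.get("ProhibitDisablement", False):
                findings.append("DNS payload lets the user disable encrypted DNS")
        elif p.get("PayloadType") == WIFI_PAYLOAD_TYPE:
            ssid = p.get("SSID_STR")
            if ssid in mac_allowlisted_ssids and not p.get("DisableAssociationMACRandomization"):
                findings.append(f"Wi-Fi {ssid}: MAC allowlisting but randomization left on")
    return findings


def is_randomized_mac(mac):
    """Randomized (private) addresses set the locally-administered bit, 0x02 of the
    first octet; a hardware, OUI-assigned address has it clear."""
    first_octet = int(mac.strip().replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def unmatched_randomized(observed, allowlist):
    """Observed client MACs that are randomized and not on the allowlist: the devices
    that will be rejected once they present private addresses."""
    allowed = {m.lower() for m in allowlist}
    return [m for m in observed if m.lower() not in allowed and is_randomized_mac(m)]


if __name__ == "__main__":
    doh = "https://doh.example.com/dns-query"
    weak = build_mobileconfig([dns_over_https_payload(doh, ["192.0.2.53"], False),
                               wifi_payload("corp-iot", "example-psk", use_hardware_mac=False)])
    hardened = build_mobileconfig([dns_over_https_payload(doh, ["192.0.2.53"], True),
                                   wifi_payload("corp-iot", "example-psk", use_hardware_mac=True)])
    print(audit_mobileconfig(weak, ("corp-iot",)))       # two findings
    print(audit_mobileconfig(hardened, ("corp-iot",)))   # []
    # Constructed DHCP-lease observations; the second address is a randomized one.
    print(unmatched_randomized(["3C:22:FB:12:34:56", "DA:A1:19:00:11:22"],
                               ["3c:22:fb:12:34:56"]))   # ['DA:A1:19:00:11:22']
```

Run the audit against a profile exported from your MDM before it goes to a ring of devices; the MAC check is meant for the DHCP or RADIUS logs of a network that still admits clients by hardware address, where any randomized address that shows up is a device that will fail to join once the private address is in use.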

And last but not least, with iOS 14 users can set the default mail and browser app.

General new features and some tips
There is a new Set Time Zone MDM command: a way to set the time zone on your managed devices that does not rely on Location Services.

Apple also announced that it will randomize the serial numbers of all Apple devices. Until now serial numbers contain identifiable information and are structured in batches; Apple will start issuing randomized serial numbers instead, so anything that derives device properties from the serial number format will stop working.

Not a new feature, because it was introduced with iOS and iPadOS 13.4 and macOS 10.15.4, but Apple presented it as new during WWDC 2020: APNs can be used through a proxy configured with Proxy Auto-Config (PAC) files. The APNs traffic must remain end-to-end encrypted; the proxy may forward it but cannot perform TLS inspection on it.

For the Single Sign-on extension, introduced at WWDC 2019, user-channel profile delivery is announced for macOS and Shared iPad for Business. User-channel profiles take priority over system-wide profiles. Through the user channel, user-specific settings can be delivered to the device and used in all Single Sign-on extension modules, so settings like the username on shared device types can be provided for the currently signed-in user. The Single Sign-on module also gets per-app VPN improvements: associated domains in the Single Sign-on configuration can now be used with per-app VPN, so when the SSO flow redirects to an on-premises IdP the VPN is triggered and the authentication to that IdP goes through the tunnel. If certain traffic needs to go to cloud sources for authentication, such as a cloud MFA provider, you can define excluded domains and that traffic will not go through the VPN tunnel.

Also new is SCIM support for federation between Azure Active Directory and Apple Business Manager or Apple School Manager. With SCIM, account information and changes, from account creation through modification to deletion, are kept in sync.

An important tip was given to clear up some confusion around the identity providers that can be used with Managed Apple IDs. As stated before, federation between Apple Business Manager and Azure Active Directory is possible for authentication of Managed Apple IDs. The actual identity provider can be ADFS or another identity service, as long as Azure Active Directory is federated to it. So, through Azure Active Directory, Apple Business Manager and Apple School Manager support a lot of identity providers.

There was a lot of attention for managing macOS devices this year. Apple made an effort to bring management features from iOS and iPadOS to macOS; Managed Mac Apps is an important example. But iOS and iPadOS also get important improvements, like non-removable managed apps and Shared iPad for Business.

We see that Apple is trying to solidify its complete solution and is fully expanding the Apple Business Manager and Apple School Manager capabilities for the enrollment processes and for deploying apps through VPP, with improvements in for example Custom Apps.

This year's WWDC is again packed with new features for enterprises. No big new software ideas, but a lot of improvements to existing ones, like the improvements to the SSO extension introduced last year. Over the last couple of years we have seen an increasing focus on enterprise scenarios at Apple, and this year continues that trend.