What's new in Managing Apple Devices

Additional recommended sessions to watch:
* WWDC 2022 - Adopt declarative device management
* WWDC 2022 - Explore Apple Business Essentials
* WWDC 2022 - Discover Managed Device Attestation

Topics in this session:
* Apple Configurator
* Identity technology across platforms
* Protocol modifications to macOS Ventura, iOS 16 and iPadOS 16
* Changes to how Apple is providing documentation

Apple Configurator for iPhone

Enables adding Macs purchased outside of normal sales channels to Apple Business Manager (ABM) and Apple School Manager (ASM). As of iOS 16 and iPadOS 16, Apple Configurator for iPhone can add Macs, iPhones and iPads to ABM and ASM.

Differences in what is scanned with Apple Configurator for iPhone:
* For iOS and iPadOS, the Wi-Fi screen in Setup Assistant is scanned
* For macOS, the Country or Region screen in Setup Assistant is scanned

Any device that requires interactive activation, like Activation Lock or mobile carrier activation, must be handled manually before Apple Configurator for iPhone can add it to ABM or ASM.

Identity management

Goal for identity: users sign in once and from then on use that signed-in identity consistently across the OS.

In ABM, Apple now supports Google Workspace in addition to Microsoft Azure AD as an identity provider for federated authentication.

Sign In with Apple can now be used with Managed Apple IDs for both ABM and ASM. In apps that support Sign In with Apple, the signed-in Managed Apple ID identity will automatically work to authenticate with those apps.

OAuth support:
* OAuth 2 has been added as an authentication mechanism
* This allows support for a variety of identity providers
* Improves security via support for short-lived tokens and automatic refresh

Enrollment Single Sign On (Enrollment SSO)
* Enables personally-owned devices to complete an MDM enrollment faster
* Builds upon Extensible SSO (introduced in iOS 13) and Account Driven User Enrollment (introduced in iOS 15)

Enrollment SSO process:
* App downloaded during enrollment
* App contains extension
* Native UI for app authentication experience

It's an app-based model, so the app can support whichever authentication workflow is required.

Multi-step stack:
1. SSO extension app
2. MDM vendor federates their MDM protocol client authentication with an identity provider (Azure AD or Google Workspace, for example)
3. Administrators set up Managed Apple IDs using ASM or ABM
4. MDM server is configured to return a URL as part of the JSON document included with the authentication response headers

Details on this process run from 8:55 through 11:15 of the session video.

Single Sign On Extensions:

SSO extensions were first introduced in 2019 as part of iOS 13.

Platform Single Sign On (Platform SSO) is being introduced for macOS Ventura: sign in once at the login window and then not have to authenticate again.

The first login authenticates with the local account password. After that, the identity provider password can be used for authentication:
* Initial login - local account password
* After that - identity provider password

Supports use of a password or a key stored in the Secure Enclave for authentication. Regardless of authentication mechanism, SSO tokens are:
1. Retrieved from the identity provider
2. Stored in the login keychain
3. Made available to the SSO extension when needed

Kerberos Ticket Granting Tickets (TGTs) can also be downloaded to a credential cache and (optionally) shared with the Kerberos extension.

If the password on the identity provider changes, the changed password is validated as part of the next authentication unlock.

Platform SSO is an integrated SSO experience which is built using OAuth and OpenID. It does not use WebViews for authentication.
Platform SSO - Apple's replacement for AD binding and mobile accounts

Platform SSO does not directly use directory services or check with the identity provider on each unlock attempt, as has been the case with AD binding. Instead, the identity provider is only contacted when the user is trying to unlock with a new password, or when retrieving SSO tokens from the identity provider.

Platform SSO also does not prevent logging in to the Mac based on the response the Mac gets from the identity provider. If disabling access is needed, use MDM or alternative strategies to disable login access.

Details on this process run from 13:57 through 14:11 of the session video. Additional details are available in the Apple Platform Deployment Guide.

Deploying Managed Software Updates for macOS Ventura:

* Software Update commands are now acknowledged in Power Nap mode
  - Previously, devices in Power Nap would return a NotNow status

Devices in Power Nap mode will respond to the following commands:
* ScheduleOSUpdate
* OSUpdateStatus
* AvailableOSUpdate

The ScheduleOSUpdate command now has a new Priority key. Its values are High and Low and set the priority for downloading and preparing requested updates.
* High - Mimics a user-initiated software update request in System Preferences
  - Note: Only supported for minor OS updates (like going from 13.0 to 13.1). It does not support major OS version upgrades (like going from macOS Monterey to macOS Ventura)

Enforce Software Updates

New keys for the OSUpdateStatus command:
* MaxDeferrals
* DeferralsRemaining
* NextScheduledInstall
* PastNotifications

Details on this process run from 16:00 through 16:57 of the session video.

Rapid Security Response (RSR):

Part of macOS Ventura, iOS 16 and iPadOS 16. A new mechanism to ship critical security fixes to users more rapidly.
* Security updates delivered this way do not update firmware
* Users can also remove the RSR update if necessary
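The ScheduleOSUpdate priority rule and the OSUpdateStatus deferral keys above, as an added example in Python (not code from the session or from Apple): it builds the command, refuses Priority High when the major version would change, and reads the deferral fields out of a constructed reply. The ProductKey, ProductVersion and InstallAction keys are assumed from Apple's MDM protocol description of ScheduleOSUpdate; the product key and both replies are constructed sample data, not captured from a device.

```python
"""Build a ScheduleOSUpdate command that uses the new Priority key, and read the
deferral fields out of an OSUpdateStatus reply.

Added example, not code from the session or from Apple. ProductKey,
ProductVersion and InstallAction are assumed from the MDM protocol's
ScheduleOSUpdate command; Priority, MaxDeferrals, DeferralsRemaining,
NextScheduledInstall and PastNotifications are the keys the session notes list.
The replies below are constructed, not captured from a device.
"""
import plistlib
import uuid
from datetime import datetime

ALLOWED_PRIORITIES = {"High", "Low"}


def major_version(version: str) -> int:
    """'13.1' -> 13; used to tell a minor update from a major upgrade."""
    return int(version.split(".")[0])


def build_schedule_os_update(product_key: str, target_version: str, current_version: str,
                             priority: str = "Low", install_action: str = "InstallASAP") -> bytes:
    """Return the ScheduleOSUpdate command as an XML plist (bytes).

    High mimics a user-initiated update in System Preferences and is only
    supported for minor updates (13.0 -> 13.1), so it is refused here when the
    major version would change (Monterey -> Ventura).
    """
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError(f"Priority must be High or Low, got {priority!r}")
    if priority == "High" and major_version(target_version) != major_version(current_version):
        raise ValueError("Priority High is not supported for major OS upgrades")
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "ScheduleOSUpdate",
            "Updates": [{
                "ProductKey": product_key,
                "ProductVersion": target_version,
                "InstallAction": install_action,
                "Priority": priority,
            }],
        },
    }
    return plistlib.dumps(command)


def parse_command(command: bytes) -> dict:
    """Decode a command plist and return its Command dictionary."""
    return plistlib.loads(command)["Command"]


def summarize_os_update_status(reply: bytes) -> dict:
    """Interpret an OSUpdateStatus reply.

    'retry' is True when the device answered NotNow (what a Mac in Power Nap
    returned before Ventura), meaning the command must be sent again later.
    Each update entry reports deferrals used, whether the user has none left
    (so the install is now forced), the scheduled install time, and how many
    notifications the user has already been shown.
    """
    parsed = plistlib.loads(reply)
    if parsed.get("Status") == "NotNow":
        return {"retry": True, "updates": []}
    updates = []
    for entry in parsed.get("OSUpdateStatus", []):
        max_deferrals = entry.get("MaxDeferrals")
        remaining = entry.get("DeferralsRemaining")
        used = None
        if max_deferrals is not None and remaining is not None:
            used = max_deferrals - remaining
        updates.append({
            "product": entry["ProductKey"],
            "status": entry.get("Status"),
            "deferrals_used": used,
            "install_forced": remaining == 0,
            "next_install": entry.get("NextScheduledInstall"),
            "notifications_shown": len(entry.get("PastNotifications", [])),
        })
    return {"retry": False, "updates": updates}


# Constructed sample reply: the user has deferred twice out of three allowed
# deferrals, has been notified twice, and an install is scheduled.
SAMPLE_STATUS_REPLY = plistlib.dumps({
    "Status": "Acknowledged",
    "CommandUUID": "00000000-0000-0000-0000-000000000001",
    "OSUpdateStatus": [{
        "ProductKey": "MSU_UPDATE_13.1",  # constructed, not a real product key
        "Status": "Downloading",
        "MaxDeferrals": 3,
        "DeferralsRemaining": 1,
        "NextScheduledInstall": datetime(2022, 10, 28, 9, 0, 0),
        "PastNotifications": [datetime(2022, 10, 26, 9, 0, 0), datetime(2022, 10, 27, 9, 0, 0)],
    }],
})

# Constructed NotNow reply, as pre-Ventura devices in Power Nap returned.
SAMPLE_NOTNOW_REPLY = plistlib.dumps({"Status": "NotNow",
                                      "CommandUUID": "00000000-0000-0000-0000-000000000002"})


if __name__ == "__main__":
    cmd = build_schedule_os_update("MSU_UPDATE_13.1", "13.1", "13.0", priority="High")
    print(parse_command(cmd)["Updates"][0])
    print(summarize_os_update_status(SAMPLE_STATUS_REPLY))
    print(summarize_os_update_status(SAMPLE_NOTNOW_REPLY))
```

The major-version guard is this example's own check, derived from the note that High is only supported for minor updates; a server that lets High through for a major upgrade would simply not get the user-initiated behaviour it expected. Keeping the NotNow branch is still worthwhile on a fleet with pre-Ventura Macs, which will keep returning it from Power Nap.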
Two restriction keys are being introduced to manage RSR updates:
* allowRapidSecurityResponseInstallation - Allow or disable the new RSR mechanism
* allowRapidSecurityResponseRemoval - Allow or disable the user's ability to remove new RSR updates

Enrollment changes:

For Automated Device Enrollment, there will now be a network requirement to go through Setup Assistant:
- Applies to Intel Macs with T2 security chips and Apple Silicon Macs
- Enforced after erase or restore

The profiles command line tool on macOS now has rate limiting for the following functions:
* show
* renew
* validate

Each command allows a maximum of 10 requests per day from the server. If that number is exceeded, the results return cached information. The show command also has an optional flag to return only cached information (if desired).

Manual certificate trust:

In a future release of macOS Ventura, certificate payloads in a configuration profile that are manually installed by a user will no longer be automatically trusted for TLS. The user must use the Keychain Access app to trust the certificate manually. However, full certificate trust will be honored if:
* A certificate is embedded in an MDM enrollment profile
* A configuration profile with a certificate payload is installed using MDM

In short, if you want certificates to be trusted automatically, those certificates must be delivered by an MDM solution.

Allowing external device accessories to connect to macOS
* Supported on portable Macs running Apple Silicon

By default, the user will be asked to allow new Thunderbolt or USB accessories even when the Mac is unlocked.
* User consent is required to allow new accessories
* Approved accessories can connect to a locked Mac for up to three days
  - If an unapproved device is connected to a locked Mac, the Mac will need to be unlocked and consent given before the device will be able to connect

The allowUSBRestrictedMode restriction is being brought over to macOS from iOS and iPadOS to help manage this.
* This will allow wired accessories to always connect without limitation
* Allows the user consent requirement to be bypassed

A summary of all macOS-related changes is shown from 21:20 through 21:30 of the session video.

iOS and iPadOS management

Managed per-app networking:

As of iOS and iPadOS 16, per-app networking is being expanded to include:
* Per-App VPN
* Per-App DNS Proxy
* Per-App Web Content Filter

These features will be available to all enrollment types. Existing apps which use DNS Proxy and Web Content Filter will work without modification.

Multiple DNS proxies can be applied, but you can't have both per-app and system-wide DNS proxies. Web Content Filter supports up to seven per-app filters and one system-wide filter.

Managing eSIMs:

eSIM installation and restriction:
* Use allowESIMModification as needed
* RefreshCellularPlans works while restricted
* Set PreserveDataPlan to TRUE when using the EraseDevice MDM command

Details on this process run from 23:52 through 27:45 of the session video.

Shared iPad

You can set the default DNS domain for Managed Apple IDs with the SharedDeviceConfiguration settings command:
* ManagedAppleIDDefaultDomains - Lets the user begin entering their Managed Apple ID by typing their username; the specified domain (company.com, for example) will appear as a suggested address which can be tapped to fill in the login field

Changes to remote authentication requirements:
* In iOS 15, remote authentication is required every seven days
* In iOS 16, local verification will only be used for existing users on the device
  - For admins who want to enforce remote authentication, the OnlineAuthenticationGracePeriod key can be set in the SharedDeviceConfiguration settings command
  - Integer value specifying the number of days between remote authentications
  - A value of zero will require all logins to be remotely authenticated
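The restriction keys and commands from the RSR, accessory, eSIM and Shared iPad passages above, as one added example in Python (not Apple's or the session's code): a restrictions profile carrying the two RSR keys, allowUSBRestrictedMode and allowESIMModification, with a validator that rejects unknown keys and non-boolean values; an EraseDevice command with PreserveDataPlan set; and the SharedDeviceConfiguration Settings item with ManagedAppleIDDefaultDomains and OnlineAuthenticationGracePeriod. The com.apple.applicationaccess payload type, the Payload* skeleton keys and the shapes of the Settings and EraseDevice commands are assumed from Apple's configuration profile and MDM protocol formats; example.org and company.com are placeholders.

```python
"""Build the management payloads for the keys these notes introduce: the two
RSR restriction keys, allowUSBRestrictedMode and allowESIMModification in a
restrictions profile; PreserveDataPlan on EraseDevice; and the Shared iPad
SharedDeviceConfiguration Settings item.

Added example, not Apple's or the session's code. The payload type
"com.apple.applicationaccess", the Payload* skeleton and the command shapes
are assumed from Apple's profile and MDM protocol formats; example.org and
company.com are placeholders.
"""
import plistlib
import uuid

# Conservative defaults: RSR installs allowed, user removal of an RSR blocked,
# the new-accessory consent prompt kept, eSIM changes blocked.
DEFAULT_RESTRICTIONS = {
    "allowRapidSecurityResponseInstallation": True,
    "allowRapidSecurityResponseRemoval": False,
    "allowUSBRestrictedMode": True,  # False lets wired accessories always connect
    "allowESIMModification": False,
}


def restriction_errors(restrictions: dict) -> list:
    """Return a list of problems: unknown keys or non-boolean values."""
    errors = []
    for key, value in restrictions.items():
        if key not in DEFAULT_RESTRICTIONS:
            errors.append(f"unknown restriction key {key!r}")
        elif not isinstance(value, bool):
            errors.append(f"{key} must be a boolean, got {value!r}")
    return errors


def build_restrictions_profile(overrides: dict = None, org: str = "example.org") -> bytes:
    """Return a configuration profile (XML plist) carrying the four restriction keys."""
    restrictions = {**DEFAULT_RESTRICTIONS, **(overrides or {})}
    errors = restriction_errors(restrictions)
    if errors:
        raise ValueError("; ".join(errors))
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": f"{org}.restrictions.payload",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        **restrictions,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Restrictions: RSR, accessories, eSIM",
        "PayloadIdentifier": f"{org}.restrictions",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def restrictions_in(profile: bytes) -> dict:
    """Read the restriction keys back out of a profile, to audit it before pushing."""
    found = {}
    for payload in plistlib.loads(profile).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            found.update({k: v for k, v in payload.items() if k.startswith("allow")})
    return found


def build_erase_device(preserve_data_plan: bool = True) -> bytes:
    """EraseDevice with PreserveDataPlan set so the eSIM data plan survives the wipe."""
    return plistlib.dumps({
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "EraseDevice", "PreserveDataPlan": preserve_data_plan},
    })


def build_shared_ipad_settings(default_domains, grace_period_days: int = 0) -> bytes:
    """Settings command carrying the SharedDeviceConfiguration item.

    OnlineAuthenticationGracePeriod is a whole number of days between remote
    authentications; 0 makes every login authenticate remotely.
    """
    if (isinstance(grace_period_days, bool) or not isinstance(grace_period_days, int)
            or grace_period_days < 0):
        raise ValueError("OnlineAuthenticationGracePeriod must be a non-negative integer (days)")
    item = {
        "Item": "SharedDeviceConfiguration",
        "ManagedAppleIDDefaultDomains": list(default_domains),
        "OnlineAuthenticationGracePeriod": grace_period_days,
    }
    return plistlib.dumps({
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "Settings", "Settings": [item]},
    })


def parse_command(command: bytes) -> dict:
    """Decode a command plist and return its Command dictionary."""
    return plistlib.loads(command)["Command"]


if __name__ == "__main__":
    print(restrictions_in(build_restrictions_profile()))
    print(parse_command(build_erase_device()))
    print(parse_command(build_shared_ipad_settings(["company.com"], grace_period_days=0)))
```

The defaults deliberately leave allowRapidSecurityResponseRemoval off: letting a user roll back a security response reopens the fix it shipped. restrictions_in is there because a profile that silently carries the wrong boolean (or a string where a boolean was meant) is easy to push and hard to spot afterwards, so reading the keys back out before deployment is a cheap check.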
InstallApplication during Setup

As of iOS 16 and iPadOS 16, it's now possible to install applications at setup for supervised devices:
- No user will likely be signed in during setup
- Use device-based app licenses

Supervision is required. This app install process will not work for unsupervised devices.

Apple TV:

When you erase an Apple TV running tvOS 16, either from Settings on the device or via MDM, the remote will remain paired.

A summary of all iOS-, iPadOS- and tvOS-related changes is shown at 33:45 of the session video.

Documentation:

Apple is open-sourcing the code used to generate their documentation. It is available on Apple's GitHub site: https://github.com/apple/device-management

For more details on this, please see 33:51 through 37:00 of the session video.