Managed Apple IDs:
- OpenID Connect support added to Apple Business Manager and Apple School Manager
  * Allows ABM and ASM federation with any identity provider which supports OpenID Connect
  Note: For more information, see the "Do more with Managed Apple IDs" (June 8, 2023) session: https://developer.apple.com/wwdc23/10254
- Managed Apple IDs now support using iCloud Keychain
  * Allows companies, schools or institutions to use iCloud Keychain with Managed Apple IDs, which enables use of passkeys.
  Note: For more information, see the "Deploy passkeys at work" (June 7, 2023) session: https://developer.apple.com/wwdc23/10263

Declarative device management (DDM):
Supports new deployment options for:
- Applications
- Certificates
- On macOS: service configuration files
Note: For more information, see the "Advances in declarative device management" (June 7, 2023) session: https://developer.apple.com/wwdc23/10041

MDM management being extended to watchOS:
Note: For more information, see the "Meet device management for Apple Watch" (June 9, 2023) session: https://developer.apple.com/wwdc23/10039
Also note: The video calls this session "Discover watchOS management", which is incorrect.

Device management on macOS:
- Automated Device Enrollment now includes the following options:
  * FileVault can be enabled during the Setup Assistant stage of ADE setup
    - Admins can choose whether to show the FileVault recovery key to the end user
    - Admins can choose to escrow the FileVault recovery key to the MDM server
  * MDM can require the device to be on a specific minimum operating system version in order to enroll
    - MDM will send a query to the device to find out if the Mac endpoint is running at least the specified minimum OS version.
    - If it is not running the necessary OS version, the user will be guided through a process which will update their Mac to the necessary OS version, with restarts being performed as required.
    - Once the necessary OS version is installed, the Mac will return to Setup Assistant to complete the enrollment and setup process.
  * Enforced Automated Device Enrollment
    - On macOS Ventura and earlier, if a Mac is not connected to a network during the initial setup, the MDM enrollment is skipped. A subsequent notification appears requesting that the Mac be enrolled.
    - As of macOS Sonoma, this behavior has changed. Setup Assistant will launch into a full screen experience and will wait for a network connection.
    - Once a network connection is available at the Remote Management window, the user will be given two choices:
      * Continue
      * Not Now
    - If Continue is chosen, setup will continue normally.
    - If Not Now is chosen, the user has eight hours before they will be required to enroll into MDM.
      * The user will be able to go into System Settings and enroll from there during this eight-hour period.

Platform SSO:
- On macOS Sonoma, System Settings will show the status of Platform SSO.
  * There will be a Repair button next to the Platform SSO status
    - Allows you to repair your registration or reauthenticate to the Identity Provider you're using with Platform SSO.
- Platform SSO on macOS Sonoma supports on-demand creation of a local account.
  * A new user authenticates at the login window using credentials from the company, school or institution's Identity Provider.
  * This capability is enabled by using a shared device key that allows the device to maintain a trusted connection to the Identity Provider, independent of a specific user account.
- Requirements for enabling on-demand local user creation:
  * Mac must be able to connect to the Identity Provider
  * Mac needs to be at the login window with FileVault unlocked
  * MDM server managing the Mac must support Bootstrap Tokens
- If all requirements are met, users can use either of the following to create an account:
  * Username and password from their Identity Provider
  * SmartCard
- Once authenticated, groups from the Identity Provider can be used to assign user permissions on the Mac. The permissions are managed by a configuration profile. The relevant MDM profile can define the access level used:
  * Standard user permissions
  * Administrator privileges
  * Alternative permissions defined by the group membership
- The profile can also define how groups from the Identity Provider map to local groups on the Mac.
- Network authorization from the Identity Provider allows members of Identity Provider groups who don't have a local account to authenticate at authorization prompts.
  Exceptions to the above:
  * Non-local users cannot be used to authenticate at authorization prompts where the prompt is specifically asking for the logged-in user.
  * Non-local users cannot be used to authenticate at authorization prompts where the prompt requires a user with Secure Token or volume ownership rights.
- Profile management can also be used to define AuthorizationGroups:
  * AuthorizationGroups are groups used to grant access to rights which are otherwise defined as restricted by the authorization database.
    - Example: a non-admin user is granted the ability to modify printer configurations via the user's membership in the relevant AuthorizationGroups settings in the profile managing these groups.
  * AuthorizationGroups defined in a profile will cause:
    - Matching local groups to be created if they don't exist
    - Those groups to be made available to the local directory service on the Mac

Password management:
- Password policies can now be defined using regular expressions, in addition to the existing password policy options.
- Password compliance notifications have also been improved in macOS Sonoma:
  * If an account password does not meet current password compliance standards, the user will be notified via a Notification window.
  * If a stricter password policy is installed, the user will be notified via a Notification window if their password does not meet the new compliance standards.
    Note: Notifications will only appear if the password in question does not meet compliance standards.
  * The password will be checked for compliance when logging in at the login window, and the user will be given an option via Notification window to change their password now or later.
    Note: This notification is not shown at the login window itself, only after login has completed.
  * If the "Later" option is chosen, the same notification will be shown at each login until the password meets the defined compliance standards.

Restrictions:
New restrictions in macOS Sonoma:
* Block modifying Apple ID logins and Internet Accounts
* Block adding local user accounts
* Block modifying device name
* Block modifying individual sharing services
* Block modifying Siri settings
* Block modifying Startup Disk settings
* Prevent configuration of Time Machine backups
The list is not exhaustive; more restrictions are available.

Managed Device Attestation:
- Security feature introduced in iOS and iPadOS 16 which uses the attestation capabilities of the Secure Enclave.
- Now available on macOS Sonoma, which can be used on Macs with a Secure Enclave (T2 Intel Macs and Apple Silicon Macs)
- Uses hardware-bound keys with services like those below:
  * VPN
  * 802.1X
  * Kerberos
  * Microsoft Exchange
  * MDM
- For more information on Managed Device Attestation, please see the following session from WWDC 2022: Discover Managed Device Attestation: https://developer.apple.com/wwdc22/10143
- New properties being added to the attestation certificate:
  * System Integrity Protection status (Apple Silicon Macs only)
  * Secure boot status (Apple Silicon Macs only)
  * Whether third-party kernel extensions are allowed (Apple Silicon Macs only)
- New properties being added for all platforms that support Managed Device Attestation:
  * Low Level Bootloader version
  * OS version
  * Software Update Device ID
- Additional property being added: Secure Enclave Enrollment ID
  * Associates the attestation with an MDM enrollment

Managed applications on macOS:
- On macOS Big Sur through Ventura: the MDM InstallApplication command could install a single application into /Applications
- On macOS Sonoma: the MDM InstallApplication command can install multiple applications into /Applications
  * Any application the package installs into /Applications will be considered managed, and can be removed individually via MDM.
  Note: Content installed outside of /Applications will not be tracked. Apple recommends installing only self-contained applications.

iOS and iPadOS:
Improvements to device wiping (Return to Service):
- MDM sends the Erase command to the device.
- The device does the following:
  1. Device resets
  2. Securely erases all data
  3. Connects to WiFi
  4. Enrolls with MDM
  5. Previously selected language and region settings are applied to the device
  6. Displays home screen
- The device is now ready for re-use.
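How an MDM server might consume the Managed Device Attestation properties listed above (the Apple Silicon-only ones, the ones common to all platforms, and the Secure Enclave Enrollment ID binding), as an added example in Python that is not Apple's or any MDM vendor's code. The dictionary key names, the sample values and the "absent on T2 Macs" modelling are assumptions for illustration; extracting the real X.509 extensions from the certificate is not shown.

```python
# Constructed model of the properties an MDM server reads out of a Managed
# Device Attestation certificate. The dict keys are assumptions made for this
# example; the real certificate carries them as X.509 extensions, and parsing
# those is out of scope. A missing key means "property absent", which is what
# a T2 Intel Mac yields for the three Apple Silicon-only properties.
REQUIRED_FOR_ALL = ("llb_version", "os_version",
                    "software_update_device_id", "secure_enclave_enrollment_id")


def parse_version(text: str) -> tuple:
    """'14.0.1' -> (14, 0, 1): compare numerically, not as strings
    (as strings, '9.6' would sort above '14.0')."""
    return tuple(int(part) for part in text.split("."))


def evaluate_attestation(props: dict, expected_enrollment_id: str,
                         min_os: str, apple_silicon: bool) -> list:
    """Return the reasons the attestation fails policy; an empty list means
    the server may trust the device for VPN, 802.1X, Exchange and so on."""
    failures = []
    # 1. Binding: the Secure Enclave Enrollment ID must match the enrollment
    #    this server issued, so an attestation from another device or an old
    #    enrollment cannot be presented against this one.
    if props.get("secure_enclave_enrollment_id") != expected_enrollment_id:
        failures.append("enrollment ID does not match this MDM enrollment")
    # 2. Properties every platform that supports attestation must carry.
    for name in REQUIRED_FOR_ALL:
        if name not in props:
            failures.append(f"missing property: {name}")
    if "os_version" in props and parse_version(props["os_version"]) < parse_version(min_os):
        failures.append(f"OS {props['os_version']} is older than required {min_os}")
    # 3. Apple Silicon-only properties: on Apple Silicon an absent value is a
    #    policy failure, never a pass; on T2 Macs they are legitimately absent.
    if apple_silicon:
        if props.get("sip_enabled") is not True:
            failures.append("System Integrity Protection is not enabled")
        if props.get("secure_boot") != "full":
            failures.append("secure boot is not at Full Security")
        if props.get("kexts_allowed") is not False:
            failures.append("third-party kernel extensions are allowed")
    return failures


# Constructed samples: a compliant Apple Silicon Mac, and a T2 Mac that lacks
# the Apple Silicon-only properties and must not fail because of that.
APPLE_SILICON_MAC = {"llb_version": "10151.1.1", "os_version": "14.0",
                     "software_update_device_id": "example-sudid",
                     "secure_enclave_enrollment_id": "enroll-1234",
                     "sip_enabled": True, "secure_boot": "full", "kexts_allowed": False}
T2_MAC = {**{k: v for k, v in APPLE_SILICON_MAC.items() if k in REQUIRED_FOR_ALL},
          "secure_enclave_enrollment_id": "enroll-5678"}
```

Evaluating the T2 sample with apple_silicon=True shows why the platform flag matters: the three absent properties then count as failures rather than silently passing.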
Improvements to shared iPad logins: Easy Student Sign-In
Please see the session video from 17:24 through 19:05 for a depiction of the workflow.
Requirements:
* Teacher and student need to be part of the same Apple School Manager location
* Teacher and student devices need to be in physical proximity to each other.
* If the student is using a personally-owned device, they will be prompted to authorize the teacher to enable this functionality.

Cellular connectivity:
* Beginning in 2022, iPad devices have supported private LTE and non-standalone 5G networks with the ability to install eSIMs through device management.
* The same capability is now coming to 5G-capable iPhone models.
* Both iPads and 5G-capable iPhones will now be able to connect to private standalone 5G networks.
* New option to prefer a private 5G network over available WiFi networks.

Introducing Relays:
* Relays are secure proxies that are natively supported on iOS, iPadOS, macOS, and tvOS
* Relays can be configured with:
  - MDM profile
  - Network extension using the NERelayManager API
For more information, please see the "Ready, set, relay: Protect app traffic with network relays" session: https://developer.apple.com/wwdc23/10002

Apple Configurator for iPhone:
Adding Shortcut actions to workflows:
- Build custom shortcuts for Apple Configurator's actions
- Apple is adding the following shortcuts for iPhone and iPad devices:
  * Update devices
  * Restore devices
  * Erase devices
  * Prepare devices