iOS 15 and macOS Monterey

Changes to user enrollment:
- From Apple's perspective, user enrollment is designed for Bring Your Own Device (BYOD) deployments.
  * The user, not the organization, owns the device in question.
  * This MDM enrollment mode is designed to protect personal data while securing corporate data on the device.
- Improvements to user enrollment in iOS 15 and macOS Monterey:
  * See the "Discover account-driven user enrollment" session video.

New Apple Configurator for iPhone
- iOS app, available in the App Store.
- Includes a new feature for macOS automated device enrollment.
- See the "Manage devices with Apple Configurator" session video.

Improvements to the MDM protocol
- Changes aimed at making the MDM protocol more robust and performant.
- See the "Meet declarative device management" session video.

Improvements to Apple OS software updates for iOS, iPadOS and macOS
- See the "Manage software updates in your organization" session video.
- Covers testing, deploying and enforcing OS updates.

iOS and iPadOS device management

Changes to:
- How users see managed accounts
- How users see the profiles installed on their device
- How VPN is configured in Settings
  * VPN and Device Management have been combined into one place in Settings, called "VPN & Device Management".

App installation

As of iOS 14:
- Supervised devices: apps install without prompting the user.
- Unsupervised devices: apps prompt for permission before installing, so the user can decline to install the app.
As of iOS 15:
- Introducing the Required App
  * Allows one app to be specified as required on unsupervised devices.
  * The user's consent to install it without a prompt is gathered during MDM enrollment.
  * Only the one Required app installs without additional user approval; every other app still prompts.
- To enable the Required app:
  * Specify the app's iTunes Store ID in the MDM enrollment profile.
  * Ensure the Required app has an available device or user license.
  * Install it with the InstallApplication MDM command.
  * Set the managed app attribute that prevents the user from uninstalling the app.

Managed open-in
- Controls the flow of data between apps.
- Lets the MDM admin control whether data is allowed to enter or leave the managed set of apps.
- Independently controls whether data can be sent from an unmanaged app to a managed app, and from a managed app to an unmanaged app.

Changes in iOS 15: Managed Pasteboard
- New restriction, requireManagedPasteboard, controls whether copy and paste is subject to the managed open-in rules.
- Neither system nor third-party apps need changes to support managed pasteboard.
- System apps that already honor the restriction:
  * Calendar
  * Notes
  * Mail
  * Files
- All other apps adopt the feature with no additional changes.
- Apps installed via MDM are automatically treated as managed.
- Apps installed by the user are automatically treated as unmanaged.
- The Paste action is always visible in the app; if pasting into that app isn't allowed, a "Paste Not Allowed" notification appears instead.
- The organization name shown in the notification can be changed with the OrganizationInfo Settings MDM command.

Shared iPad for Business
- Allows employees to have their own separate user account, with their own data, on a shared device.
- Shared iPad has required a Managed Apple ID for each employee sharing the device.
- A Temporary Session acts as a guest account on a Shared iPad, with no Managed Apple ID needed.
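Returning to the managed open-in section above: the following is an added example, not code from the session or from Apple, that models how the two managed open-in keys and the iOS 15 requireManagedPasteboard restriction combine when a paste crosses the managed boundary, and generates the Restrictions payload that carries them. The payload type (com.apple.applicationaccess) and the three key names are Apple's; the bundle identifiers, profile identifiers and organization name are constructed for the example, and the decision logic is a reading of the behaviour the notes describe.

```python
# Added example (not from the session or from Apple): a model of how the
# managed open-in keys and the iOS 15 requireManagedPasteboard restriction
# combine, plus a generator for the restrictions payload that carries them.
# Payload type and key names are Apple's; bundle IDs, profile identifiers
# and the organization name are constructed for the example.
import plistlib
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class OpenInPolicy:
    allow_managed_to_unmanaged: bool = False   # allowOpenFromManagedToUnmanaged
    allow_unmanaged_to_managed: bool = True    # allowOpenFromUnmanagedToManaged
    require_managed_pasteboard: bool = False   # requireManagedPasteboard (iOS 15)

    def payload(self) -> dict:
        """com.apple.applicationaccess (Restrictions) payload carrying the three keys."""
        return {
            "PayloadType": "com.apple.applicationaccess",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.restrictions.openin",  # constructed
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadDisplayName": "Managed open-in and pasteboard",
            "allowOpenFromManagedToUnmanaged": self.allow_managed_to_unmanaged,
            "allowOpenFromUnmanagedToManaged": self.allow_unmanaged_to_managed,
            "requireManagedPasteboard": self.require_managed_pasteboard,
        }


def build_profile(policy: OpenInPolicy, org: str = "Example Corp") -> bytes:
    """Wrap the payload in a configuration profile and serialize it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.openin",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Managed open-in",
        "PayloadOrganization": org,
        "PayloadContent": [policy.payload()],
    }
    return plistlib.dumps(profile)


def load_profile(data: bytes) -> dict:
    """Parse a serialized profile back into a dictionary (for inspection/tests)."""
    return plistlib.loads(data)


# Which apps count as managed: per the notes, apps installed via MDM are
# managed and apps the user installed are unmanaged. Constructed sample set.
MANAGED_APPS = {"com.example.crm", "com.apple.mobilemail"}


def is_managed(bundle_id: str) -> bool:
    return bundle_id in MANAGED_APPS


def paste_allowed(policy: OpenInPolicy, source_app: str, dest_app: str) -> bool:
    """Decide whether a paste from source_app into dest_app is permitted.

    Without requireManagedPasteboard the pasteboard is not subject to managed
    open-in at all. With it, a paste that crosses the managed boundary is
    governed by the open-in key for that direction; a paste that stays on one
    side of the boundary is always allowed.
    """
    if not policy.require_managed_pasteboard:
        return True
    src, dst = is_managed(source_app), is_managed(dest_app)
    if src and not dst:
        return policy.allow_managed_to_unmanaged
    if dst and not src:
        return policy.allow_unmanaged_to_managed
    return True


if __name__ == "__main__":
    policy = OpenInPolicy(require_managed_pasteboard=True)
    print(build_profile(policy).decode())
    # Corporate CRM data pasted into a user-installed notes app is blocked;
    # the reverse direction is allowed by the default allowOpenFromUnmanagedToManaged.
    print(paste_allowed(policy, "com.example.crm", "com.example.usernotes"))
    print(paste_allowed(policy, "com.example.usernotes", "com.example.crm"))
```

The point to check in your own MDM is the asymmetry: leaving allowOpenFromUnmanagedToManaged at its default lets personal data flow into managed apps while the managed-to-unmanaged key blocks exfiltration; set both to false if the managed set must be isolated in both directions.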
- When the user logs out of a Temporary Session, all of that session's data is deleted from the device.
  * This includes Safari browsing history, modified user settings and any files the Temporary Session user added to the device.
- In iOS 14.5, Apple added three new keys to the SharedDeviceConfigurationSettings MDM command:
  * TemporarySessionOnly: restricts the device to Temporary Sessions, so login with a Managed Apple ID is not available.
  * TemporarySessionTimeout: automatically logs a Temporary Session user out after a set amount of time.
  * UserSessionTimeout: automatically logs a Managed Apple ID user out after a set amount of time.
  * Ensure the timeout gives users enough time for their task; the timer is reset by pressing the power button or the Home button.

Apple TV changes
- TV Remote MDM payload
  * Connects specific Apple TVs with the Remote widget in Control Center on iOS and iPadOS.
- New security enhancement in tvOS 15: Apple TV no longer broadcasts its MAC address over Bonjour.
  * As a result, it is no longer possible to prevent the PIN prompt from appearing on the Apple TV's television when a device pairs with it.
- Addition to the TV Remote MDM payload: to help prevent unwanted pairing attempts, a new TVDevice key has been added.
  * Use the TVDeviceName and TVDeviceID keys to filter which Apple TVs appear in the Remote widget in Control Center on managed iOS and iPadOS devices.
  * This prevents unwanted pairing attempts from managed iOS and iPadOS devices.
- Additional payloads were shown as a list; see 7:07 of the "What's new in managing Apple devices" session video: https://developer.apple.com/wwdc21/10130

macOS Monterey: new device management options

System Extensions
- In macOS 11.3.x, installing the System Extension MDM payload changes the state of a system extension:
  * If a system extension is pending user approval, installing the payload activates it.
  * Removing the System Extension MDM payload deactivates the system extension.
- In macOS Monterey, the System Extension MDM payload gains a RemovableSystemExtensions key.
  * This allows an app to deactivate its own system extension.
  * Example: when the app uninstalls itself, it can deactivate its own system extension as part of the uninstall process.
  * No admin password is required to remove the system extension; useful for deployments where the Mac does not have an admin user.

Kernel Extensions
- In macOS Big Sur, a reboot is required to add or remove kernel extensions. That is still the case in macOS Monterey, but new features make managing them easier.
- New RebuildKernelCache option on the RestartDevice MDM command
  * Tells the Mac to rebuild its kernel extension cache on reboot.
  * Required any time a kernel extension is added or removed.
  * The KextPaths key specifies kernel extensions the OS hasn't yet discovered.
  * This lets MDM install an app and load its accompanying kernel extension without the user having to launch the app before rebooting.
- New NotifyUser key lets MDM display a reboot notification to the user.
  * When the user clicks it, a graceful restart of the Mac is triggered.
  * NotifyUser can be used outside the kernel extension context, but is most useful there, since a reboot is still required on macOS Monterey.
- Kernel Extension MDM payload
  * AllowNonAdminUserApprovals key: allows a standard user to complete the installation of kernel extensions.
  * The user must perform the required restart from either System Preferences or the NotifyUser-generated notification so that the kernel cache rebuild happens as part of the restart.
- SecurityInfo MDM command
  * Depending on the hardware, a bootstrap token may be needed to complete kernel extension approval.
  * Check the BootstrapTokenRequiredForKernelExtensionApproval key in the SecurityInfo query response to find out.

macOS Apps
- On Apple Silicon Macs, iOS and iPadOS apps can run.
- macOS Big Sur added a new DeviceInformation query key, SupportsiOSAppInstalls, which reports whether a Mac supports running iOS and iPadOS apps.
  * Reports TRUE on macOS 11.3 on Apple Silicon Macs.
- When installing an iOS or iPadOS app on an Apple Silicon Mac, a new key must be added to the InstallApplication command to indicate that it is an iOS or iPadOS app.
- For in-house enterprise apps, the URL in the manifest should point to the iOS app's .ipa file instead of an installer package (.pkg).
- iOS-style provisioning profile support is now also available on Apple Silicon Macs, which allows management of in-house enterprise apps and their provisioning profiles.

Apple Silicon-exclusive management options
- DeviceLock command enhanced for Apple Silicon Macs
  * Remote lock now supports a six-digit PIN code, plus a lock screen message and a phone number to display on the lock screen.
  * When the remote lock command is received, the Mac reboots and displays the lock screen with the PIN code entry fields and the message / phone number.
  * Once the PIN code is entered, the Apple Silicon Mac reboots to the login window and normal login can proceed.
- New option to set a recovery password
  * New SetRecoveryLock and VerifyRecoveryLock MDM commands allow the MDM admin to set and verify a password which must be entered before the Mac will boot into macOS Recovery.
  * The password can only be set or removed by MDM.
  * If the Mac is unenrolled from MDM, the password requirement for macOS Recovery is also removed.
  * The MDM server needs to know the existing password in order to set a new one.
  * The DeviceLock PIN code and the Recovery password are both removed when the Mac is erased.
  * Recommendation: use these features together with Activation Lock for the best protection of your fleet.

Erase All Content and Settings for macOS Monterey
- New macOS Monterey feature for Macs with the T2 security chip and Apple Silicon Macs; also available via MDM.
- Sending the EraseDevice MDM command now erases all data on the Mac and reboots it back to Setup Assistant.
  * Supported only on Apple Silicon Macs and Macs with the T2 security chip.
  * If the Mac has multiple system volumes, it reboots to Setup Assistant on the currently selected system volume; all other volumes are erased.
  * On Apple Silicon Macs, EraseDevice also resets any security settings that were set in macOS Recovery.
- To prevent unwanted use of the Erase All Content and Settings option, there is a new allowEraseContentAndSettings restriction.
- Additional payloads were shown as a list; see 13:28 of the "What's new in managing Apple devices" session video: https://developer.apple.com/wwdc21/10130
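Going back to the kernel extension and SecurityInfo notes in the macOS section above: the following is an added example, not code from the session, from Apple or from any MDM vendor, that sequences those commands the way an MDM server would. It reads the SecurityInfo reply to learn whether a bootstrap token must already be escrowed before kernel extension approval can complete, then builds the RestartDevice command with RebuildKernelCache, KextPaths and NotifyUser. The command and key names are Apple's MDM protocol keys; the sample SecurityInfo replies, the kext path and the escrow flag are constructed for the example, and the kernel extension policy payload is assumed to be installed already.

```python
# Added example (not from the session, Apple or any MDM vendor): sequencing
# the macOS Monterey kernel extension commands. Read the SecurityInfo reply
# to learn whether a bootstrap token must already be escrowed with the MDM
# server, then issue RestartDevice with RebuildKernelCache, KextPaths and
# NotifyUser. Command and key names are Apple's MDM protocol keys; the
# sample SecurityInfo replies, the kext path and the escrow flag are
# constructed for the example.
import plistlib
import uuid


def mdm_command(request_type: str, **keys) -> dict:
    """Wrap a command in the envelope the MDM server sends to the device."""
    return {"CommandUUID": str(uuid.uuid4()),
            "Command": {"RequestType": request_type, **keys}}


def kext_restart_command(kext_paths=(), notify_user=True) -> dict:
    """RestartDevice that rebuilds the kernel cache on the way back up.

    KextPaths lets the rebuild include a kext the OS has not discovered yet,
    e.g. one bundled inside an app the user has never launched. NotifyUser
    shows the reboot notification instead of restarting immediately.
    """
    cmd = mdm_command("RestartDevice", RebuildKernelCache=True, NotifyUser=notify_user)
    if kext_paths:
        cmd["Command"]["KextPaths"] = list(kext_paths)
    return cmd


def bootstrap_token_needed(security_info: dict) -> bool:
    """True when the Mac reports that kext approval requires the bootstrap token."""
    return bool(security_info.get("BootstrapTokenRequiredForKernelExtensionApproval", False))


def plan_kext_rollout(security_info: dict, token_escrowed: bool, kext_paths) -> dict:
    """Decide whether the rollout can proceed and, if so, which command to send.

    Returns {"ok": bool, "reason": str, "commands": [...]}. The kext policy
    payload (com.apple.syspolicy.kernel-extension-policy) is assumed to be
    installed already; this step only handles the cache rebuild and restart.
    """
    if bootstrap_token_needed(security_info) and not token_escrowed:
        return {"ok": False,
                "reason": "bootstrap token required for kext approval but not escrowed",
                "commands": []}
    return {"ok": True, "reason": "", "commands": [kext_restart_command(kext_paths)]}


def to_plist(cmd: dict) -> bytes:
    """Serialize the command as the XML plist the device receives."""
    return plistlib.dumps(cmd)


def from_plist(data: bytes) -> dict:
    """Parse a serialized command back into a dictionary."""
    return plistlib.loads(data)


# Constructed SecurityInfo query replies (only the key used here is shown).
SECURITY_INFO_TOKEN_REQUIRED = {"BootstrapTokenRequiredForKernelExtensionApproval": True}
SECURITY_INFO_TOKEN_NOT_REQUIRED = {"BootstrapTokenRequiredForKernelExtensionApproval": False}

# Constructed path to a kext that ships inside an app bundle.
EXAMPLE_KEXT = "/Applications/ExampleTool.app/Contents/Library/Extensions/ExampleTool.kext"


if __name__ == "__main__":
    blocked = plan_kext_rollout(SECURITY_INFO_TOKEN_REQUIRED, token_escrowed=False,
                                kext_paths=[EXAMPLE_KEXT])
    print("blocked:", blocked["reason"])
    plan = plan_kext_rollout(SECURITY_INFO_TOKEN_REQUIRED, token_escrowed=True,
                             kext_paths=[EXAMPLE_KEXT])
    print(to_plist(plan["commands"][0]).decode())
```

The check on the SecurityInfo key is the part worth copying: sending RestartDevice with RebuildKernelCache to a Mac that still needs a bootstrap token produces a reboot without an approved kext, so the rollout should fail closed on the server side before anything is sent.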