----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:04 AM
@Cristina asked: Hello! I don't have access to the device management itself, but I develop enterprise apps and I would like to know if device management managers can force OS updates to the managed devices of employees. Thanks!
Danielle D (Apple), 22 hours ago: Hi Cristina, can you please clarify? Is your question if MDMs can force install an OS update?
Cristina, 22 hours ago: Hi Danielle, yes, exactly, for example force install iOS 16 on all the compatible iPhones.
Danielle D (Apple), 22 hours ago: The MDM can prompt the update to download and install on iOS, but depending on the state (such as passcode) it might need user interaction to install. Here is some information about software updates from the Platform Deployment Guide: Apple Support, "Manage software updates for Apple devices": You can control how software updates appear for supervised Apple devices enrolled in a mobile device management (MDM) solution.
Cristina, 22 hours ago: Thank you very much!!
Oliver, 22 hours ago: Opposite direction: can we enforce via MDM that certain devices stick to/install an (old) iOS version?
Danielle D (Apple), 22 hours ago: The MDM can hide an update for 90 days, but enforcing an older update is not supported.
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:04 AM
@Jordy asked: Will Platform SSO be able to create/provision a user account based on the IdP information once the IdP integrates with the framework? Or will it just sync the password?
Jesse E (Apple), 22 hours ago: Platform SSO will only sync the password. The user should be created via other means.
Jordy, 22 hours ago: Okay, thanks! So I guess it can be used in conjunction with Enrollment Customization and prepopulate the full name and username when the MDM supports it?
Jacob C (Apple), 22 hours ago: Documentation for Platform SSO will be available in AppleSeed for IT this week.
Jordy, 22 hours ago: Awesome, I'll check that out :slightly_smiling_face:
Eric, 22 hours ago: Will vendors be able to communicate outside of the Platform SSO Extension to create accounts on the fly?
Jesse E (Apple), 22 hours ago: @Eric can you share more about your use case / what you're trying to do?
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:07 AM
@Jordy asked: How's the behaviour for macOS Managed Software Updates during Power Nap or while asleep? Will it restart even when unsaved files are still open?
Nadia H (Apple), 22 hours ago: The only difference is macOS will now acknowledge the commands when sent while in Power Nap mode. All other existing software update rules will still apply. InstallForceRestart will be the only install action to force install while files are open.
Jordy, 22 hours ago: Thank you!
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:14 AM
@Frederick asked: The Platform SSO overview mentioned that a user being disabled in the linked IdP does not prevent login. Can you describe what the behavior is for the user in this situation?
Jesse E (Apple), 22 hours ago: Because the local account exists on the Mac already, the user will still be able to log in to this local account even though the account has been disabled in the IdP.
Jesse E (Apple), 22 hours ago: The last password that synced remains. In a scenario where the user should no longer be able to log in to the device, other methods should be used, such as the device lock MDM command.
Frederick, 22 hours ago: Ok, got it - so the user doesn't really "know" and there's no warning about it? I'm thinking about accidental disable/mistakes as well as terminations of employees here.
Jesse E (Apple), 22 hours ago: Think of this like a local password that just happens to get automatically updated/kept in sync. But it's still a local password and therefore still behaves exactly as any other local password would — since that's what it is. So in those cases you're talking about, you'll want to handle it separately.
Frederick, 22 hours ago: Thanks Jesse, understood!
----------
Mike S (Apple), Yesterday at 11:19 AM
Question for the group: What change are you most excited about this year in device management?
Frederick, 22 hours ago: Platform SSO :100:
Jordy, 22 hours ago: Definitely Platform SSO :star-struck:, although I hope IdPs will be quicker to adopt the technology than when SSO Extensions were introduced.
Alex, 22 hours ago: Declarative Device Management!
Eric, 22 hours ago: Platform SSO. I hope uptake will be quick.
Blayn, 22 hours ago: Platform SSO for us - but DMDM is exciting - we would still be relying on our MDM vendor to implement - so I won't be holding my breath there.
Blayn, 22 hours ago: We were really hoping to learn of some new features or conveniences coming to Managed Apple IDs this year - it's been a tough, tough sell for our organization trying to get buy-in to transition to federating Apple IDs. We keep hearing complaints of the disadvantages with very little benefit, especially from the users' POV.
Alex, 21 hours ago: Very close second: Documentation UI enhancements and GitHub!
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:19 AM
@ChakMing asked: Hello! Our company just joined Apple Business Manager. Is there any easy way to manage the Macs and iPads?
We tried the external MDM solutions but most of them require a subscription fee :open_mouth:
Graham M (Apple), 22 hours ago: Apple Business Essentials is Apple's new first-party MDM solution, but it also has a subscription fee. You can get all the details on that here: https://www.apple.com/business/essentials/. There are free MDM options out there. Perhaps some folks in the channel here would have some suggestions for you!
ChakMing, 22 hours ago: I see, but Apple Business Essentials is only for the US, right?
Graham M (Apple), 22 hours ago: That is correct.
ChakMing, 22 hours ago: Oh, I see. Because my company has multiple divisions all over the world. And currently, I noticed that the Business Manager is registered outside the US. Do you think I should ask my U.S. colleague to register another account for it?
Graham M (Apple), 22 hours ago: If you try to use Apple Business Essentials outside of the US you may run into issues with Apps and Books purchasing. I would not recommend using it outside of the US at this time.
ChakMing, 22 hours ago: I see. Hope that Business Essentials will expand to more countries soon. :smile: Thanks, @Graham M (Apple)
Eric, 22 hours ago: Mosyle Manager has a free option available.
ChakMing, 22 hours ago: @Eric Sounds great! Is it easy to use and deploy?
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:29 AM
@Jordy asked: Although I probably know the answer, any news on Apple Business Essentials coming to Europe?
Adam S (Apple), 22 hours ago: Nothing to announce, but we're glad to hear you're excited about Apple Business Essentials! Can you let us know what countries you'd be interested in seeing?
Jordy, 22 hours ago: The Netherlands :flag-nl:
Jordy, 22 hours ago: As a managed service provider here, we have a lot of SMB customers who could benefit from it.
Adam S (Apple), 22 hours ago: Thanks Jordy, as always we appreciate the feedback!
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:38 AM
@Stephen asked: Hey! A question about the "Requirement for internet access in Setup Assistant": how does the device retain knowledge of its organisation registration after a DFU restore? Where does this "setting" persist?
Mike S (Apple), 22 hours ago: The registration is stored on Apple's servers and comes back when the Mac goes through the activation process. Note, however, that this feature is not yet enabled in macOS Ventura. Please keep an eye on the release notes to find out in which seed it goes live.
Eric, 22 hours ago: Ability to skip Wi-Fi selection after first operating system reset is a big pain point for us on Monterey. Looking forward to this!
Stephen, 22 hours ago: I think the thing I'm trying to understand is how the Mac retains the knowledge that it requires an internet connection at the Setup Assistant, even after a DFU restore.
Stephen, 22 hours ago: I'm assuming that a setting is stored somewhere on the Mac that isn't wiped by DFU?
Graham M (Apple), 22 hours ago: It's using the Activation Server.
David, 22 hours ago: But if the machine is not connected to the internet, how does it know it needs to connect to the internet to proceed?
David, 22 hours ago: It can't access an Activation Server if it is offline.
Stephen, 22 hours ago: Thank you @David, that's my question :laughing:
Stephen, 22 hours ago: There must be something that persists on the Mac, post-DFU restore, that forces the Mac to need an internet connection at the Setup Assistant.
Graham M (Apple), 21 hours ago: When Configurator restores the device it must talk with the activation server to collect the UCERT for the device, and the setting will be included in that.
----------
Mike S (Apple), Yesterday at 11:42 AM
Question for the group: What payloads and restrictions are most important to you and your organization?
Eric, 22 hours ago: Concerning the new OS, ability to allowlist Launch Daemons, Launch Agents, and Helpers. Ability to prevent users from enabling or disabling these for security software.
Frederick, 22 hours ago: On the current shipping OS, we use the iCloud restrictions for DLP reasons, and the software update delays to give us some time for testing before the whole fleet gets updated.
Christopher, 22 hours ago: In lab environments the most important would be AD binding, and wired 802.1X configurations. Having AD bind be a predicate available to trigger other changes. Also if the AD payload could be expanded to support adding computer objects to specific AD security groups. Everything in our environment is tied to AD — and I just have to work in it. Payloads mentioned above by Eric. Payload for Safari extension management. On the softer side, again for labs, I'd love to see better Dock management via payloads, i.e. Dock not having to relaunch to add items, ability to have a list of apps that only add to the Dock if the app path exists, maybe even the option of a call-out that appears over a newly added icon: "Photoshop is now available."
----------
Mike S (Apple), Yesterday at 11:43 AM
Question for the group: Did you know that applications can now be installed on a supervised iOS device while it's in the Awaiting Configuration state in Setup Assistant? What kinds of apps do you plan to deploy in that state? Why is it important to install them then, before the user reaches the home screen?
Frederick, 22 hours ago: I was just learning that this morning. I think the biggest use for us will be signage/kiosk iPads that we use - getting the app loaded before proceeding means the transition from Setup Assistant to ASAM will be much smoother.
Alex, 22 hours ago: This is a great change btw, thank you to the team!
Battle scars talking
Blayn, 22 hours ago: Very excited for this opening up some possibilities - just unsure of how it will be taken advantage of; will it require implementation from the MDM vendor?
Sergio, 22 hours ago: Aside from the basic things, like Company Portal, most of the apps we install require user affinity because different job roles require different apps, so I'm not sure we'll be installing many during AwaitConfiguration initially, but it's a very nice option to have.
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:47 AM
@Eric asked: This is probably something you can't talk about, but will Business Essentials be bringing any MCX-derived features? Custom settings for macOS apps in particular.
Adam S (Apple), 22 hours ago: Hey Eric, thanks for the question. Are you looking to define custom settings for apps from the Mac App Store or just macOS apps in general?
Eric, 22 hours ago: macOS apps in general. In particular Google Chrome and Microsoft apps that use them heavily for policies.
Adam S (Apple), 22 hours ago: Thanks for the clarification. Nothing to announce today, but definitely file feedback if this is something you'd like to see in the future.
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:47 AM
@Alex asked: Rapid Security Response: what mechanisms are available to vendors to surface the state of each device versus known CVEs, since the OS version will not be the truth? Will the build version increment?
Mike S (Apple), 22 hours ago: Yes, the build version will be different!
Alex, 22 hours ago: Awesome Mike! And it would decrement/change back if the user removes a response?
Mike S (Apple), 22 hours ago: Yes!
Alex, 21 hours ago: Woot! Any chance one of those "rapids" happens during the beta cycle so we see it in action?
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:51 AM
@Alex asked: Rapid Security Response sounds awesome. Is there an ability to set "Install System data and Files" to "On" on iOS with MDM, so that our mutual customers can ensure their users' devices get the latest security updates? We see macOS is already covered with CriticalUpdateInstall.
Danielle D (Apple), 22 hours ago: Not at this time, but this is great feedback.
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:52 AM
@Sergio asked: We're using Jamf Connect in our environment to sync the IdP password (Azure AD) to the local Mac password, but per company initiatives toward a Zero Trust environment, we're looking at separating the local Mac password from the IdP password, similar to Windows Hello for Business. It sounds like Platform SSO, in this iteration, will only do password syncing. Would it be possible to make the password syncing optional?
Jesse E (Apple), 22 hours ago: You do not need to use password auth / password syncing. You can configure Platform SSO to use a Secure Enclave-backed key for user authentication to the IdP, instead of password-based auth. The IdP must have implemented support for this. But assuming it has, then this will give you (and the user) the desired experience.
Sergio, 22 hours ago: Cool. Is there documentation on that available yet?
Eric, 22 hours ago: @Sergio Developer docs are here: https://developer.apple.com/documentation/authenticationservices/asauthorizationproviderextensionregistrationhandler
Eric, 22 hours ago: Also be sure to check out AppleSeed for IT. It was updated with WWDC information including Platform SSO.
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:53 AM
@John asked: The ACME payload docs at the top say iOS/iPadOS/tvOS but the table shows Shared iPad. Can you clarify?
Graham M (Apple), 22 hours ago: This is a great call-out! I'll follow up with our documentation writer to get this correct. In the meantime you can check out our new GitHub docs: https://github.com/apple/device-management/blob/seed_iOS-16_macOS-13/mdm/profiles/com.apple.security.acme.yaml
John, 22 hours ago: Thanks @Graham M (Apple). We are LOVING the GitHub!
Blayn, 22 hours ago: Fully agree with @John - a welcome venue to get this documentation. Great idea!
Graham M (Apple), 22 hours ago: @John I'm so glad!! It's something we were so excited to get out for everyone!
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:58 AM
@Eric asked: I could probably figure this out experimentally, but could MCX-based custom settings be edited at least temporarily by an admin user modifying plists in the "/Library/Managed Preferences" folder?
Graham M (Apple), 22 hours ago: They will persist temporarily, but MCX will remove them at an arbitrary time in the future, therefore we would not recommend this flow.
Eric, 22 hours ago: I'm more worried about a user temporarily bypassing a third-party software policy.
Graham M (Apple), 21 hours ago: Great point, please file feedback on this!
Eric, 21 hours ago: I'll file it. Thanks!
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 11:59 AM
@John asked: Enhancement request of sorts - while not the most performant, could there be a way to query the device for all information rather than specifying each data point you want?
Graham M (Apple), 22 hours ago: Our goal is to have MDM servers asking for the data they need, not just all the data all the time. If there are specific use cases where you believe this would be helpful, feel free to file feedback for it.
John, 21 hours ago: That's fair, thanks @Graham M (Apple). We did file feedback FB9873561, but really we're just noting that on macOS, if you send no Query key in DeviceInformation, macOS automatically sends back everything. This is undocumented, but we were curious if it would ever be officially supported. Good to know your stance on this one!
Graham M (Apple), 21 hours ago: Definitely something that is not officially supported.
----------
Device Management - Ask a Question (WORKFLOW), Yesterday at 12:00 PM
@Christopher asked: Are there improvements to the deferral install notification for the user? Currently it just disappears on click instead of opening System Preferences; it also requires the user to expand it to see all the available install options.
Danielle D (Apple), 21 hours ago: Not at this time, but please file feedback if you see this behavior with System Settings.
Christopher, 21 hours ago: Already have! :slightly_smiling_face: FB9898920
----------