Answered questions from Enterprise lab sessions and Slack Q&A:

1. Is device-based MDM user-initiated enrollment going away?

For context, I can have my users go to a URL like this to enroll in my Jamf Pro server: https://jamf.pro.server.here/enroll We have it configured to ask for the Azure AD credentials for authentication. Once provided, a profile downloads to their Mac and the user can then use that profile to enroll their Mac into our Jamf Pro MDM server.

Answer: No, no planned changes as of this time.

2. When using Declarative Device Management Software Update for iOS, if the update was already downloaded over WiFi, but the device is on cellular when the deadline comes, can the update be installed then?

Answer: It should work, because the download happened over WiFi. The limitation is going to be the software update verification, where it needs to be able to send information to the relevant servers back at Apple to verify the software update is valid. This verification should be a small amount of data, so it should be OK.

3. How often and when are Declarative Device Management declaratives evaluated?

For context, non-DDM profiles are only evaluated at install time.

Answer: Changes to the configuration state should be detected and reported as soon as they happen.

Note: Important context to this answer is that the changes will be detected and reported. This does not mean remediation will also happen.

4. What is the suggestion for dealing with lost or stolen Mac devices, which do not have cellular Internet?

For context, with Device Lock, Device Wipe, and Activation Lock, a Mac must connect to the Internet to accept — and, importantly, acknowledge — the command. MDMs typically require a license to send these MDM commands. However, keeping lost/stolen device records around in order to send the commands and report on acknowledged commands can be cost-prohibitive.
Answer: At the moment you can set SetRecoveryLock, and make sure the device is in Apple Business Manager or Apple School Manager. Please send feedback on your suggestions.

5. Can we do automated device enrollment over VPN?

Answer: MDM can't deliver a VPN config before Automated Device Enrollment. Please file an enhancement request to deliver that config and necessary authentication during Device Enrollment.

6. Can we deploy an executable binary using the managed configuration files feature?

For context, this would be used to deploy a tamper-proof management tool on our devices.

Answer: Yes. You can deploy binaries with the Managed Configuration Files feature. The only requirement is to zip the contents before deployment.

7. In ABM / ASM, is there a way to automatically assign a device to a specific MDM? At the moment, this appears limited to automatic assignment by platform (iOS, macOS, etc.)

Answer: That is not something that can be done today, but definitely file feedback if you haven't already!

8. Is there an account role in ABM / ASM which grants the ability to enroll devices using Apple Configurator and nothing else?

For context, the folks doing this currently need to be assigned permissions which include the ability to remove devices from ABM / ASM. This is undesirable and the preference is that folks using Apple Configurator should only be allowed to add devices.

Answer: There isn't a way to do this today, but we've heard similar requests and appreciate the feedback. If you haven't already submitted something, please do.

9. What happens with Declarative Device Management when a user-level setting is applied while the Mac is logged out?

Answer: When the managed user is logged out, the MDM user channel is not active as there is no user process running to communicate with the MDM server. Similarly, the declarative management user agent is not running.
When the user logs in, the various agents will run and if a push from MDM were pending, the agents would quickly sync MDM and declarative state to the device.

10. For iOS/iPadOS, will the "Return to Service" feature allow for automated migration from old to new MDM with reduced friction using the MDMProfileData in the payload?

For context, the EraseDeviceCommand.Command.ReturnToService (https://developer.apple.com/documentation/devicemanagement/erasedevicecommand/command/returntoservice/) allows you to add info for a WiFi network and a new management profile. That new management profile does not need to be the same MDM that the device started with.

Answer: Return To Service is designed to quickly get a device back to a clean state using MDM and without requiring user intervention. If you have additional use cases you'd like to see, please be sure to file feedback.

11. Does Apple's KerberosSSO extension on Sonoma have different capabilities on macOS Sonoma when a management profile for it is deployed as a device-level profile, than when a management profile is deployed as a user-level profile? If so, what are the different capabilities when deploying as a device-level profile as opposed to deploying as a user-level profile?

For context, we have found on macOS Ventura that deploying Apple's KerberosSSO extension on Ventura as a user-level profile blocks the expected functionality of Microsoft's Enterprise SSO plug-in for Apple devices when Microsoft's Enterprise SSO plug-in is managed using a device-level profile. Deploying Apple's KerberosSSO extension as a device-level profile addresses the issue and both Apple's KerberosSSO extension and Microsoft's Enterprise SSO plug-in work as expected when both are managed using device-level profiles.

Answer: There are no changes to Kerberos SSO this year. The set of user-level profiles overrides the set of profiles on the device level. Device-level profiles should be used unless there are user-specific differences.
If there is a specific scenario that needs both user and device settings, we would appreciate your feedback with more details about the setup and steps to re-create.

12. For the Platform SSO group feature, is there a limit on how many groups will work? If there is a known limit, is there a known number at which failures will occur?

For context, large enterprises can have individual users in hundreds of directory service groups.

Answer: There is an overall limit of 100. However, the expected number is in the 10-12 range if it is being used correctly. The groups should be limited to the ones needed for the Mac itself, not the entire directory. With modern authentication, each client requests the groups it needs for itself. Other client apps should request the groups they need separately.

13. Is there a tool available for creating profiles for DDM?

For context, I would like to have the following options available:

A. Creating a DDM profile which does not include a legacy MDM profile.
B. Creating a DDM profile which does include a legacy MDM profile.

If there is not a tool available, is there documentation on how to create DDM profiles for tasks A and B listed above?

Answer: To include a Declaration inside a Configuration Profile there is no tool available from Apple today. To construct it you would just take each component of the declaration and base64 encode it. We will have an example profile posted on developer.apple.com during the beta period. There is no difference between Configuration types for creating the payload.

14. As part of the "Do more with managed Apple IDs" session, this was said: "Devices enrolled through account-driven Device Enrollment get most of the management capabilities of a profile-based Device Enrollment..." What management capabilities would not be available when doing device enrollment using a Managed Apple ID?
Answer: As per the What's New For Enterprise and Education PDF on AppleSeed for IT, the key differences are:

• Apps installed before enrollment can't be converted to become Managed Apps.
• Managed Apps are always removed during unenrollment.
• Restoring a backup doesn't restore MDM management.
• Users using personal Apple IDs can't accept an invitation for managed app distribution.

Also, the iTunesStoreAccountIsActive device information query doesn't work. For more information, please reference the What's New For Enterprise and Education PDF. It should also be called out in the Open Source YAML.

15. Can DDM be configured to use a relay proxy to talk to the DDM management server?

For context, the idea is that Relays are the new way mentioned in the "What's New in managing Apple Devices" session to provide secure access to enterprise network resources, where Relays are secure proxies. Can an endpoint with DDM management be configured to talk to a Relay, which in turn will send the relevant traffic to a DDM server which otherwise is not externally exposed to the outside Internet? The use case here is that there are shops with security requirements which currently block having internal services, including MDM services, from being exposed to the outside Internet. Being able to configure a Relay to provide secure access would (hopefully) address the problem of managing endpoints once they have left the internal network.

Answer: It should be possible to send a com.apple.relay.managed profile once a device has enrolled with MDM, which would then direct MDM traffic to the relay.
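As an added worked example of the construction described in the answer to question 13 (this is not Apple's example profile, which the answer says was still to be posted, and not code from the page): a Python script that builds a DDM activation and a software update enforcement configuration, derives each ServerToken from the declaration content, base64-encodes every component and wraps the results in a configuration profile. The declaration contents are constructed sample values; the profile payload type and the "Declarations" key are placeholders, because the page gives no profile schema for the wrapper.

```python
import base64
import hashlib
import json
import plistlib
import uuid

# Constructed sample declarations (not from the page): Type/Identifier/ServerToken/
# Payload is the standard DDM declaration shape; the enforcement keys follow
# Apple's device management schema.
CONFIGURATION = {
    "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
    "Identifier": "com.example.ddm.config.osupdate",
    "Payload": {"TargetOSVersion": "14.0",
                "TargetLocalDateTime": "2023-10-02T09:00:00"},
}
ACTIVATION = {
    "Type": "com.apple.activation.simple",
    "Identifier": "com.example.ddm.activation.osupdate",
    "Payload": {"StandardConfigurations": [CONFIGURATION["Identifier"]]},
}

def with_server_token(decl):
    # Derive ServerToken from the content: a changed payload yields a new token,
    # which is what tells the client that the declaration must be re-synced.
    canonical = json.dumps({k: decl[k] for k in ("Type", "Identifier", "Payload")},
                           sort_keys=True).encode()
    return {**decl, "ServerToken": hashlib.sha256(canonical).hexdigest()[:32]}

def encode_declaration(decl):
    # Base64-encode one declaration component, as the answer describes.
    return base64.b64encode(json.dumps(decl, sort_keys=True).encode()).decode()

def decode_declaration(encoded):
    return json.loads(base64.b64decode(encoded))

def build_profile(declarations):
    # Wrap the encoded components in a profile. The payload type and the
    # "Declarations" key are PLACEHOLDERS (assumption): Apple's example profile
    # was not yet published when this was answered; substitute the documented keys.
    payload = {"PayloadType": "PLACEHOLDER.declarations.payload",
               "PayloadIdentifier": "com.example.ddm.profile.payload",
               "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1,
               "Declarations": [encode_declaration(d) for d in declarations]}
    profile = {"PayloadType": "Configuration",
               "PayloadIdentifier": "com.example.ddm.profile",
               "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1,
               "PayloadDisplayName": "DDM software update enforcement",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)
```

Call build_profile([with_server_token(ACTIVATION), with_server_token(CONFIGURATION)]) to get the .mobileconfig bytes; the base64 strings inside decode back to the original JSON components.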