Notes from What's New in Apple Device Management (Tuesday, June 23rd, 2020)

What's New in Managing Apple Devices

Starting with managing and deploying macOS Big Sur

Automated Device Enrollment

Enrollment customization allows the use of various IdPs for authentication:

Azure Active Directory
Okta
Ping

Other IdPs may also work, but none beyond these were named in the session.

Information from the authentication pane can be used to populate the user's full name (aka Display Name) and the account shortname.

The session also mentioned an option to choose whether user channel management should be used; no details were given.

Setup Assistant can be customized to show or hide various windows.

ADE allows Macs running Big Sur to be automatically supervised during activation.

Zero-touch ADE setup has been available for Apple TVs for a while and the capability is now coming to the Mac as well.

All setup screens are skipped and the Mac goes directly to the OS's login window.

Auto Advance for Mac Requirements:

Power
Ethernet connection with DHCP
MDM solution with Apple Business Manager / Apple School Manager

If the disk is encrypted with FileVault, Auto Advance cannot complete unattended: a password must still be entered to unlock the disk.


Lights Out Management for Mac Pro

Remotely start up, shut down and reboot a Mac Pro


Requirements:

MDM server
MDM-enrolled Lights Out Management (LOM) Controller
macOS Big Sur
The LOM Controller and the Mac Pro being controlled must be on the same subnet, and IPv6 must be active.

For diagrams showing how LOM works, see session video.


User-approved MDM

On previous versions of macOS, a Mac enrolled via User Approved MDM was not considered supervised. This changes on macOS Big Sur: any Mac enrolled via user-approved MDM is now treated as supervised.

Supervision for user-approved MDM:

Control Activation Lock bypass
Bootstrap tokens for FileVault
Query, list and delete local users
Remove or replace profiles
Install restrictions that MDM previously allowed only on supervised devices
Schedule software updates

Managed Software Update

Force software updates
Defer major OS updates for 90 days
Defer non-OS updates for 90 days
Removal of the software update catalog
Removal of the Ignore Flag

Force software updates: force Macs to install pending software updates and then reboot.

Removal of the Ignore Flag is for major updates only.


Managed Mac apps

Apps can be removed by MDM command and on un-enrollment
iOS-style managed app configuration and feedback is now supported on macOS
MDM can convert an unmanaged app to a managed app
Managed app conversion is not supported for user-enrolled devices.

Content Caching:

Support has been added for hosting Internet Recovery
  • The initial boot image for Internet Recovery isn't included, but the full 6 GB recovery image is cached by the caching service.

New MDM command for Content Caching: Content Caching Information
Tethered caching via profile


Security improvements

More functionality for bootstrap tokens
Bootstrap token: a reserved key generated by the Mac and escrowed with your MDM server. It allows accounts created through MDM (including admin accounts) to receive a SecureToken without an existing SecureToken admin having to authenticate with their password.

Bootstrap tokens enable user accounts to get a Secure Token, which is necessary to enable an account for FileVault.

Bootstrap Tokens:

Enable users to get Secure Token
Supported on latest Macs with T2 chips
Authorize software updates and kernel extensions
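As an added example (not from the session or from Apple), the following shell script interprets the state these notes describe: whether the Mac's bootstrap token has been escrowed with the MDM server, and whether a given local account already holds a SecureToken and can therefore be enabled for FileVault. The `profiles status -type bootstraptoken` and `sysadminctl -secureTokenStatus` commands are real macOS tools, but the exact output strings the parser matches, and the sample output used for the offline demo, are assumptions based on what those tools print on macOS 10.15.4 and 11; verify them against your own Macs.

```shell
#!/bin/sh
# Added example: classify bootstrap-token escrow and SecureToken state.
# Not code from the session or from Apple. The output strings matched below
# are what `profiles` and `sysadminctl` print on macOS 10.15.4/11 as far as
# the example author knows; treat them as an assumption and verify locally.

# bootstrap_token_state <output of: sudo profiles status -type bootstraptoken>
# Prints SERVER_UNSUPPORTED, ESCROWED, NOT_ESCROWED or UNKNOWN.
bootstrap_token_state() {
  case "$1" in
    *"supported on server: NO"*) echo SERVER_UNSUPPORTED ;;
    *"escrowed to server: YES"*) echo ESCROWED ;;
    *"escrowed to server: NO"*)  echo NOT_ESCROWED ;;
    *)                           echo UNKNOWN ;;
  esac
}

# secure_token_state <output of: sysadminctl -secureTokenStatus <user>>
# sysadminctl reports "Secure token is ENABLED|DISABLED for user <name>"
# (on stderr, so callers must redirect 2>&1). Prints ENABLED, DISABLED or UNKNOWN.
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# filevault_ready <bootstrap_state> <securetoken_state>
# An account can be enabled for FileVault only once it holds a SecureToken.
# Per the session notes, an escrowed bootstrap token lets the account obtain
# one without an existing SecureToken admin typing a password.
filevault_ready() {
  if [ "$2" = ENABLED ]; then
    echo yes
  elif [ "$1" = ESCROWED ]; then
    echo via-bootstrap-token
  else
    echo no
  fi
}

# check_live [user]: run the real tools when present (macOS); skip elsewhere.
# `profiles status -type bootstraptoken` needs root, hence sudo.
check_live() {
  user="${1:-$(id -un)}"
  if command -v profiles >/dev/null 2>&1 && command -v sysadminctl >/dev/null 2>&1; then
    bt=$(bootstrap_token_state "$(sudo profiles status -type bootstraptoken 2>&1)")
    st=$(secure_token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
    echo "live: bootstrap=$bt securetoken($user)=$st filevault=$(filevault_ready "$bt" "$st")"
  else
    echo "live: profiles/sysadminctl not available on this host, skipped"
  fi
}

# Constructed sample output (not captured from a real Mac) so the example
# runs offline: token escrowed, but user jdoe has no SecureToken yet.
SAMPLE_BT='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_ST='2020-06-23 10:00:00.000 sysadminctl[512:9001] Secure token is DISABLED for user jdoe'

demo() {
  bt=$(bootstrap_token_state "$SAMPLE_BT")
  st=$(secure_token_state "$SAMPLE_ST")
  echo "sample: bootstrap=$bt securetoken(jdoe)=$st filevault=$(filevault_ready "$bt" "$st")"
}

demo
check_live
```

The useful case for a fleet report is the combination ESCROWED plus DISABLED: the account cannot be FileVault-enabled yet, but the MDM can fix that without anyone knowing an existing admin's password. NOT_ESCROWED plus DISABLED means a technician will have to supply SecureToken credentials by hand.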


Profiles

Silent (automated) installation of configuration profiles can now only be performed by an MDM. The profiles command line tool can no longer install profiles directly.

Downloaded Profiles

Brought over from iOS
Workflow designed to prevent mistaken or malicious installation
User must manually install profiles
User has the option of ignoring and not installing the profile
Downloaded profile remains visible and available in the Profiles preference pane for eight minutes.

When using command line tools to install profiles, the profile will be treated as if it were downloaded and you'll have to complete the install in the Profiles preference pane.

Profiles command line tool functions remain the same, with the exception of installing profiles.
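An added example (not from the session or from Apple) of how a deployment script has to change under this behaviour: it stages a profile with `profiles install`, then polls `profiles list` for the profile's identifier until the user has approved it in the Profiles pane or the eight-minute window has passed. The `-path` flag spelling and the `profiles list` line format the parser expects (`... attribute: profileIdentifier: <id>`) are the example author's assumptions; the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the session or Apple. Assumes Big Sur's `profiles`
# syntax (`profiles install -path <file>`, `profiles list`) and that each
# installed profile appears in `profiles list` on a line ending in
# "attribute: profileIdentifier: <identifier>". Verify on your own Macs.
# Run with sudo to see computer-level profiles in `profiles list`.

# profile_installed <identifier> <output of: profiles list>
# Returns 0 when a line names exactly this identifier, 1 otherwise.
# Exact last-field match avoids com.example.wifi matching com.example.wifi.guest.
profile_installed() {
  printf '%s\n' "$2" | awk -v id="$1" '
    /attribute: profileIdentifier: / && $NF == id { found = 1 }
    END { exit found ? 0 : 1 }'
}

# install_and_wait <file.mobileconfig> <identifier> [timeout_seconds]
# On macOS Big Sur the `profiles` tool can no longer install silently: the
# profile is only staged in System Preferences > Profiles, where it stays
# visible for eight minutes (480 s) unless the user installs or ignores it.
# Returns 0 once the profile is listed, 1 on timeout, 2 if staging failed.
install_and_wait() {
  file="$1"; ident="$2"; timeout="${3:-480}"
  profiles install -path "$file" || return 2
  echo "Profile staged; the user must click Install in System Preferences > Profiles."
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if profile_installed "$ident" "$(profiles list 2>/dev/null)"; then
      echo "Profile $ident installed after ${elapsed}s."
      return 0
    fi
    sleep 10
    elapsed=$((elapsed + 10))
  done
  echo "Profile $ident not installed within ${timeout}s (approval window expired)."
  return 1
}

# Constructed sample of `profiles list` output (not from a real Mac).
SAMPLE_LIST='_computerlevel[1] attribute: profileIdentifier: com.example.wifi.guest
_computerlevel[2] attribute: profileIdentifier: com.example.vpn
There are 2 configuration profiles installed'

demo() {
  for id in com.example.wifi com.example.wifi.guest com.example.vpn; do
    if profile_installed "$id" "$SAMPLE_LIST"; then
      echo "$id: installed"
    else
      echo "$id: missing"
    fi
  done
}

demo
# Live use on a Mac: install_and_wait /path/to/wifi.mobileconfig com.example.wifi
```

The point of the timeout is that a non-zero exit is now a normal outcome, not an error in the script: the user either declined or never looked at the pane, and the deployment tool has to re-stage the profile or fall back to pushing it through MDM, which remains the only silent path.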

networksetup command line tool limitations for standard users

Previously, both standard and admin users had control over the networksetup command line tool. Now, certain limitations have been put in place for standard users.

Standard users are now limited to:
  • Read network settings

  • Turn WiFi power on and off

  • Change the WiFi access point

Admins should use sudo for the networksetup functions that are no longer available to standard users.

Automated Device Enrollment uses serial numbers to identify Macs. Because the current format embeds identifiable information about the device, Apple is changing its serial number format.

Serial number format change:

Alphanumeric string of 10 characters
Current products will use existing format, while new products may use the new format.
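As an added example (not from the session), a small shell classifier shows why the change matters for anyone who pastes a serial into a ticket, a screenshot or an enrollment request. Apple has never published the layout of the old 12-character serial, but community analysis has long read it as three characters of manufacturing plant, one of year, one of week, three of unit sequence and four of model; those field positions are an assumption of this example, not a documented format, and the serials used below are made up. A randomized 10-character serial gives a parser nothing to pull apart.

```shell
#!/bin/sh
# Added example, not from the session or Apple. The 12-character field layout
# (PPP Y W SSS CCCC: plant, year, week, unit, model) is community analysis,
# not Apple documentation; treat it as an assumption. Serials here are made up.

# normalize <serial>: strip whitespace and upper-case the string.
normalize() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'a-z' 'A-Z'
}

# serial_format <serial>: prints LEGACY12, RANDOM10 or INVALID.
# Anything other than A-Z/0-9, or a length other than 12 or 10, is rejected.
serial_format() {
  s=$(normalize "$1")
  case "$s" in
    *[!A-Z0-9]*) echo INVALID; return 0 ;;
  esac
  case "${#s}" in
    12) echo LEGACY12 ;;
    10) echo RANDOM10 ;;
    *)  echo INVALID ;;
  esac
}

# serial_fields <serial>: for the legacy format, print the fields a curious
# reader can lift off the serial (where and roughly when the unit was built,
# and which model it is); for the new format, report that nothing is parseable.
serial_fields() {
  s=$(normalize "$1")
  if [ "$(serial_format "$s")" != LEGACY12 ]; then
    echo "no-structured-fields"
    return 0
  fi
  printf 'plant=%s year=%s week=%s unit=%s model=%s\n' \
    "$(printf '%s' "$s" | cut -c1-3)" \
    "$(printf '%s' "$s" | cut -c4)" \
    "$(printf '%s' "$s" | cut -c5)" \
    "$(printf '%s' "$s" | cut -c6-8)" \
    "$(printf '%s' "$s" | cut -c9-12)"
}

demo() {
  # Made-up serials in each format (not real devices), plus two rejects.
  for s in C02ABCDEFGH1 ABC1234XYZ 'C02-ABCDEFGH1' ''; do
    printf '%-15s %-9s %s\n' "[$s]" "$(serial_format "$s")" "$(serial_fields "$s")"
  done
}

demo
```

The practical consequence for MDM administrators is that nothing in a new-format serial can be used to group devices by model or production batch; that information has to come from the device record (ABM/ASM or the MDM inventory) instead.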


macOS Management updates:

Configuration Profile Updates:

Accessibility Greyscale key deprecated
Associated Domains option to allow direct downloads
Configure Lights Out Management
Downloaded profiles require manual install via the Profiles preferences pane.
Single Sign-On extension supports the User channel
VPN App Mapping updates
VPN: Maximum Transmission Unit (MTU) setting added


New Restrictions

Force Delayed App and Software Updates


New MDM Commands

Content Caching information
Bootstrap Token status
Force restart for Software Updates
Gather Managed App Feedback and App List
Install and Remove Managed Apps
LOM Setup Request and Device Request
Specify short name for local account
Supported LOM Device


iOS

Enable direct downloads for internal websites
WiFi MAC Address access control
Managed Open in Shortcuts
Encrypted DNS
SCEP key size supports 4096 bits
Locations for Apps and Books
MDM Certificate Pinning
Skip Setup Assistant panes
List eSIM Identifier
Shared iPad for Business
Notifications Privacy
Multiple printers over AirPrint
Allow App Clips restrictions
New Restrictions
Set Time Zone
Per Account VPN
Setup Assistant Configuration
Shared iPad Temporary Session
Scalable cfgutil


Apple Configurator now supports Apps and Books Locations; a Location is a distinct site where devices are kept.

Admins can assign different sets of apps and books for each Location.

cfgutil is now more scalable and supports more devices.

Setup Assistant skip keys have been brought over to iOS from macOS.

Skipping setup assistant panes during upgrades is now possible for all supervised mobile devices, not just those enrolled with ABM/ASM.

Replies

Thank you for your notes