What’s new in Apple device management and identity
Designed for IT administrators, MDM developers, and identity providers, this session covers the latest updates to Declarative Device Management, Apple Business Manager, Apple School Manager, Platform Single Sign-On, and more. Learn how these advancements streamline deployment, strengthen security, and improve the user experience.
Chapters
- 0:00 - Introduction
- 1:11 - Services
- 8:04 - Device management
- 12:18 - App management
- 14:42 - Identity integrations
- 18:33 - Next steps
Resources
- Apple School Manager and Apple Business APIs
- ManagedApp
- Support - Apple Platform Deployment
- Apple School Manager User Guide
- Apple Business Manager User Guide
Related Videos
WWDC25
- 0:00 - Introduction
Learn about enhancing device management for organizations and developers, updates to Apple Business Manager and Apple School Manager, improved device and app management, and new identity integrations, all aimed at balancing user productivity and organizational security.
- 1:11 - Services
Apple Business Manager and Apple School Manager are free web-based services that enhance device deployment and management for organizations. Managed Apple Accounts, designed for work and school, provide IT with full ownership. Last year's updates included the ability for IT to lock domains. This year, administrators can download lists of personal accounts and enforce the use of work accounts on organizationally owned devices, all without MDM dependency. Device inventory is expanded to include more details, such as Activation Lock status, storage, and cellular information. Later this year, MAC addresses for Bluetooth and Wi-Fi on iPhone and iPad will be added, as well as AppleCare coverage information. New APIs allow organizations to interact with device inventory data and MDM server assignment, streamlining management processes. Automated Device Enrollment is now extended to include Apple Vision Pro, and account-driven enrollments are easier to set up, utilizing the MDM server to configure the service discovery URL. A new feature enables device management migration between MDM servers, simplifying the process for acquisitions, shifts in MDM solutions, or changes in infrastructure, and preserving apps and data during the transition. Device management migration is now available within Apple Business Manager and Apple School Manager.
- 8:04 - Device management
Device management is enhanced across all platforms, including Apple Vision Pro and Apple TV. Key updates include the expansion of Declarative Device Management for software updates, which is now the standard method, replacing the older, deprecated MDM system. Safari management is also improved, allowing organizations to control bookmarks and set default homepages. All Safari management is now available in Declarative Device Management. The Return to Service process is streamlined for iPhone, iPad, and now Apple Vision Pro, preserving managed apps during resets, saving time and reducing network strain. Additionally, new features for battery health monitoring, default app settings for messaging and calling, new restrictions to limit Messaging and FaceTime, and a new Network Extension URL Filtering API are introduced.
- 12:18 - App management
iOS, iPadOS, and macOS now offer enhanced app management features for IT teams, including per-app update control, version pinning, real-time visibility into app installations, and cellular download restrictions. These updates, released in iOS and iPadOS 18.4 and visionOS 2.4, and coming to macOS Tahoe, provide greater security and control over managed apps. The new ManagedApp framework enables secure app configurations and customization.
- 14:42 - Identity integrations
Updates to identity integrations for Mac enhance security and user experience. Platform SSO registration is now integrated into Setup Assistant during Automated Device Enrollment, streamlining the process for one-to-one deployments. The system prompts people to authenticate with their identity provider, and creates a local account with synchronized passwords or Secure Enclave-backed keys. For shared-use deployments, Authenticated Guest Mode allows people to log in using their cloud identity, and all data is wiped upon logout. Tap to Login, enabled by NFC readers and corporate badges or school IDs in Apple Wallet, further expedites this process, providing a secure and convenient way for people to access resources in environments like education, retail, and healthcare.
- 18:33 - Next steps
There are also new features for Managed Apple Accounts, including enhanced Services API capabilities, streamlined device migration, improved app distribution, and shared Apple Vision Pro. Platform SSO now allows Mac sign-in with iPhone or Apple Watch. Detailed documentation is available at developer.apple.com.