What’s new in managing Apple devices
Discover the latest updates to declarative device management, Apple Business, and Apple School Manager. Explore how these advancements help you streamline deployment, strengthen security, and improve the experience for people using your managed devices. Whether you're building device management solutions or managing enterprise fleets, you'll learn practical ways to take advantage of these new capabilities.
Chapters
- 0:00 - Introduction
- 0:41 - Apple services
- 2:34 - Device management
- 9:33 - App management
- 14:56 - Identity Integrations
- 19:46 - Education
WWDC26
Hello and welcome! My name is Cyrus Daboo and I am an engineer on the Device Management team. I'm here to show you what's new in managing Apple devices.
Here's what I have for you. I'll discuss what's new in Apple services, then cover a number of additions to declarative management, followed by updates to app management and details of new identity management features. I'll finish off with a quick update on some education-related technologies.
First, some updates to Apple services for business and education. Apple Business is a new all-in-one platform that combines tools for businesses of all sizes to effectively run and grow their organization.
This includes a big expansion, with Apple Business now available in over 200 countries and regions. This gives your organization features like zero-touch deployment, Managed Apple Accounts for users, and the new built-in device management features.
This makes it easier for businesses to quickly get started with managing Apple devices.
To support automation of these new features, there are new APIs for Apple Business, including creating Blueprints and Configurations, modifying users and groups, app license information, and getting audit events.
These join the existing APIs to list servers, devices, and inventory, manage the assignment of inventory to device management servers, and get AppleCare warranty details for devices.
Be sure to check out the documentation on the new APIs to start building them into your products.
There's also a new volume licensing mechanism for subscriptions in App Store apps. This allows IT administrators to purchase and manage app subscriptions. It'll be available later in Apple Business and Apple School Manager. You can use a device management service to assign app subscriptions using the same workflows that already exist for distributing apps at scale. Take a look at the "Offer subscriptions to groups and organizations" video for all the details.
These are exciting new features, and Apple Business and Apple School Manager will continue to evolve to meet the needs of IT teams everywhere.
Now I'll cover changes to device management support on Apple devices. I want to start by revisiting a core pillar of Apple's device management story. "The future of device management is declarative management" - which describes the move to declarative management. But the future is now.
Declarative management isn't something on the roadmap anymore. It's here. It's shipping. It's in production across fleets around the world. If you're managing devices today without using it, you're working harder than you need to. So now "The standard for device management is declarative management." The declarative management enhancements I'll cover here weren't built in isolation.
They were built alongside the great new hardware that was recently released. There is incredible momentum in business and education, thanks in part to all new Mac computers. MacBook Neo is great for many first-time Mac users, particularly in K-12 and higher education.
And the performance improvements in the latest MacBook Air and MacBook Pros are ideal for the demanding AI workflows popular in enterprise.
Together, this tells one clear story: the Mac, and the full Apple device lineup, isn't just a choice for business and education. It's the choice.
To make it easier to switch to a new Mac, a new managed migration feature is available to help migrate data while preserving device management enrollment and settings.
To activate this, a new declarative configuration is deployed to the device right after device management enrollment.
This gives IT administrators control over which accounts, files, and security and privacy settings are migrated. Migration Assistant reports declarative management status, so IT administrators can monitor the progress of migration. These settings are shown to the user, but they're locked. All the user needs to do is click Continue to begin the migration process. This is a great way to get your users up and running with a new Mac.
The 26.4 releases also included new declarative configurations for Apple Intelligence, Siri, and keyboard settings.
And in the latest releases, these configurations have been updated to provide IT administrators granular controls for the individual Apple Intelligence and Siri features that are now available to users.
Now I'll go over how you can leverage the power of the declarative management data model, starting with credential management. Configuration profiles have limits on how they can reference credentials, often forcing large profiles to be used, and making the update process inefficient. Since the declarative model supports a many-to-many relationship, multiple configurations can reference a single credential.
Configuration profiles that use credentials are being transitioned to declarative configurations, so managing the lifecycle of credentials is much more efficient.
When you need to refresh a credential, your server only needs to change the asset, and the device takes care of updating all the configurations that use it.
Here are the new configurations.
Whenever these configurations need a credential, be it a certificate, identity, or password, a declarative asset is used for the credential data.
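To make the many-to-many point concrete, here is a small server-and-device model of the declarative data model described above. It is an added illustration written for this page, not Apple's code or schema: the declaration `Type` strings, the `AssetReferences` payload key and the per-kind lists in the declaration-items response are stand-ins modeled on the protocol's shape (`Type`, `Identifier`, `Payload`, `ServerToken`, and a top-level `DeclarationsToken`), not verified schema keys. The point it shows is that rotating the credential changes exactly one `ServerToken`, so the device only re-fetches the asset, while the server can still enumerate every configuration that will be re-applied as a result.

```python
"""Toy model of the declarative management data model: one credential asset
referenced by several configurations, per-declaration ServerTokens, and a
DeclarationsToken the device uses to decide what to re-fetch.
Added illustration for this page, not Apple's code; Type strings and the
AssetReferences key are placeholders, not the real schema."""
import hashlib
import json
from copy import deepcopy


def _token(payload) -> str:
    """ServerToken: opaque value that changes whenever the declaration's content changes."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()[:16]


class DeclarationStore:
    """Server-side store of declarations keyed by Identifier."""

    def __init__(self):
        self.declarations = {}  # Identifier -> {Kind, Type, Identifier, Payload, ServerToken}

    def put(self, kind, identifier, type_, payload):
        """Create or update a declaration; the ServerToken is derived from the payload."""
        self.declarations[identifier] = {
            "Kind": kind, "Type": type_, "Identifier": identifier,
            "Payload": deepcopy(payload), "ServerToken": _token(payload)}

    def declaration_items(self):
        """Shape of a declaration-items response: per-kind lists of
        {Identifier, ServerToken} plus a DeclarationsToken over all of them."""
        items = {"activations": [], "configurations": [], "assets": [], "management": []}
        for d in self.declarations.values():
            items[d["Kind"]].append({"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]})
        for lst in items.values():
            lst.sort(key=lambda x: x["Identifier"])
        return {"DeclarationsToken": _token(items), "Declarations": items}

    def configurations_referencing(self, asset_id):
        """Every configuration that will be re-applied when this asset changes."""
        return sorted(i for i, d in self.declarations.items()
                      if d["Kind"] == "configurations"
                      and asset_id in d["Payload"].get("AssetReferences", []))


def device_sync(known, current):
    """Device-side sync: compare cached {Identifier: ServerToken} against the new
    declaration-items and return identifiers that are new or whose token changed."""
    changed = []
    for lst in current["Declarations"].values():
        for item in lst:
            if known.get(item["Identifier"]) != item["ServerToken"]:
                changed.append(item["Identifier"])
    return sorted(changed)


def demo():
    """Constructed sample: one certificate asset shared by a Wi-Fi and a VPN configuration."""
    store = DeclarationStore()
    store.put("assets", "asset.corp-ca", "com.example.asset.credential.certificate",
              {"Reference": {"DataURL": "https://mdm.example.com/assets/corp-ca-v1.pem"}})
    store.put("configurations", "config.wifi", "com.example.configuration.wifi",
              {"SSID": "Corp", "AssetReferences": ["asset.corp-ca"]})
    store.put("configurations", "config.vpn", "com.example.configuration.vpn",
              {"Server": "vpn.example.com", "AssetReferences": ["asset.corp-ca"]})
    items = store.declaration_items()
    # What the device has cached after its first sync.
    cached = {i["Identifier"]: i["ServerToken"]
              for lst in items["Declarations"].values() for i in lst}
    # Credential rotation: only the asset changes, so only its ServerToken moves.
    store.put("assets", "asset.corp-ca", "com.example.asset.credential.certificate",
              {"Reference": {"DataURL": "https://mdm.example.com/assets/corp-ca-v2.pem"}})
    new_items = store.declaration_items()
    return {
        "tokens_differ": items["DeclarationsToken"] != new_items["DeclarationsToken"],
        "refetched": device_sync(cached, new_items),
        "affected_configs": store.configurations_referencing("asset.corp-ca"),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the configurations never change during rotation: their tokens are stable, so a fleet-wide credential refresh costs one asset fetch per device rather than a re-push of every profile that embedded the old credential.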
The status channel is another powerful element of declarative management.
It removes the need for servers to continually poll devices for state changes.
The new release adds a number of declarative status items, such as the enrollment type, awaiting device configuration, return to service state, Shared iPad, the device's current push token, and several more. Plus there's a new status item to indicate if Lockdown Mode has been turned on by the user.
A new feature that the status channel exposes is device system health monitoring. iOS and iPadOS devices can report issues with hardware components to users through the Settings app. Now iOS and iPadOS 27 can provide this same information in a new declarative management status item for device system health.
This includes hardware components such as the baseband, camera, Face ID, Touch ID, and more.
This gives IT administrators a comprehensive view of device health across their entire fleet, so they can take proactive action and keep users productive.
Another new feature for device management is one that streamlines the process of collecting and submitting logs to AppleCare for analysis.
Today, AppleCare support staff have a way of providing customers with a link that triggers an enhanced log collection process on the device. In iOS, iPadOS, tvOS and macOS 27 releases, IT administrators can now start enhanced log collection on organization-owned devices.
That is done by using the new TriggerEnhancedLogCollection command.
This lets IT teams facilitate AppleCare's collection of these vital logs when needed.
And declarative status is available to help IT teams monitor this process.
Another area with expanded status is Content Caching. Content Caching reduces bandwidth usage and speeds up installation of software updates, applications, Apple Intelligence, and other content on Apple devices, by storing those items on Mac computers hosted on the local network.
Content caching servers can be scaled to support large organizations with widespread networks. In macOS 27, there's now a declarative configuration to control the Content Caching service on a Mac, and new declarative status items to report on the state of the service. This gives IT administrators a direct way to monitor the health of their content caching server fleet. Also, content cache servers have a new feature that allows them to directly send their own reports to an arbitrary HTTPS endpoint.
This allows more sophisticated monitoring consoles to be built to help IT administrators. All these new status items provide device management services with even more ways to report useful and critical information to IT administrators and support staff. Remember, adding support for declarative status items is a simple matter of subscribing to the items, and the device then sends any changes to the status values to your server as they occur.
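The subscribe-then-receive model described here and in the status channel passage above is easy to get wrong on the server side (polling anyway, or treating every report as a full snapshot). The following is an added example written for this page, not Apple's code or schema: the `Type` of the subscription declaration and the three item names are placeholders in the dotted naming style, and the report layout (a nested `StatusItems` dictionary plus an `Errors` list) is an assumption about shape. It keeps the last known value of each subscribed item per device, treats each incoming report as a partial update, and raises alerts on the transitions a support team would care about, such as Lockdown Mode being enabled or a hardware component reporting a non-OK state.

```python
"""Server-side handling of declarative status reports.

A status-subscriptions management declaration names the items the device
should report; the device then sends a report whenever a subscribed value
changes, so the server never polls. Added illustration for this page, not
Apple's code or schema: the declaration Type, the item names and the report
layout are placeholders, not verified keys."""
import json

_MISSING = object()

# Constructed subscription declaration (placeholder Type and item names).
STATUS_SUBSCRIPTION = {
    "Type": "com.example.management.status-subscriptions",  # placeholder
    "Identifier": "mgmt.status-subs",
    "Payload": {"StatusItems": [
        {"Name": "device.operating-system.version"},
        {"Name": "security.lockdown-mode.enabled"},  # placeholder name
        {"Name": "device.system-health"},            # placeholder name
    ]},
}

# Which value transitions deserve an alert to support staff.
ALERT_RULES = {
    "security.lockdown-mode.enabled": lambda old, new: new is True and old is not True,
    "device.system-health": lambda old, new: any(
        c.get("State") != "ok" for c in (new or {}).get("Components", [])),
}


def lookup(tree, dotted):
    """Resolve a dotted item name against the nested StatusItems dictionary."""
    node = tree
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


class StatusTracker:
    """Keeps the last known value of each subscribed item per device."""

    def __init__(self):
        self.state = {}   # device id -> {item name -> last value}
        self.alerts = []  # (device id, item name, value)

    def ingest(self, device_id, report_json):
        """Apply one report as a partial update; return the items that changed."""
        report = json.loads(report_json)
        prev = self.state.setdefault(device_id, {})
        changed = {}
        for sub in STATUS_SUBSCRIPTION["Payload"]["StatusItems"]:
            name = sub["Name"]
            value = lookup(report.get("StatusItems", {}), name)
            if value is _MISSING or prev.get(name, _MISSING) == value:
                continue  # not in this report, or unchanged
            changed[name] = value
            rule = ALERT_RULES.get(name)
            if rule and rule(prev.get(name), value):
                self.alerts.append((device_id, name, value))
            prev[name] = value
        for err in report.get("Errors", []):  # declaration errors ride in the same report
            self.alerts.append((device_id, "error", err))
        return changed


def demo():
    """Two constructed status reports from one device: a baseline, then a change."""
    tracker = StatusTracker()
    baseline = json.dumps({"StatusItems": {
        "device": {"operating-system": {"version": "27.0"},
                   "system-health": {"Components": [{"Name": "camera", "State": "ok"}]}},
        "security": {"lockdown-mode": {"enabled": False}}}})
    update = json.dumps({"StatusItems": {
        "device": {"system-health": {"Components": [{"Name": "camera", "State": "degraded"}]}},
        "security": {"lockdown-mode": {"enabled": True}}}})
    first = tracker.ingest("udid-constructed-0001", baseline)
    second = tracker.ingest("udid-constructed-0001", update)
    return {"first": first, "second": second, "alerts": tracker.alerts}


if __name__ == "__main__":
    print(demo())
```

Note that the second report omits the OS version entirely and the tracker leaves the cached value alone; a report is a change notification, not a full inventory, so an absent item must never be read as "value cleared".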
Another important area of device management is managing and configuring apps. This is one of the most important aspects of device management. So now I'll describe the changes in this release for app management. First, the declarative app configuration feature available in iOS, iPadOS, and visionOS is now coming to macOS 27. This allows for secure provisioning of managed apps with credentials and configuration, including the ability to use hardware-bound keys and to enable Managed Device Attestation support for authenticating apps and extensions with enterprise services.
This opens the door to more secure enterprise app deployment and configuration on macOS. Please encourage your enterprise app developers to adopt the ManagedApp framework in their products to help keep your organization operating smoothly and securely.
Next, packages. macOS 27 now gives IT administrators the option to remove all the files and directories that were installed by a declarative management package when the package configuration itself is removed.
This ensures unwanted data and files are not left behind on devices when no longer needed.
Now I want to cover privacy settings.
Disclosure and consent is a key element of Apple's approach to privacy. This means users are presented with prompts when apps, or websites in Safari, try to access features like the camera, microphone, or location. For some workers this means having to tap through multiple prompts for the apps they use every day. These prompts may be quickly dismissed by users, resulting in improperly configured apps. To streamline this process, in iOS, iPadOS and macOS 27, there is a new consolidated privacy consent prompt, which is shown when an app is first launched or a website first appears in Safari. Let's examine how this works for apps. The prompt shows the name of the organization and app, a justification string provided by the IT administrator, and details of each component whose privacy default is being recommended, along with the app's own justification for each one. This gives the user a clear picture of what is being asked for, why, and by whom.
There are two buttons in the prompt. If the user chooses Allow, then the defaults are applied to the privacy settings, and no additional prompts appear as they use the app. If the user chooses Not Now, then consent prompts appear when they use the app and it accesses the components, just like the unmanaged state.
Importantly, the Allow button is the default button, and is clearly highlighted to steer the user towards making the right choice. The same prompt for apps also applies to websites asking for privacy permissions in Safari. The same elements are present, and again the default button is clearly shown. Here are the privacy components that can be managed for both apps and websites. IT administrators determine which of these a user needs access to in their apps, or on websites, and then they create a declarative configuration that lists the app or website, together with the selected components.
These new controls preserve user privacy while eliminating multiple prompts. They also give IT administrators the comfort of knowing that users are now more likely to make the right choice.
Now let's turn our attention to a critical part of managing apps on macOS: the ability to control which apps, and other binaries are running.
Mac computers contain a collection of apps from the App Store, and other binaries and executables likely installed from outside the App Store. Many of these are managed, but there are many more that are installed intentionally or unintentionally by the user, and those don't always comply with the organization's requirements.
Organizations need control over allowed binaries to meet compliance regulations. So, in macOS 27, new declarative management settings are available to control binary execution. This uses the Endpoint Security framework to allow or deny binary execution, and to shut down any processes associated with a binary that has been denied.
There are flexible rules to match binaries, which utilize code signing properties, to ensure the matched binaries are indeed the ones the IT administrator wants to control.
There is also an option to automatically allow any managed app, without having to add specific rules for each one.
The new app privacy controls and binary blocking restrictions are part of a new declarative app.settings configuration. And the Safari website permissions are part of the existing declarative safari.settings configuration.
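The rule semantics in the binary execution passage above (match on code-signing properties, deny and terminate, optionally auto-allow managed apps) are easiest to reason about as a small policy evaluator. The following is an added example written for this page, not Apple's schema or Endpoint Security code: the rule fields (`team_id`, `signing_id`, `cdhash`), the decision order (deny rules first, then the managed-app exemption, then allow rules, then the policy default) and the `processes_to_terminate` helper are all assumptions for illustration. The detail worth copying is that a rule keyed on signing properties only matches when the signature actually validates, so a binary that merely claims a trusted team identifier cannot satisfy an allow rule.

```python
"""Toy evaluator for allow/deny rules that match binaries on code-signing
properties, with an option to auto-allow managed apps and a helper that
reports which running processes belong to denied binaries.
Added illustration for this page, not Apple's schema or Endpoint Security code;
rule fields and decision order are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SignedBinary:
    path: str
    team_id: Optional[str]     # Team ID carried in the code signature
    signing_id: Optional[str]  # signing identifier (usually the bundle ID)
    cdhash: Optional[str]      # code directory hash
    valid_signature: bool      # did the signature validate?
    managed: bool              # installed as a managed app by device management


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    team_id: Optional[str] = None
    signing_id: Optional[str] = None
    cdhash: Optional[str] = None

    def matches(self, b: SignedBinary) -> bool:
        # Signing properties are only meaningful when the signature validates;
        # an unsigned or tampered binary must never satisfy a rule by claim alone.
        if not b.valid_signature:
            return False
        checks = [(self.team_id, b.team_id), (self.signing_id, b.signing_id), (self.cdhash, b.cdhash)]
        constrained = [w is not None for w, _ in checks]
        return any(constrained) and all(w is None or w == have for w, have in checks)


@dataclass
class Policy:
    rules: List[Rule]
    auto_allow_managed: bool = True
    default: str = "allow"  # fallback when nothing matches; "deny" gives an allow-list

    def decide(self, b: SignedBinary) -> str:
        # Deny rules win outright; the managed-app exemption cannot override them.
        if any(r.action == "deny" and r.matches(b) for r in self.rules):
            return "deny"
        if self.auto_allow_managed and b.managed:
            return "allow"
        if any(r.action == "allow" and r.matches(b) for r in self.rules):
            return "allow"
        return self.default


def processes_to_terminate(policy: Policy, running: List[Tuple[int, SignedBinary]]) -> List[int]:
    """Given (pid, binary) pairs, return the pids whose binary the policy denies."""
    return [pid for pid, b in running if policy.decide(b) == "deny"]


def demo():
    """Constructed binaries and rules; team IDs, paths and hashes are made up."""
    policy = Policy(rules=[Rule("deny", signing_id="com.example.unwanted"),
                           Rule("allow", team_id="TEAMID0001")],
                    auto_allow_managed=True, default="deny")
    managed = SignedBinary("/Applications/Corp.app/Contents/MacOS/Corp",
                           "TEAMID0001", "com.example.corp", "cd01", True, True)
    unwanted = SignedBinary("/Users/u/Downloads/Tool.app/Contents/MacOS/Tool",
                            "TEAMID0002", "com.example.unwanted", "cd02", True, False)
    forged = SignedBinary("/tmp/helper", "TEAMID0001", "com.example.corp", "cd03", False, False)
    vendor = SignedBinary("/Applications/Vendor.app/Contents/MacOS/Vendor",
                          "TEAMID0001", "com.example.vendor", "cd04", True, False)
    decisions = {b.path: policy.decide(b) for b in (managed, unwanted, forged, vendor)}
    running = [(101, managed), (202, unwanted), (303, forged)]
    return {"decisions": decisions, "terminate": processes_to_terminate(policy, running)}


if __name__ == "__main__":
    print(demo())
```

With `default="deny"` the policy behaves as an allow-list, which is the posture a compliance regime usually asks for; flipping it to `"allow"` turns the same rules into a block-list that only stops what is explicitly denied.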
These are great new capabilities for controlling apps, binaries, privacy prompts and more.
Now I'll cover another important enterprise feature for Mac computers: the use of platform single sign-on to integrate with identity providers.
The last few releases have significantly improved and enhanced Platform SSO on macOS, to simplify setup and better support shared workflows. All of it is grounded in the goals of making login more intuitive and highly secure, and providing more phishing-resistant ways for organizations to keep their users and their data on Mac computers safe.
And we are taking Platform SSO even further with macOS 27, starting with a new login and unlock experience. Right from the start it's clear to the user they are using their organization's credentials. Users can enter their password or use Touch ID, as they do today.
Touch ID is the most secure and convenient way for users to unlock their Mac, but until now it's been optional. New in macOS 27 is the ability for IT administrators to require users to use Touch ID in addition to entering their password on organization devices, offering a built-in second factor. This is enforced when logging in, at screen unlock, and even for the FileVault unlock process.
Modern authentication standards allow for many different ways to authenticate users, offering security features to prevent phishing attacks, as well as adapting the authentication interface to match organization branding, security policies, and user demographics. This includes one-time codes for multi-factor authentication, push notifications for conditional access workflows, and QR codes for password-free sign-in, designed for young learners and shared-device environments like healthcare, retail, and logistics. And there are lots more. To support these, macOS 27 introduces a new web-based authentication option for Platform SSO. Identity providers and organizations now have the ability to use a secure web view that renders in the login window and screen unlock. This can run any modern authentication flow, including custom challenge-response sequences. The web view operates within a tightly controlled execution context managed by the operating system, to ensure organizations and users are protected. Also, the web view can scan a QR code. When a scan is initiated, the camera operates entirely within a secure system process, completely isolated from the web view itself. The web page only receives the decoded data from the QR code, never the raw camera feed or any image data.
This ensures that websites can't capture images of the user or their surroundings, even inadvertently. Web authentication works across the login window, screen unlock, and the FileVault unlock process, and it provides secure and enforceable authentication. Offline authentication is also supported, to ensure continuity of access without weakening the security posture of unconnected devices. For enterprises, this opens up deep customization such as localized sign-in pages, accessibility-optimized flows, conditional prompting based on device state, and seamless integration with existing identity infrastructure. Developers like Authentik, ClassLink, and Identity Automation are working to enable the new web-login and QR code support for Platform SSO in their products.
Now let's cover Authenticated Guest Mode with Platform SSO. It allows users, such as a nurse or doctor going from room to room, to quickly and securely log in to a shared Mac in a temporary session. macOS 27 now extends this capability to allow an authenticated guest user to also sign in on FileVault-protected Mac computers, to unlock FileVault itself. So full disk encryption is now available to protect the data on the device as the authenticated guest user uses it, ensuring compliance with data protection regulations. This functionality is automatically available on devices configured for Authenticated Guest Mode, and doesn't require additional configuration.
Authentication shouldn't be a barrier, it should be a bridge. And the best sign-in is the one users don't even have to think about.
These new identity and login capabilities give organizations the flexibility to design experiences that feel effortless for users, and the confidence that security is assured.
Finally, a quick look at some updates to our education offerings.
I just covered Authenticated Guest Mode for macOS, and now I can share that it is also coming to Shared iPad later in this release. When enabled, iPad boots into a temporary session and presents a login screen, where users sign in with their Managed Apple Account. The sign-in can use native authentication or federated authentication with an identity provider, with full support for Single Sign-On. In the temporary session, users see their user name in the top-left corner of the screen. Also, the temporary session shares device capacity with the system, with no hard quotas, making use of storage much more flexible. When they sign out from the lock screen, all local data and the Managed Apple Account are automatically removed from the device. This is a great addition to Shared iPad that gives you even more ways to deploy it.
Devices such as iPads and Mac computers have become the norm for classroom learning, but it's often hard for teachers to keep students focused on the task at hand during class. I am pleased to announce a new guided browsing feature in the Classroom app. Using the Classroom app, teachers can lock the websites that students can interact with to one or more tabs. And they can lock students to a single tab for an immediate focal point. Teachers can configure which websites to use in this mode by entering them directly, or by using bookmarks they prepared while planning the class work. They can limit students' ability to navigate inside or outside of websites. And they can grant access to the camera and microphone, and students have agency over whether they remain enabled. They can navigate one student or many to the set of chosen websites. The student devices open the guided browser and show the appropriate websites. Taken together, these capabilities help address a key problem in classrooms today.
So, that's a quick overview of some of the exciting new features, available in Apple devices and platforms in this release. All the device management object schema and documentation are available for you right now on the open source GitHub site, and developer.apple.com.
Also check out the "App Attest" video, which provides details on new ways to securely identify enterprise apps.
And finally there's the "Assessment mode" video for all the new features available to assessment mode app vendors.
The standard for device management is declarative management, and with great new Mac hardware and powerful mobile devices, combined with the great new device management features in this release, you can make it your standard. You can provide your users with the best in class experience everyone expects from Apple devices. Now's the time for device management vendors, and identity providers, to build support for these features, so IT administrators can deliver them to users without delay. Thank you and enjoy the rest of your WWDC.
- 0:00 - Introduction
An overview of what's new across Apple services, declarative device management, app management, identity integrations, and education technologies.
- 0:41 - Apple services
Apple Business, a new all-in-one platform now available in over 200 countries, with new APIs for Blueprints, configurations, users, and audit events, plus a volume licensing mechanism for App Store subscriptions.
- 2:34 - Device management
Declarative management as the new standard, including a managed migration feature that moves data to a new Mac while preserving enrollment and settings.
- 9:33 - App management
Declarative app configuration comes to macOS 27 with hardware-bound keys and Managed Device Attestation, package file cleanup on removal, and new privacy settings controls.
- 14:56 - Identity Integrations
Platform SSO enhancements on macOS 27, including a new login and unlock experience and the option for administrators to require Touch ID as a built-in second factor.
- 19:46 - Education
Authenticated Guest Mode comes to Shared iPad, and a new guided browsing feature in the Classroom app lets teachers lock students to specific websites or a single tab.