In case you hadn’t heard, Apple is holding its annual Worldwide Developers Conference this week. While the Vision Pro headset and other consumer-oriented hardware got most of the attention, Apple also made some announcements of particular interest to Apple IT admins. It was, in fact, one of the most momentous WWDCs for admins since the spring of 2016.
Here’s an overview of what Apple announced regarding device management at WWDC. We’ll be taking deeper dives into many of these topics in the weeks and months to come.
Expanding Declarative Device Management
One of the most intriguing announcements that Apple made: The company says it is extending its declarative device management (DDM) framework to encompass software updates. That means that end-user devices will take a leading role in deciding when and how to update their own operating systems, potentially making those updates more consistent and more timely.
Declarative device management was first announced back in 2021, and Apple has been iterating on it ever since. At launch, it applied only to user-enrolled iOS and iPadOS devices, and it supported only a small set of configurations and declarations. Since then, Apple has expanded the scope of DDM’s compatibility and capabilities.
At WWDC 2023, that trend continued. Specifically, Apple said that it would be adding software update management and certificate deployment to DDM’s bag of tricks, along with additional status reports and the ability to more easily convert existing MDM profiles to DDM declarations.
It will also give devices more autonomous control over some system services built into macOS, including such standard tools as bash, zsh, and sudo. Stay tuned: We’ll have a deeper look into what’s new with declarative device management soon.
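As an added illustration of the software update management that DDM is gaining (this is example code written for this overview, not Apple's or Kandji's), the block below builds and sanity-checks a software-update enforcement declaration. It assumes Apple's documented declaration type `com.apple.configuration.softwareupdate.enforcement.specific` with a `TargetOSVersion` and a `TargetLocalDateTime` given in local time without a timezone suffix; the identifier, server token and dates are placeholders.

```python
import json
import re
from datetime import datetime

# Assumed declaration type for DDM software update enforcement (Apple's
# documented schema as understood here; verify against current docs).
ENFORCEMENT_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"

# OS versions are dotted numerics such as "14.0" or "14.1.2".
_VERSION_RE = re.compile(r"^\d+(\.\d+){1,2}$")


def validate_enforcement_payload(payload: dict) -> list:
    """Return the problems found in an enforcement payload (empty list = OK).

    Checks what an MDM server should enforce before sending the declaration:
    a dotted TargetOSVersion and a TargetLocalDateTime that is an ISO 8601
    local wall-clock time with no timezone suffix (a trailing 'Z' or
    '+hh:mm' would be rejected by the device, not interpreted).
    """
    problems = []
    version = payload.get("TargetOSVersion")
    if not isinstance(version, str) or not _VERSION_RE.match(version):
        problems.append("TargetOSVersion must be a dotted version string such as '14.0'")
    when = payload.get("TargetLocalDateTime")
    if not isinstance(when, str):
        problems.append("TargetLocalDateTime is required")
    else:
        if when.endswith("Z") or re.search(r"[+-]\d{2}:\d{2}$", when):
            problems.append("TargetLocalDateTime must be local time with no timezone suffix")
        try:
            datetime.strptime(when, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            problems.append("TargetLocalDateTime must look like 2023-09-26T17:00:00")
    return problems


def build_enforcement_declaration(identifier: str, server_token: str, payload: dict) -> dict:
    """Wrap a validated payload in the DDM declaration envelope, or raise ValueError."""
    problems = validate_enforcement_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Type": ENFORCEMENT_TYPE, "Identifier": identifier,
            "ServerToken": server_token, "Payload": payload}


if __name__ == "__main__":
    # Constructed sample values: identifier, token and deadline are placeholders.
    decl = build_enforcement_declaration("example.softwareupdate.sonoma", "token-v1",
        {"TargetOSVersion": "14.0", "TargetLocalDateTime": "2023-09-26T17:00:00"})
    print(json.dumps(decl, indent=2))
```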
New Ways to Deploy Apple Devices
Apple is also planning to make the process of deploying devices to users easier for admins, in a couple of different ways.
First of all, it’s updated Automated Device Enrollment so that admins can be sure the devices they’re putting into production meet their security requirements. Specifically, for Mac computers, Apple is allowing admins to check that FileVault is on, that the Mac is running the right version of macOS, and that the computer is enrolled in MDM if it should be.
Apple has also created a new return-to-service workflow for iOS and iPadOS devices. Currently, if you want to transfer such a device from one user to another, you have to guide it through Setup Assistant manually; you can erase it remotely, but someone still has to intervene physically to complete the transition or use a tool like Apple Configurator. Now, MDM solutions will be able to include additional information in remote erase commands, including the details required to connect to Wi-Fi and enroll in MDM, removing the need for that hands-on intervention.
There are also some nice updates coming to Apple Configurator. On Apple Configurator for iPhone, adding a device to your Apple Business Manager (or Apple School Manager) instance currently takes two steps: First you add the device to your organization in Configurator, then you go to Apple Business Manager (or Apple School Manager) and assign the device to your MDM solution. In the future, that second step won’t be necessary: Admins will be able to automatically assign devices to their chosen MDM solution from Configurator itself.
Apple Configurator for Mac will be getting more support for automation, thanks to the addition of Shortcuts. As with the Shortcuts app on Mac, iPhone, and iPad, Shortcuts in Configurator for Mac will allow you to build workflows from a series of individual actions to do things like updating, erasing, and preparing iPhone and iPad devices.
Again, stay tuned: We’ll take a closer look at these new deployment options soon.
In addition to the above, Apple provided plenty of smaller but still powerful updates relating to the management of Mac computers.
For example, admins will be able to define password requirements for managed devices using regular expressions (if they wish). Apple is also refining the process for letting end users know when their chosen passwords are out of compliance: When a stricter password policy is installed via MDM, the user will see a notification that their password no longer meets its requirements. Compliance with the new policy will be checked every time the user logs in, and notifications will recur as long as the problem persists.
There are also some refinements to the restrictions payloads delivered by MDM. Specifically, when macOS Sonoma ships this fall, admins will have access to new restrictions that will (among other things) prevent users from modifying Apple ID logins and internet accounts, adding new local user accounts, and performing Time Machine backups.
The next version of macOS will also introduce a more refined approach to application management. With macOS Big Sur, admins were given greater power to manage applications, meaning they could configure those apps to be removed via MDM or automatically when a device was unenrolled. But in order to be manageable, an app had to install just one application file in the /Applications folder. With macOS 14, that limitation goes away: A given package will be able to install multiple applications into /Applications, and they’ll all be manageable.
Finally, there’s a sophisticated new security tool coming to Mac. Last year, Apple introduced Managed Device Attestation to iOS, iPadOS, and tvOS. Attestation allowed a device to provide strong evidence about itself—based on its Secure Enclave—which meant the device could prove its own identity to a service. Now that attestation model will be available on the Mac as well.
Managing iOS and iPadOS
In addition to the return-to-service workflow and Apple Configurator updates we described above, iOS and iPadOS will get some new options when it comes to cellular connectivity. Specifically, last year, iPad devices began to support private LTE and 5G networks, thanks to their new ability to install eSIMs through MDM. Now that same support is coming to 5G-capable iPhone models.
On both platforms, searching for and associating with such private networks has required the SIM to be always on, which can drain battery life. Apple says it’s found a more energy-efficient way—using geolocation—to enable such SIMs only when they’re needed to locate a network.
Managed Apple IDs
As you likely know already, Managed Apple IDs are owned and controlled by organizations, which assign them to individual users. Those users can then use those IDs to access organization assets—such as company-owned iPhone and iPad devices—while keeping their personal Apple IDs (and the assets they unlock) separate and private.
At WWDC this week, Apple announced that it’s expanding the list of services available to Managed Apple IDs. That roster now includes Continuity, as well as iCloud Keychain and Apple Wallet.
The company also said that it has created a new set of controls that will allow organizations to more precisely delimit the things Managed Apple IDs can unlock. For example, admins will soon be able to define the management state a device must be in before its user can sign in with a Managed ID.
Apple will also make it easier for organizations to coordinate their Managed Apple IDs by federating with their identity provider (IdP). It will soon support OpenID Connect in Apple Business Manager and Apple School Manager (where Managed Apple IDs are born), opening the door for organizations to federate with a wider range of IdPs.
As we said up top, we'll be diving more deeply into these announcements in the weeks and months to come, as Apple rolls out pre-release versions of its new operating systems and we begin to explore their possibilities.
Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.