Last week’s WWDC included nearly 200 sessions. Most of them focused on topics of interest primarily to developers (rightly enough), but many had announcements of interest to Apple admins as well. If you weren’t able to virtually attend, or if you missed some sessions that sounded interesting, not to worry: Here are the 10 announcements we think were of greatest relevance to those who manage Apple devices.
1. Declarative Management
Declarative management is the biggest update to MDM since the protocol launched in 2010. Declarative management allows a device management solution (such as Kandji) to preload a number of configurations on managed devices. Those configurations then lay dormant on the devices, activated only when certain conditions are met. This means devices can become more autonomous and proactive, which means better performance and scalability.
When Apple introduced declarative management last year, the protocol was available only on iOS and iPadOS 15 devices with User Enrollment. This year, Apple enabled the declarative approach for all types of devices and enrollment types. The company also expanded the protocol's communications, adding new status reports (which use a dedicated status channel) and improved syntax for rules that define how a device is to be managed.
For more details, see our post “WWDC 2022: Apple Advances Declarative Device Management.”
2. Single Sign-on
A few years ago, with the release of macOS 10.15 Catalina and iOS and iPadOS 13, Apple introduced single sign-on extensions, which enabled users to authenticate to apps and services using the credentials they’d established with an identity provider (IdP). But even then, users had to sign in once to unlock the device, then sign in again to the extension. More importantly, for that to work, IdPs had to enable those extensions—and few did.
Judging by two of the announcements Apple made this week, however, it’s clear that the company remains committed to making true single sign-on a reality.
The first of these announcements was Platform Single Sign-on. In macOS 13 Ventura (slated to ship this fall), this framework will indeed allow users to sign in once at the login window and, in so doing, also be signed in to apps and websites that use the organization’s IdP for authentication.
Apple also introduced a form of single sign-on specifically for User Enrollment. With Enrollment Single Sign-on, Apple has created a new way for iOS and iPadOS devices to enroll in a device management solution and to access apps and services, all with a single authentication.
For more on both forms of SSO, check out our report “WWDC 2022: How Apple Plans to Make True Single Sign-On a Reality.”
3. Endpoint Security APIs
Apple unveiled its endpoint security API back in 2020, providing a way for security solutions to monitor system security events for potentially malicious activity. By the time macOS Monterey was released in 2021, that API could keep an eye out for more than 100 events in the system kernel.
With macOS Ventura, the company will expand the set of events that the API can observe to user space. That includes events in XProtect, the Malware Removal Tool, authentication events, screen-sharing sessions, SSH, and more. These additions to the API mean developers will no longer need to rely on the deprecated OpenBSM audit trail.
For more details, check out the session “What’s new in Endpoint Security.”
4. Managed Device Attestation
Enterprise security relies less and less on firewalls and VPNs and more and more on individual services—such as device management—establishing trust with users and devices. Managed device attestation is a new security feature for iOS, iPadOS, and tvOS that will use the Secure Enclave to provide strong assurances about client devices, such as their identity and software version, to establish that trust.
By preventing attackers from stealing a device’s private keys, spoofing legitimate devices, or lying about a device’s properties, such attestations can ensure that only legitimate devices connect to organization resources while thwarting attackers.
To learn more, see the WWDC session “Discover Managed Device Attestation.”
5. Rapid Security Response
Rapid Security Response is a new feature that delivers security updates and fixes to devices on a faster cadence than normal OS update mechanisms. This feature will be available on iOS 16, iPadOS 16, and macOS Ventura.
The fixes delivered via Rapid Security Response don’t need to adhere to the software update delay mechanisms that apply to regular updates. Rapid Security Response patches only apply to the latest minor OS versions, so if the latest minor version of the OS has been delayed, then the subsequent Rapid Security Response updates will be too. Mac admins will be able to control the behavior of Rapid Security Response via MDM.
For details on this and items #6-10 that follow, check out the WWDC session “What’s new in managing Apple devices.”
6. Managed Software Updates
At WWDC, Apple touted several enhancements—two recent, one new—to macOS software updates.
The recent improvements include a new option called Priority, which lets admins push minor operating system updates as soon as possible; assigning an update a value of High or Low controls the scheduling priority for downloading and preparing it.
As of macOS 12.3, Mac admins can also get more visibility into the update status of their fleets, thanks to some new status messages. The numbers of maximum and remaining deferrals, the next scheduled install, and a history of update notifications are all visible.
Finally, the company says that, when macOS 13 is released, computers will be able to respond to software update commands even when they’re sleeping or in PowerNap.
7. Accessory Security
Accessory security has been available in iOS and iPadOS for some time, but with macOS 13 it will also be available on Mac computers with Apple silicon. This feature defends against close-access attacks by preventing USB and Thunderbolt devices from automatically connecting to a Mac without user approval. If the Mac is locked, the user will be prompted to unlock the Mac before the accessory can be approved and connected.
Users will have four options for allowing accessories to connect: Ask every time; Ask for new accessories; Automatically when unlocked; and Always. Approved accessories can be connected to a locked Mac for up to 3 days from the last lock; after that, any attempt to attach the accessory will prompt the user again. MDM solutions will be able to control this behavior using the existing allowUSBRestrictedMode restriction (which is being extended to support macOS).
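As an added example (not code from the original post, Kandji, or Apple), here is a small Python audit for the restriction mentioned above: it parses a constructed .mobileconfig, finds Restrictions payloads (PayloadType com.apple.applicationaccess), flags an explicit allowUSBRestrictedMode=false as weakening accessory security, and shows the corrected setting beside it. The sample profile and its identifiers are constructed for the demo.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
KEY = "allowUSBRestrictedMode"  # default is true; false disables accessory approval

# Constructed sample profile (not a real deployment): one Restrictions payload
# that sets allowUSBRestrictedMode to false, the weak setting.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.accessory-demo</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.restrictions</string>
      <key>allowUSBRestrictedMode</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_accessory_security(profile_bytes: bytes) -> list[str]:
    """Return one finding per Restrictions payload that turns accessory approval off."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        # A missing key keeps Apple's default (true), so only an explicit false is a finding.
        if payload.get(KEY, True) is False:
            ident = payload.get("PayloadIdentifier", "<no id>")
            findings.append(f"{ident}: {KEY}=false lets accessories connect to a locked device")
    return findings


def harden_accessory_security(profile_bytes: bytes) -> bytes:
    """Return the profile re-serialized with accessory approval enforced (the corrected setting)."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            payload[KEY] = True
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for line in audit_accessory_security(SAMPLE_PROFILE):
        print("WEAK:", line)
    print("after hardening:", audit_accessory_security(harden_accessory_security(SAMPLE_PROFILE)))
```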
8. Apple Configurator for iPhone
Last year, Apple introduced a version of Apple Configurator for iPhone that allowed admins to add Mac computers that weren’t purchased from Apple or an authorized reseller to their instances of Apple Business Manager (or Apple School Manager).
This year, the company is adding Apple Configurator for iPhone support in iOS 16 and iPadOS 16, so it can also add iPhone and iPad devices. To add a device to an Apple Business Manager account, admins wait for the iPhone or iPad to reach the Choose a Wi-Fi Network pane in Setup Assistant, then use their own iPhone to scan an image. Devices that require interactive activation—because of Activation Lock or cellular carrier activation—will need that done manually before they can be added with Apple Configurator for iPhone.
9. Require Enrollment on Mac Computers
Automated Device Enrollment requires internet access during Setup Assistant, so the device can enroll in the device management solution. However, until now, Mac computer users could manually opt to skip the internet connection step in Setup Assistant and so bypass enrollment.
Following a future release of macOS Ventura, Mac devices that have been restored or erased at least once will require an internet connection to proceed through Setup Assistant, thus making Automated Device Enrollment mandatory.
10. Google Workspace Integration
News about this one has actually been trickling out for a couple of months now, but Apple used its platform at WWDC to say it again: Apple Business Manager now integrates with Google Workspace as an identity provider.
That means that Apple Business Manager (as well as Apple School Manager) can automatically synchronize user records from Google Workspace with an organization’s Managed Apple IDs. In addition, users of Apple devices can utilize a Google Workspace federated login to authenticate into their work iCloud account and access Apple cloud services—such as FaceTime and Messages—that work with Managed Apple IDs.
This requires setting up an integration in Apple Business Manager (or Apple School Manager), and devices will have to be updated to the latest OS versions (iOS 15.5, iPadOS 15.5, and macOS 12.4).
Kandji remains committed to bringing the latest Apple technologies to life to make admins' lives easier and more productive. With powerful and time-saving features such as zero-touch deployment, one-click compliance templates, and plenty more, Kandji has everything you need to bring your Apple fleet into the modern workplace.