Apple WWDC 2019 — What’s new and what’s next with Apple device management

User Enrollment

  • A Managed Apple ID that stands alongside the personal Apple ID.
  • The cryptographic separation between personal and work data.
  • Limited management capabilities over the personal apps and data.
  • IT can’t find out what personal apps are installed on the device and so they can’t restrict certain apps’ use.
  • User enrollment won’t support a full device wipe command. For Exchange server just the account-only remote wipe for removing the managed data is possible.
  • Using the per-app VPN feature, traffic from built-in apps will go through the corporate VPN only if the domain matches with that of the business.
  • The Admin won’t get the UDID or any other persistent information about the user device. Instead, there will be a new identifier called the enrollment ID which will be destroyed once the enrollment ends.
  • The MDM has no option to clear the passcode to unlock the device. No complex passcode can be enforced other than a six-digit passcode.
  • User enrollment doesn’t support any of the supervised-only restrictions and some of the basic restrictions.

ABM and ASM enhancements

Managed Apple IDs for business

Custom apps in ASM

Supervision and Mandatory enrollment

Enrollment customization

Single sign-on extension


Other MDM updates

iOS 13 and iPadOS 13

  • Some unsupervised restrictions like iCloud backup, iTunes access, usage of facetime, etc., are depreciated and transitioning into supervised only.
  • New supervised restrictions including the new QuickPath keyboard, Modify Find My Friends, Find My iPhone and Modification of Wi-Fi (whether Wi-Fi is on or off) were introduced.
  • Desktop-class browsing on iPad — With the desktop-class Safari, Apple is basically changing the user agent on Safari to the desktop version to provide a full desktop experience. So, the iPad will be identified as Mac. This may impact your MDM product if you are using the User-agent string to distinguish between iPad and Mac to customize the UI or enrollment flow.

macOS Catalina 10.15

  • Apple Remote Desktop can be enabled and disabled via MDM. Can also configure options like observe and control that is needed for the on-going management of these Macs using remote desktop.
  • Can use removable accounts with Macs using FileVault. MDM servers can manage a new bootstrap token. They ask the client mac for the bootstrap token. Whenever a new user signs in on that Mac it would request the bootstrap token from the MDM server and used to generate the security token needed to boot the Mac.
  • New security enhancements in the privacy policy payload like enable key loggers, enable screen-recording, whitelist non-notarized internal apps.
  • Enabling FileVault via MDM now requires user-approved MDM enrollment.
  • Added an option to clear Activation lock via MDM just as in iOS. It uses the same endpoint and API as iOS.

tvOS 13

  • Managed software updates.
  • Force automatic date and time.
  • Content caching for screen savers.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Hexnode MDM is an award winning Enterprise Mobility Management vendor which helps businesses to secure and manage BYOD, COPE, apps and content.