Apple WWDC 2020: What’s new with Apple device management?

Apple’s midyear event, the Worldwide Developers Conference (WWDC), was entirely virtual this year. WWDC 2020 set the stage for announcements about new operating systems, new software, and new technologies for software developers and consumers alike.

Consumers have a lot to look forward to, as WWDC unveiled a range of interesting new features. App Library and App Clips for iOS, and Control Center for macOS, are some of the noteworthy developments.

Apple has launched its new OS versions: iOS 14, iPadOS 14, and macOS Big Sur. For Macs, Apple is switching from Intel processors to custom ARM-based CPUs designed in-house, as it has already done for iPhones and iPads. According to Apple, the change will bring a “whole new level of performance” together with more efficient use of power.

What do all these developments mean for Apple device management? Let’s have a look at what’s new in managing Apple devices in the 2020 version of WWDC.

Managing macOS Big Sur

1. Automated device enrollment and setup

As with earlier macOS releases, the organization needs an Apple Business Manager or Apple School Manager account for zero-touch deployment (formerly Apple DEP). Organization-owned devices are automatically enrolled in the MDM as soon as the user selects a language and connects to Wi-Fi. Enrollment customization allows for brand customization and authenticated enrollment; authenticated enrollment is useful for third-party integrations such as Microsoft Active Directory and Okta. IT admins can pre-populate the macOS account name and select which steps are shown in Setup Assistant.

Auto Advance for Mac

Going a step further in automated enrollment and setup, Auto Advance for Mac skips all the setup steps and boots the Mac straight to the login window within seconds. All you have to do to use this feature is plug in power and an Ethernet cable. A prerequisite is that the network must support DHCP. If the disk is encrypted, the password is still required to gain access to the device.

2. Lights Out Management for Mac Pro

Admins can remotely start up, reboot, or shut down one or more Macs even when they are unresponsive. This is accomplished by sending a command from the MDM server to an MDM-enrolled controller on the Mac network. Lights Out Management requires:

  • macOS Big Sur
  • The MacBook Pros to be on the same subnet
  • The Lights Out Management payload to be installed.

How does it work?

One of the enrolled Macs on the local network acts as the LOM controller, and all the other enrolled MacBook Pros act as LOM devices connected to that controller. The MDM server sends the command to the LOM controller, which in turn distributes it to the other enrolled Macs on the network.

3. Supervision for User Approved MDM

The announcement of supervision for User Approved MDM has changed the face of Apple device management. Admins now have the same control over user-enrolled devices as they have over devices enrolled through Apple Business/School Manager. They can query, list, and delete local users, control Activation Lock bypass, install supervised restrictions profiles via MDM, and even schedule software updates.

4. Managed Software Update

Using an MDM, IT admins can now manage software updates on enrolled Macs. IT can manage software updates in the following ways:

  • Force the managed Macs to accept a software update.
  • Defer major OS and non-OS updates for up to 90 days.
  • Remove the software update catalog.
  • Remove the Ignore flag (for major updates only).

5. Managed Mac Apps

Managed apps have been around for a long while on iOS devices; for Macs, they are a welcome addition. Managed Mac apps can be removed by an MDM command or when the device is unenrolled. As with managed apps on iOS, app configuration and feedback are supported for managed Mac apps. Unmanaged apps can be converted to managed apps through the MDM solution if the device was enrolled using Automated Device Enrollment.

6. Content Caching Information

Content caching is a macOS service that speeds up software installation and reduces Internet data usage for Macs on the same network. Content already downloaded by one local Mac is saved in a content cache so that other devices can retrieve it without fetching it from the Internet again.

The Content Caching Information command helps IT admins determine whether content caching is turned on and working properly for users. It returns key details such as the registration state, cache pressure, and bytes served, among others.

7. Bootstrap Tokens for Easy Security

Bootstrap tokens are encryption keys, provided by the MDM server, that are used to create admin accounts on macOS devices without requiring a password for authentication. Instead of complicated workflows for creating admin and user accounts, the bootstrap token lets users obtain a secure token and boot a Mac that uses FileVault. This is a much-requested feature for network accounts. Once implemented, admins can also take advantage of authorized software updates and kernel extensions. Bootstrap tokens are supported on all the latest Macs with the Apple T2 Security Chip.

8. Preventing accidental installations of downloaded Profiles for Mac

On iOS devices, downloaded profiles have to be installed manually from the device settings to prevent accidental installation of potentially harmful profiles. This behavior is now implemented for Macs too. To install a downloaded profile, the user has to go to System Preferences > Profiles > Downloaded Profiles, preview the profile, and install it using the user password.

The user can choose not to install the downloaded profile. Once downloaded, the profile stays in the System Preferences pane for eight minutes before being removed.

9. Preventing silent profile installs from the command line

For enhanced security, fully silent installation of profiles from the Terminal is no longer supported as of macOS Big Sur. A profile installed from the Terminal is treated as a downloaded profile: the user has to go to System Preferences manually and install it, just as with any downloaded profile. All other features of the profiles command-line tool remain the same and work as expected; only installs are no longer allowed.

10. networksetup Limitations for Standard Users

The networksetup tool makes it easy for users to view and edit network settings from the Terminal. Previously, admin and standard user accounts had the same level of control over networksetup. With Big Sur, there is now a clear set of limitations for standard accounts. Standard users can:

  • Read network settings
  • Turn Wi-Fi on or off
  • Change the Wi-Fi access point.

Device security is further hardened by a new Privacy setting: “Require an administrator password to access system-wide preferences”. However, admins can get around this setting using the sudo command.

11. Format change for Serial Numbers

Serial numbers of Mac devices serve not only as unique identifiers but also as the basis for Automated Device Enrollment. The existing 12-character serial numbers contain bits of identifiable information, such as where and when the device was built. To prevent malicious use of this identifiable data, Apple will now use completely random 10-character serial numbers.

Managing iOS 14 and iPadOS 14

1. Locations for Volume Purchased Apps and Books in Apple Configurator

Apple Configurator is a great way to deploy iOS, iPadOS, and tvOS devices when time is of the essence: devices can be configured quickly and easily with the Apple Configurator app over a USB cable. Apple Configurator now supports Locations for Apps and Books provided by Apple Business/School Manager. Locations can be used to distribute entirely different sets of apps and books to different devices, as the enterprise requires.

2. Setup Assistant Skip options

The Setup Assistant skip keys allow you to skip setup panes and reach the device’s home screen in a minimum of steps. Two new keys have been introduced for this purpose:

  • Getting Started
  • Update Completed

The Setup Assistant payload can be used to skip the setup panes during an upgrade on all supervised devices.

3. Shared iPad for Business

Schools have been using Shared iPad to provide a personalized experience for students even when they share devices. Now businesses can use Shared iPad too, with users signing in using Managed Apple IDs created in Apple Business Manager. This feature should prove a boon for service industries such as restaurants taking orders from customers.

With Microsoft Azure Active Directory integration, users can sign in to shared iPads using federated authentication. Shared iPad also supports the Single Sign-On extension.

Additionally, Shared iPad supports a dynamic number of cached users, which lets you set the amount of storage allotted to each user. The IT admin can also delete all users of a shared iPad at once.

How to use a shared iPad without a Managed Apple ID?

Users can sign in to a shared iPad temporarily without needing a Managed Apple ID. On signing out, all data associated with the temporary session is deleted. It is a quick and easy way to use a shared iPad with minimum hassle.

4. Prevent the uninstallation of Managed Apps

To prevent users from removing or offloading critical managed apps, specific managed apps can be marked as non-removable. When a user attempts to delete or offload such an app, an alert is displayed and the action is blocked.

5. Managed Open-in for My Shortcuts

Shortcuts are a productivity feature for getting things done quickly. What does managed open-in for Shortcuts mean? Data flow between managed and unmanaged apps and services is blocked, so when a shortcut triggers an action in which that data flow is not allowed, the shortcut stops running immediately. This ensures that organizational data is protected from accidental leakage.

6. Managed Notification Previews

Device and data security can never be compromised. With managed notification previews, you can prevent apps from displaying message previews in notifications. The IT admin can choose to show previews always, only when the device is unlocked, or never. This feature is available only on supervised devices.

7. Set Time zone for managed devices

Remote management of devices across different locations around the world is becoming the norm, so setting the correct time zone is an essential capability for IT admins. For devices located in different parts of the world, Apple has introduced the ability to set a specific time zone for each individual device. This feature does not depend on the device’s location services.

8. Per Account VPN for iOS

Virtual Private Networks allow users to send and receive data across public networks. iOS supports three types of VPN:

  • Full Tunnel: All traffic passes through the VPN.
  • Split Tunnel: Only selected traffic passes through the VPN.
  • Per-App VPN: Only traffic from specific apps flows through the VPN.

The newly introduced Per-Account VPN for iOS lets you choose a replacement VPN for the Contacts, Calendars, and Mail domains. Just as an app’s traffic can be associated with a VPN, individual accounts can now be associated with a VPN.

Encrypted DNS

Connections to a DNS server are often unencrypted. Encrypted DNS settings let you enhance security without having to configure a VPN, and encrypted DNS can be managed using an MDM solution.

9. Wi-Fi MAC Address Control

Beginning with iOS 14, a new privacy feature has been introduced: whenever a device connects to a Wi-Fi network, it uses a random MAC address instead of the device’s original MAC address. On enterprise networks and captive portals, this may result in unexpected behavior. If the device fails to join such a network, it falls back to its original MAC address. The feature can be disabled by the user in the device settings, and the IT admin can also disable it using the Wi-Fi payload.
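Before rolling iOS 14 onto a network that relies on stable MAC addresses (MAC-based allow lists, captive portal sessions), an admin will want to know which clients are already presenting randomized addresses. The following is an added example, not code from the original post: randomized Wi-Fi addresses are locally administered MACs (the U/L bit, 0x02 in the first octet, is set), so DHCP server logs can be scanned for that bit. The dnsmasq-style log format and the lease lines are constructed assumptions.

```python
"""Flag DHCP clients that use locally administered (randomized) MAC addresses.

Added example, not from the original post. The U/L bit is a standard IEEE 802
property of MAC addresses, not an Apple-specific detail; the log lines below
are constructed samples in a dnsmasq-like DHCPACK format (an assumption).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample DHCP server log (not real leases or real devices).
SAMPLE_DHCP_LOG = """\
dnsmasq-dhcp[512]: DHCPACK(eth1) 10.20.0.31 3c:22:fb:12:34:56 printer-01
dnsmasq-dhcp[512]: DHCPACK(eth1) 10.20.0.44 6a:3d:9e:ab:cd:ef
dnsmasq-dhcp[512]: DHCPACK(eth1) 10.20.0.45 a4:83:e7:00:11:22 jane-mbp
dnsmasq-dhcp[512]: DHCPACK(eth1) 10.20.0.46 da:11:22:33:44:55 ipad
dnsmasq-dhcp[512]: DHCPDISCOVER(eth1) 02:00:00:aa:bb:cc
"""

# Only completed leases (DHCPACK) carry an assigned IP alongside the MAC.
ACK_RE = re.compile(
    r"DHCPACK\(\S+\)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet is set (randomized/private MAC)."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_dhcp_acks(log_text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs for every DHCPACK line in the log."""
    leases = []
    for line in log_text.splitlines():
        match = ACK_RE.search(line)
        if match:
            leases.append((match.group("ip"), match.group("mac").lower()))
    return leases


def report(log_text: str) -> Dict[str, object]:
    """Split leases into randomized and globally unique (OUI-based) addresses."""
    leases = parse_dhcp_acks(log_text)
    return {
        "total": len(leases),
        "randomized": [ip for ip, mac in leases if is_locally_administered(mac)],
        "global": [ip for ip, mac in leases if not is_locally_administered(mac)],
    }


if __name__ == "__main__":
    summary = report(SAMPLE_DHCP_LOG)
    print(f"{len(summary['randomized'])} of {summary['total']} leases use a "
          f"randomized MAC: {summary['randomized']}")
```

A set U/L bit is an indicator, not proof of an iOS 14 device: virtual interfaces and other operating systems also use locally administered addresses, so the flagged hosts are the ones to check against any MAC-based allow list before the rollout.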

To sum up…

Each update of Apple’s OS platforms brings with it a wide array of tempting features for consumers and professionals alike. Many ground-breaking features and technologies announced at WWDC 2020 could totally change the face of Apple device management as we know it.

Hexnode MDM is an award-winning Enterprise Mobility Management vendor that helps businesses secure and manage BYOD and COPE devices, apps, and content.