How Apple is updating mobile device management

As expected, Apple used WWDC to announce a series of significant changes to the management of Macs, iPads, iPhones and Apple TVs in professional and educational environments. These changes largely fall into two groups: those that affect overall device management and those that apply to declarative management (a new type of device management that Apple introduced last year in iOS 15).

It is important to look at each group separately to better understand the changes.

How did Apple change overall device management?

Apple Configurator

Apple Configurator for iPhone has seen a significant expansion. Apple Configurator has long been a manual method of enrolling iPhones and iPads into management, as an alternative to automated or self-enrollment tools. It originally shipped as a Mac app capable of configuring devices, but it had a major drawback: devices had to be connected via USB to the Mac running the app. This had obvious time and labor implications in anything other than a small environment.

Last year, Apple introduced a version of Configurator for iPhone that reversed the workflow of the original: the iPhone app could be used wirelessly to enroll Macs into management. It was primarily used to add Macs purchased outside of Apple’s Business/Education channel to Apple Business Manager (Apple products purchased through the channel can be enrolled automatically with zero-touch setup).

The iPhone incarnation is incredibly simple. During the setup process, you point an iPhone camera at an animation on the Mac screen (much like pairing an Apple Watch) and it triggers the enrollment process.

The big change this year is that Apple has extended Apple Configurator for iPhone to support both iPad and iPhone enrollment using the same process, removing the requirement that devices be connected to a Mac. This greatly reduces the time and effort required to enroll these devices. There is one caveat: devices that require cellular activation or that have been activation locked will need that activation completed manually before Configurator can be used.

Identity management

Apple has made useful changes to managing identities in enterprise environments. Most importantly, it now supports additional identity providers, including Google Workspace and any provider that speaks OAuth 2. (Azure AD was already supported.) These identity providers can be used in conjunction with Apple Business Manager to generate Managed Apple IDs for employees.

The company also announced that support for single sign-on enrollment across its platforms will be implemented after macOS Ventura and iOS/iPadOS 16 arrive this fall. The goal is to make enrollment easier and more streamlined by requiring users to authenticate only once. Apple also announced Platform Single Sign-on, an effort to extend and streamline users’ access to enterprise apps and websites each time they sign in to their device(s).

Application-managed networking

Apple has long had per-app VPN capabilities, which allow only specific enterprise or work apps to use an active VPN connection. This preserves VPN security while limiting VPN load, because only that application’s traffic is sent through the VPN connection. With macOS Ventura and iOS/iPadOS 16, Apple adds per-app DNS proxy and per-app web content filtering. These secure traffic for specific apps and work similarly to per-app VPN, and they don’t require any changes to the apps themselves. DNS proxy supports system-wide or per-application options, while content filtering supports system-wide filtering or up to seven instances per application.

eSIM provisioning

For iPhones that support eSIMs, Apple allows mobile device management (MDM) software to set up and provision an eSIM. This can include provisioning a new device, migrating carriers, using multiple carriers, or setting up for travel and roaming.

Manage accessibility settings

Apple is well known for its extensive set of accessibility features for people with special needs. In fact, many people without special needs also use many of these features. In iOS/iPadOS 16, Apple allows MDM to automatically enable and configure a handful of the most common features, including text size, VoiceOver, zoom, touch accommodations, bold text, reduce motion, increase contrast and reduce transparency. It will be a welcome tool in areas such as special education or hospital and healthcare settings, where devices may be shared among users with special needs.

What’s new in Apple’s declarative management process?

Apple unveiled declarative management last year as an improvement over its original MDM protocol. Its great advantage is that it moves much of the business logic, compliance checking and management work from the MDM service to each device. As a result, devices can proactively monitor their own status. This eliminates the need for the MDM service to constantly poll each device for its status and then issue commands in response. Instead, devices make changes based on their current state and the declarations sent to them, and report the results back to the service.

Declarative management relies on declarations, which contain things like activations and configurations. An advantage is that a single declaration can include multiple configurations as well as activations that indicate when, or whether, a configuration should be activated. This means one declaration can carry all configurations for all users, together with activations that indicate which users each should apply to. This reduces the need for large sets of different configurations, because the device itself can determine which ones should be enabled based on its user.

This year, Apple has expanded the areas where declarative management can be used. Initially, it was only available on iOS/iPadOS 15 devices that used User Enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 will be supported, regardless of enrollment type. This means that device enrollment (including supervised devices) is supported at all levels, as is Shared iPad (a type of enrollment that allows multiple users to share the same iPad, each with their own configuration and their own files).

The company has made it clear that declarative management is the future of Apple device management and any new management features will only be rolled out on the declarative model. Although traditional MDM is available for an indefinite period, it is deprecated and will eventually be retired.

This has major implications for devices already in use. Devices that cannot run macOS Ventura or iOS/iPadOS 16 will eventually be discontinued, and those that remain in service will need to be replaced. Given the number of devices that are no longer supported, this could mean a costly transition for some organizations. Although it won’t be immediate, you need to start figuring out how big and expensive the transition will be and how you’re going to manage it (especially since it’s likely to require a transition to Apple Silicon in the process, which doesn’t support running Windows or Windows applications).

Beyond expanding the products that can use declarative management, Apple has also expanded its functionality, including support for passcode setup, enterprise accounts, and the installation of MDM-managed apps.

The passcode option is more complex than simply requiring a passcode of a certain type. Passcode compliance is traditionally required before certain security-related configurations, such as the corporate Wi-Fi configuration, can be sent to a device. In the declarative model, these configurations can be sent to the device before a passcode is set. They are sent together with the passcode requirement and include an activation that only applies them once the user has created a passcode that complies with the policy. When the user sets a passcode, the device detects the change itself and activates the Wi-Fi configuration without multiple round trips to the MDM service, enabling Wi-Fi immediately and notifying the service that the configuration has been activated.

Accounts – which can include things like mail, notes, calendar, and subscribed calendars – work the same way. A declaration can specify all the account types supported within the organization as well as all the subscribed calendars. The device then determines, based on the user’s account and role(s) within the organization, which of them to activate.

App installation via MDM is the most important addition to declarative management, because installing apps is one of the most burdensome tasks for an MDM and the biggest bottleneck during mass device activations (such as a large onboarding of new employees, a rollout of new devices, or the first day of school). A declaration can specify all potential applications to be installed and be sent to a device upon activation, even before it has been delivered to its user. Again, the device determines which app installation configurations to activate and make available, depending on the user. This saves each device from repeatedly querying the service and downloading applications and their configurations. It also simplifies and speeds up the process of enabling (or disabling) apps if a user’s role changes.
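To make the mechanics described above concrete (a declaration carrying configurations plus activations, the passcode-gated Wi-Fi configuration, and per-user selection of accounts and apps), here is an added Python model. It is an illustration written for this page, not Apple's code and not part of the original article. The declaration envelope (Type/Identifier/ServerToken/Payload), the `com.apple.configuration.passcode.settings` and `com.apple.activation.simple` types and the `@status(passcode.is-compliant)` predicate follow Apple's published declarative management schema; the `example.configuration.*` types, the `user.role` status key and the predicate evaluator itself are constructed simplifications (Apple evaluates NSPredicate expressions; this is a tiny stand-in that only understands equality clauses).

```python
"""Toy model of declarative device management: the device, not the MDM server,
decides which configurations are active by evaluating activation predicates
against its own status.  Added illustration, not Apple's implementation."""
import json
import re

# Constructed sample declarations.  Apple-documented pieces: the Type/Identifier/
# ServerToken/Payload envelope, com.apple.configuration.passcode.settings,
# com.apple.activation.simple and the @status(passcode.is-compliant) predicate.
# Hypothetical pieces (for illustration only): the example.configuration.* types
# and the user.role status key.
DECLARATIONS = [
    {"Type": "com.apple.configuration.passcode.settings", "Identifier": "cfg.passcode",
     "ServerToken": "v1", "Payload": {"RequirePasscode": True, "MinimumLength": 8}},
    {"Type": "example.configuration.wifi", "Identifier": "cfg.wifi",          # hypothetical type
     "ServerToken": "v1", "Payload": {"SSID": "Corp-WiFi"}},
    {"Type": "example.configuration.app", "Identifier": "cfg.app.teacher",    # hypothetical type
     "ServerToken": "v1", "Payload": {"BundleID": "com.example.gradebook"}},
    {"Type": "example.configuration.app", "Identifier": "cfg.app.student",    # hypothetical type
     "ServerToken": "v1", "Payload": {"BundleID": "com.example.homework"}},
    # Activations: each names the configurations it governs and, optionally,
    # a predicate over device status that must hold before they apply.
    {"Type": "com.apple.activation.simple", "Identifier": "act.passcode", "ServerToken": "v1",
     "Payload": {"StandardConfigurations": ["cfg.passcode"]}},
    {"Type": "com.apple.activation.simple", "Identifier": "act.wifi", "ServerToken": "v1",
     "Payload": {"StandardConfigurations": ["cfg.wifi"],
                 "Predicate": "@status(passcode.is-compliant) == true"}},
    {"Type": "com.apple.activation.simple", "Identifier": "act.teacher", "ServerToken": "v1",
     "Payload": {"StandardConfigurations": ["cfg.app.teacher"],
                 "Predicate": '@status(user.role) == "teacher"'}},   # user.role is hypothetical
    {"Type": "com.apple.activation.simple", "Identifier": "act.student", "ServerToken": "v1",
     "Payload": {"StandardConfigurations": ["cfg.app.student"],
                 "Predicate": '@status(user.role) == "student"'}},   # user.role is hypothetical
]

# Deliberately tiny predicate grammar: clauses of the form
# "@status(key) == <JSON literal>" joined by " AND ".  This regex evaluator
# is a stand-in for Apple's NSPredicate engine, not that engine.
_CLAUSE = re.compile(r"^@status\(([\w.\-]+)\)\s*==\s*(.+)$")


def evaluate_predicate(predicate, status):
    """Return True when every clause of `predicate` matches the device `status`.
    A missing predicate means the activation is unconditional.  Unknown syntax
    is rejected rather than silently treated as true, so a typo in a predicate
    cannot accidentally activate a configuration."""
    if not predicate:
        return True
    for clause in predicate.split(" AND "):
        match = _CLAUSE.match(clause.strip())
        if match is None:
            raise ValueError(f"unsupported predicate clause: {clause!r}")
        key, literal = match.group(1), match.group(2).strip()
        if status.get(key) != json.loads(literal):
            return False
    return True


def active_configurations(declarations, status):
    """Identifiers of the configurations the device would have active right now."""
    configs = {d["Identifier"] for d in declarations
               if not d["Type"].startswith("com.apple.activation.")}
    active = set()
    for decl in declarations:
        if decl["Type"] != "com.apple.activation.simple":
            continue
        if not evaluate_predicate(decl["Payload"].get("Predicate"), status):
            continue
        for ident in decl["Payload"]["StandardConfigurations"]:
            if ident not in configs:
                raise KeyError(f"{decl['Identifier']} references unknown configuration {ident}")
            active.add(ident)
    return active


def status_report(old_status, new_status):
    """The status items the device would push to the server after a local change
    (the device reports; the server does not poll)."""
    return {k: v for k, v in new_status.items() if old_status.get(k) != v}


def simulate_passcode_flow(declarations, role="teacher"):
    """Device receives the full declaration set once, then reacts locally when the
    user sets a compliant passcode.  Returns (active_before, active_after, report)."""
    status = {"passcode.is-present": False, "passcode.is-compliant": False, "user.role": role}
    before = active_configurations(declarations, status)
    # The user creates a passcode that satisfies cfg.passcode; the device observes
    # its own status change without contacting the MDM server.
    new_status = dict(status, **{"passcode.is-present": True, "passcode.is-compliant": True})
    after = active_configurations(declarations, new_status)
    return sorted(before), sorted(after), status_report(status, new_status)


if __name__ == "__main__":
    before, after, report = simulate_passcode_flow(DECLARATIONS)
    print("active before passcode:", before)
    print("active after passcode: ", after)
    print("status report sent:    ", report)
```

Running the script shows the Wi-Fi configuration absent from the active set before the passcode exists and present afterwards, with the only traffic to the server being the status report listing the changed items; changing `role` to `"student"` swaps which app configuration the same declaration set activates, which is the per-user selection the article describes.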

These are significant improvements, and it’s easy to see why these are the first additions to declarative management after its initial rollout. There are still MDM capabilities that haven’t made the leap to declarative use, but it’s obvious that they will eventually – perhaps as early as next year.

This is one of WWDC’s most important business announcements and it’s good to see that Apple put some thought into it when deciding which features to add or update as most of them address difficult, time-consuming, resource-intensive or tedious domains. Apple not only meets the needs of enterprise customers, but demonstrates that it understands those needs.

Copyright © 2022 IDG Communications, Inc.