Posts

Post not yet marked as solved
9 Replies
2.5k Views
Notes from What's new in managing Apple Devices (Tuesday, June 8th 2021): https://developer.apple.com/forums/thread/681765
Posted by rtrouton.
Post not yet marked as solved
0 Replies
847 Views
Question: Will we be able to manually add macOS Monterey devices into Automated Device Enrollment similarly to how we can manually add iOS devices using Apple Configurator?
Answer: Use Apple Configurator for iPhone for this. For more information, please see the following link for the "Manage Devices with Apple Configurator" session video: https://developer.apple.com/wwdc21/10297

Question: Will Apple provide a way to configure Automated Device Enrollment so that macOS Monterey Macs cannot skip the device enrollment process?
Answer: Not at this time. Please submit feedback if you want this feature.

Question: Will Apple provide a method of being able to re-trigger the enrollment check at the macOS Monterey Setup Assistant if the remote management screen does not appear? Reasons it may not appear may include network issues, device was incorrectly assigned in Apple Business Manager or Apple School Manager, MDM issues etc.
Answer: This should be do-able. Please submit feedback if you want this feature. This also sounds like a good idea for iOS, please submit feedback if you want to see this feature on iOS as well.
It was suggested that the feature to trigger the re-checkin should only be available on the Setup Assistant screen which appears in place of the Remote Setup screen. The reason is that, if you get further into Setup Assistant, you may set up your account or make choices for your Mac's settings which conflict with the settings your MDM server has for Automated Device Enrollment.

Question: What are Apple's plans, if any, to support using Apple's own two-factor authentication system (not the two step one which uses SMS) to log into a Mac running macOS?
Answer: Apple does not discuss future plans. Please submit feedback if you want this feature. Apple School Manager does include the ability to generate verification codes. If you want to have Apple Business Manager support a similar feature for ABM's Managed Apple IDs, please submit feedback for this feature.

Question: What are Apple’s plans, if any, to support Azure AD workplace join as a replacement for on-premise Active Directory binding?
Answer: Apple does not comment on future plans. Please submit feedback if you want this feature.
Posted by rtrouton.
Post not yet marked as solved
0 Replies
1k Views
I took notes during the "Move Beyond Passwords" session. If interested, please see the attached "Notes from session": Notes from session

For the session video, please see the following link: https://developer.apple.com/wwdc21/10106
Posted by rtrouton.
Post not yet marked as solved
0 Replies
700 Views
Question: As of macOS Big Sur, it is not required for an installer package to be signed or notarized in order for it to be installed via Installer.app or the installer command line tool. Is this still the case on macOS Monterey? If it is not, what requirements have changed?
Answer: Restrictions are the same as on macOS Big Sur for installer packages with regards to notarization.

Question: Is there any additional guidance from Apple on the installation and use of multiple solutions using System Extensions and/or Network Extensions when it comes to co-habitation? For example, is it supported by Apple to have two "Network Filters" (each managed by a separate application) installed and active?
Answer: Having multiple network system extensions installed is supported by Apple. Multiple content filters are supported on iOS and macOS:
- iOS: 2 filters maximum
- macOS: 8 filters maximum

Question: As of macOS Big Sur, it is not required for an application to be signed or notarized in order for it to be installed or run on an installation of macOS with Apple's full security settings enabled. Is this still the case on macOS Monterey? If it is not, what requirements have changed?
Answer: Restrictions on macOS Monterey are the same as on macOS Big Sur for applications with regards to signing and notarization.

Question: What are Apple’s plans, if any, to support Azure AD workplace join as a replacement for on-premise Active Directory binding?
Answer: We see you're also signed up for the Friday Security lab, we'll see if we can get this question answered there.

Question: What are Apple's plans, if any, to support using Apple's own two-factor authentication system (not the two step one which uses SMS) to log into a Mac running macOS?
Answer: We see you're also signed up for the Friday Security lab, we'll see if we can get this question answered there.
Posted by rtrouton.
Post not yet marked as solved
0 Replies
702 Views
Question: Will Apple be eliminating the use of kernel extensions on macOS Monterey?
Answer: No. In general, restrictions are the same as on Big Sur but as Apple adds new APIs for system extensions, new restrictions may be added for kernel extensions. If kexts are whitelisted by MDM, behavior is the same as on Big Sur.

Question: Does Apple have any plans to support “managed” migration assistant so supervised devices can easily transfer user data from old to new Macs without compromising MDM enrollment? Managed with a profile to ensure only specific data can be migrated would be very helpful.
Answer: Not at this time, please submit feedback if you want this feature.

Question: Is there any additional guidance from Apple on the installation and use of multiple solutions using System Extensions and/or Network Extensions when it comes to co-habitation? For example, is it supported by Apple to have two "Network Filters" (each managed by a separate application) installed and active?
Answer: Having two network filters installed and active is supported by Apple. Consult with your vendor or vendors for best practices.

Question: Can admins enforce software update deferrals for X number of days after they’re released by Apple, rather than X number of days after a given device first sees the software updates?
Answer: Software deferral is based on the date metadata associated with the update and that's in macOS today.

Question: Can admins force Mac users to install software updates on macOS Monterey without interrupting users with a surprise reboot? Desired state is to gracefully prompt users to install mandatory updates, but also have those updates have an admin-chosen deadline where the updates get installed automatically without further deferral.
Answer: There are a number of changes in macOS Monterey which address these concerns. Please see the "Manage software updates in your organization" session video. One change is that you can schedule using the marketing version number instead of a product key. For example, you can now specify "macOS 12.1" instead of a specific product key.

Question: Are printer drivers still supported in macOS Monterey?
Answer: Yes.

Question: Since Apple Silicon Macs technically can support NetBoot, can NetBoot be restored as a device provisioning tool?
Answer: NetBoot is not supported as a mechanism for macOS provisioning on Apple Silicon Macs.

Question: What are Apple’s plans, if any, to support Azure AD workplace join as a replacement for on-premise Active Directory binding?
Answer: Apple can't comment on future plans. Please submit feedback if you want this feature. Apple does offer the Kerberos extension for connecting to on-premise Active Directory.
Posted by rtrouton.
Post not yet marked as solved
0 Replies
1.4k Views
I took notes during the "Notes from Meet Declarative Device Management" session. If interested, please see the attached "Notes from session": Notes from session

For the session video, please see the following link: https://developer.apple.com/wwdc21/10131
Posted by rtrouton.
Post not yet marked as solved
5 Replies
4.7k Views
Kernel extensions

Problems:
- Difficult to develop and debug
- Stability problems for system
- Security problems for system

Introducing System Extensions and DriverKit
- New as of Catalina
- Similar to kext, but runs in user space; outside the kernel.

Network extensions

Endpoint Security extensions
- Replacement for Kauth event monitoring

Driver extensions
- Control hardware devices
- Uses DriverKit, which replaces IOKit

Deprecating kernel extensions:
- macOS Catalina will be the last OS version to run kernel extensions without compromise.
- Installing third party kernel extensions on macOS Catalina now requires that you restart your Mac before they’re permitted to load.
- As System Extensions and DriverKit adds functionality, kernel extensions with matching functionality will not load.

System Extensions
- Always part of the app
- No such thing as a "standalone system extension"
- Distribute via the MAS or Developer ID (MAS deployment not previously possible with kernel extensions.)

Sign System Extension with a Developer ID or MAS certificate
- Developer ID for Kernel Extensions certificate is no longer required.

System Extension with a Developer ID must be notarized

Installation
- No installer or package is necessary, System Extension is inside the app bundle.

Use the new SystemExtension lifecycle is managed by the system
System Extension will be stopped and started as needed.

Uninstallation
- Moving app to the trash deactivates all of its extensions. No special uninstall process is needed.
Posted by rtrouton.
Post not yet marked as solved
2 Replies
824 Views
What's New in Education

Yay, developers. You made a lot of apps for education.

Apple Schoolwork
Enables teachers to share materials, assign activities and track student progress. Latest version of Schoolwork has a new design, which makes it easier to switch between Handouts and Students view. The Chooser now has more metadata options available for listed activities, including thumbnails and summaries.

Adopt the ClassKit framework. ClassKit allows your app to report information into Schoolwork. ClassKit by default secures student data and only makes it available to privileged users, like teachers. Activities can only be tracked if assigned via a Schoolwork Handout. Learn more about ClassKit and the new ClassKit Catalog API by watching the "What's New in ClassKit" session video.

Apple School Manager (ASM)
IT admins can create classes and manage account credentials. Enrolling devices into MDM is made simpler by Automated Device Enrollment.
- Enroll devices and streamline their setup
- Buy apps and books for students
- Distribute custom apps
- Create Managed Apple IDs for students
- Assign privileges to IT team members

ASM, Classroom and Schoolwork integration
ASM-created classes are available in Classroom and Schoolwork. Updates from ASM are synced down to Classroom and Schoolwork. When students sign in with their Managed Apple ID (MAID), they will automatically show up in Classroom and be able to access their classes in Schoolwork.

Classroom is also adding features
Teachers can launch the same app on the whole class's iPads, or launch different apps for different groups. Teachers can also monitor what is showing on each iPad's screen. If the app is Classwork-enabled, the teacher can launch an app and have the correct activity already open. Teachers can invite students to a class using a four-digit code and use AirPlay to display that code on an Apple TV.

Shared iPad
All student data should be synced from the cloud and not available on a shared iPad after the student logs out of that iPad.

Shared iPad Temporary Session
Enables schools to deploy devices with standard configurations which students can use without having sign-in credentials. This allows the use of a Shared iPad in situations where a student's account may be having problems or not yet created. They can use the shared iPad, then sign out and have all the data be cleared from that iPad. For MDMs, there's an option to disable Temporary Sessions.

For macOS, Apple is introducing a new Automatic Assessment Configuration Framework. A similar framework called UIKit Assessment has been used on iOS for standardized tests since 2016 and it's being brought over to macOS to take advantage of Mac's more powerful capabilities. The Automatic Assessment Configuration Framework enables tests to be delivered to students without allowing those students to use features of the Mac which may give them unfair advantages while taking tests. The Framework is available in iOS, macOS and also supports Catalyst.

Test takers are locked into the testing app and features like the ones below are disabled for the duration of the test:
- Screen Sharing
- Universal Clipboard
- Dictation

Learn more about the Automatic Assessment Configuration Framework by watching the "What's New in Assessment" session video. If you decide to incorporate the Automatic Assessment Configuration Framework into an app, you will need to use a new entitlement, so see the Automatic Assessment Configuration Framework documentation for more details. On iOS, the UIKit Assessment mode has now been deprecated.
Posted by rtrouton.
Post not yet marked as solved
1 Replies
1k Views
Testing pre-release software

Public beta - available to all users who sign up at beta dot apple dot com. Geared towards reporting livability and/or general use issues. Updates in this program can be less frequent than other beta seed releases.

Public beta seeds released for the following platforms:
- iOS
- iPad OS
- macOS
- tvOS
- watchOS (new this year)

Developer beta - seeding program geared towards app developers

Appleseed for IT beta - seeding program geared towards IT professionals in enterprise and education. AppleSeed for IT testers provide feedback to Apple on how Apple's pre-release tools and frameworks act in the testers' environments. Apple is particularly interested in identifying deployment blockers, as those would prevent deployment of the latest OS when Apple releases.

To enroll into AppleSeed for IT:
- Create a managed Apple ID (MAID)
- Associate your work email with the MAID, so you can receive communications from AppleSeed.
- Log into appleseed.apple.com with your MAID.

To enable devices to test pre-release software, Apple has made the following tools available:
- iOS / iPad OS: configuration profile available from appleseed.apple.com
- macOS: macOS beta access utility

Report any issues discovered in testing via the Feedback Assistant app.

Collaboration
- Other Appleseed for IT participants and teammates
- Field engineering
- AppleCare

With an AppleCare for Enterprise or AppleCare OS support agreement, customers can request testing assistance from an AppleCare account manager or an Apple systems engineer.

Filing feedback for your organization:
- File immediately after the issue occurs with the device it occurs on. This helps ensure the relevant logs are gathered.
- Gather logs and note the time.
- Include the steps to reproduce the problem.
- If possible, include screenshots and/or screen recordings showing the issue.

New features in Feedback Assistant

Feedback Assistant is available on the following:
- iOS
- iPad OS
- macOS
- Website

Teams for Feedback Assistant:
Teams allows members of an organization to work together on feedback with Apple. Teams are configured by Apple Business Manager or Apple School Manager, for AppleSeed for IT and in App Store Connect.

Members of the team can:
- See feedback submitted by others in the team
- See responses from Apple
- Participate in the feedback conversation.
- Reassign feedback to other team members

Multi-device diagnostics
- Initiate feedback from an iPhone or iPad
- Collect logs from multiple devices
- All devices must be signed into iCloud.
- When feedback is submitted, the diagnostics upload from each device directly to Apple.

Managing software updates:
- Control over updating Apple devices
- Update compatibility with your company, school or institution
- Consistent deployment across devices

Contain critical improvements for stability, performance and security. Organizations should do their best to deploy updates as swiftly as possible.

MDM command to update devices to the latest OS version
- Choose to download only, or download and install.
- Only updates which are still being signed by Apple are permitted for installation.
- In order to use MDM to remotely update the OS on the device, supervision is required.
- For iOS / iPad OS: Passcode will need to be entered before OS update takes place.

Deferring software updates: iPad OS, iOS and tvOS
- MDM restriction available which defers over-the-air software updates
- Default delay is 30 days
- Delay can be overridden and specified as being a value between 1 day and 90 days.
- Once the delay expires, the next update in the deferral window is evaluated.
- Next update will either be deferred itself or presented immediately for installation.

No downgrades or rollbacks
- Reverting to an older OS involves wiping the device
- Apple only supports updating devices to newer version of the OS.
- Apple signs its software for production use and older releases may have their signing revoked to ensure that customers are not susceptible to downgrade attacks.

On macOS, automatic checking for updates, download and installation of updates is controlled via the settings in the Software Update preference pane in System Preferences. These settings are manageable via MDM.

For macOS, the deferral process is similar to the process used on iOS/iPad OS/tvOS. A profile may be deployed to defer updates up to 90 days.

Unique features in macOS:
- Deferred updates are transparent to the user in System Preferences
- Once an update is past the deferral window, the user receives a notification and the update will be visible in System Preferences.
- Deferring software updates does not require being supervised
- Updates are deferred by date, not version number. This allows the deferral of multiple software updates in succession rather than deferring only one update at a time.

Changes to managed software updates
- Support for deferring software updates during beta seeding in macOS Big Sur 8
- Support for deferring major releases was introduced in macOS Catalina 10.15.4

Securing software updates
- Unification of installation technologies across iOS and macOS
- Snapshot-based updates
- Snapshot of the system volume is taken and the snapshot is updated while the user is using their Mac.
- Snapshots are cryptographically sealed using authenticated APFS. This allows verification on boot that the user system matches what was delivered to the Mac by Apple.
- Cryptographically sealed system volume
- Remotely driven updates

Removals
- Custom catalog support has been removed
- The installation catalog will be managed by Apple
- No longer possible to ignore updates indefinitely
- Ignore is supported in these releases if the device is supervised:
  - macOS Catalina 10.15.6
  - macOS Mojave 10.14.6 (following installation of the Mojave security updates released along with 10.15.6)
Posted by rtrouton.
Post marked as solved
12 Replies
1.4k Views
Notes from What's New in Apple Device Management (Tuesday, June 23rd, 2020): https://developer.apple.com/forums/thread/650065
Posted by rtrouton.
Post not yet marked as solved
0 Replies
659 Views
Question: Are there changes to how Secure Token is granted on Intel Macs running Big Sur, as opposed to how Secure Token is granted now on Intel Macs running Catalina?
Answer: No change to how Secure Token is granted on Intel Macs on Big Sur, as compared to on Intel Macs running Catalina.

Question: Will there be differences in how Secure Token is granted on Macs running Big Sur on Apple Silicon?
Answer: No change to how Secure Token is granted on Apple Silicon Macs on Big Sur, as compared to on Intel Macs running Catalina.

Question: Will FileVault authenticated restarts work differently on Apple Silicon, as opposed to how they work now on Intel Macs? If yes, what are the differences?
Answer: Authenticated restart is now entirely handled by Secure Enclave on Apple Silicon, as opposed to the SMC chip on non-T2 Intel Macs and Secure Enclave / Effaceable Storage on T2 Macs. On Apple Silicon, the authrestart token is one-time and cannot be used multiple times. fdesetup's behavior (including authrestart) should be consistent across both Intel Macs and Apple Silicon.

Question: In the Building an Endpoint Security app session, it was mentioned that the Endpoint Security framework is meant to be a replacement for OpenBSM audit trails. Is OpenBSM still present in Big Sur? If not, is there a built-in audit tool which replaces it?
Answer: OpenBSM is still in Big Sur, but is now deprecated.
Posted by rtrouton.