Posts

0 Replies
708 Views
The Endpoint Security framework is meant to be a replacement for:
- Kauth API
- Unsupported Mac kernel framework
- OpenBSM audit trail

Kernel extensions are bad, m'kay? Using the Endpoint Security framework to build ES system extensions is what developers should be doing now.

Several types of system extensions are supported:
- Network - used for VPNs, content filters, etc.
- DriverKit - Controlling hardware
- EndpointSecurity - targeted at endpoint detection and response products

Benefits of using EndpointSecurity:
- Protected by System Integrity Protection (SIP)
- LaunchD job protection
- Launch before third party applications

For EndpointSecurity architecture details, I recommend watching the session video.

Runtime requirements:
- Entitlement: com.apple.developer.endpoint-security.client
- Docs: https://developer.apple.com/system-extensions

System Extensions require an additional requirement for the containing app bundle. For more details, see the documentation linked above.

System extensions also require approval from the user to complete installation, unless whitelisted by a system extension whitelist profile from an MDM server.

Privacy - in order to increase user privacy, applications must obtain user consent for Full Disk Access, unless Full Disk Access permission is granted by a Privacy Preferences Policy Control profile from an MDM server.

Network Events
The EndpointSecurity framework does not provide events related to networking operations. This is intentional, as these events are better covered by the NetworkExtension framework. There is a minor exception which is related to Unix domain sockets. The EndpointSecurity framework does provide events for this exception.

It is possible to combine the EndpointSecurity and NetworkExtension frameworks into a single unified System Extension. For this use, the system extension APIs and install flow should be used for system extensions which are of a single extension type.

macOS Big Sur includes improvements for efficiency and speed over macOS Catalina and the Endpoint Security framework. Most requested data access points will be added by Apple as appropriate.
Posted by rtrouton.
1 Replies
664 Views
Question: Will Apple offer In-App Purchase via VPP / Apple Business Manager?
Answer: No, Apple will not be offering that.

Question: Will the VPP redownload call time out ( <MDM Client Error 72> ) be fixed for macOS devices running Big Sur?
Answer: We're not familiar with this one, can you check back with us again in the next available lab on Friday?

Question: Will Apple offer the ability to deploy iOS / iPad OS apps via VPP on macOS Big Sur?
Answer: Yes, on Macs running Apple Silicon (assuming the MDM vendor supports it.)
Posted by rtrouton.
0 Replies
644 Views
Security lab:

Question: It looks like Apple Silicon will be incorporating Secure Enclave into the new System on a Chip (SOC) architecture. Does Secure Enclave on SOC work like Secure Enclave does today on the separate T2 chip?
Answer: Yes, Secure Enclave will work the same. You shouldn't be able to tell the difference.

Question: Will FileVault on Apple Silicon work like it does today on an Intel Mac equipped with a T2 chip? In particular, will FileVault be instantly on / instantly off like it is on an Intel Mac equipped with a T2 chip?
Answer: No changes, Apple Silicon FileVault will work like it does today with T2 Macs.

Question: Will Gatekeeper apply to installer packages downloaded via curl from the command line, where non-signed or notarized packages would be blocked? Or would Big Sur continue to use the same behavior as macOS Catalina, where non-signed or notarized packages are not blocked?
Answer: No expected changes with how quarantine works. Curl will not start attaching quarantine metadata. The same behavior we see today on Catalina will apply to Big Sur.
Posted by rtrouton.
0 Replies
662 Views
Question: Is Apple adding any restrictions to the Installer process to prevent abuses of preinstall scripts, such as those seen used by Zoom? For context, Zoom's preinstall script would detect if your account had admin privileges and do the following during the installation check phase:
A. Install the Zoom app without requesting admin credentials.
B. Kill the Installer process.
C. Launch the Zoom app
Answer: Apple cannot comment on future plans, but they are aware of the problem. At this time, no changes.

Question: What is the best practice for signing and notarizing packages you build of third-party applications? For context, some vendors prefer to build their own applications to install their apps, rather than using an installer package. It is possible to package up the installer application, then use a postinstall script associated with the installer package to run the vendor's installer application using command line tools. In this case, the vendor would have signed and notarized their installer application, but I would also like to sign and notarize my installer package so that Gatekeeper is OK with it.
Answer: It should be fine to sign and notarize the installer package, the notarization of the third-party application should be fine and there shouldn't be a conflict.

Question: Why do payload-free packages need to be notarized? There's no payload.
Answer: What's in an installer package is recorded during notarization of that installer package. That's when Apple can say for certain whether they've detected something malicious inside an installer package.
Posted by rtrouton.
0 Replies
696 Views
Question: For Automated Device Enrollment customization using identity providers like Azure AD, Ping or Okta, how is the use of multi-factor authentication being supported? For context, when I log into certain services in my shop using Azure AD, I'm requested to then open the Microsoft Authenticator app on my iPhone and do something (like hit an Approve button, enter a displayed code, get a code from SMS, etc.) How does the enrollment customization handle that?
Answer: You can host whatever WebUI you want for your modern authentication view. It shouldn't matter because all ADE is providing a web browser-like view to host whatever URL is needed for your modern authentication, then the modern authentication actions all take place within the web UI window. Once the MDM profile is downloaded and installed, the web view is automatically dismissed.

Question: Related - Does your MDM also need to be set up for that same identity provider as the one you're using in ADE, or can it be separated? For context, my shop uses SAP Cloud Identity for its identity provider, but our MDM doesn't really support Cloud Identity so it is using Azure AD instead. Does that mean I can't use Cloud Identity for ADE Enrollment customization?
Answer: Technically, it can be different but it would make for a complex setup and potentially fragile. Ideally, the MDM server is also going to be handling the ADE authentication with the same modern authentication used for the MDM's authentication.

Question: Will we ever be able to manually add macOS devices into DEP similarly to how we can add iOS devices using configurator?
Answer: Apple cannot comment on future plans. File Feedback to request this.

Question: Any plans to add sign in with Managed Apple IDs from the login window?
Answer: Apple cannot comment on future plans. File Feedback to request this.

Question: Will macOS ever require internet connectivity to be provisioned so that Macs cannot skip the device enrollment process?
Answer: Apple cannot comment on future plans. File Feedback to request this. User approved MDM will provide supervision on macOS Big Sur now, which may address this.

Question: Can we bring back an easier way of renewing the enrollment profile through Recovery? For context, we have received numerous Macs directly from Apple where we have had to "renew" the enrollment profile before DEP/ADE would recognize the device was associated with our MDM. As of 10.15, the process to achieve this became quite cumbersome.
Answer: As of now, the only viable solution is to wipe and reload the OS. File Feedback to request this.

Question: During the keynote and state of the union it was shown that app store iOS apps can be run on Macs with Apple silicon. Would this also apply to in-house/enterprise apps? Can we just copy an .ipa file to a Mac and double click it?
Answer: Yes, it should be possible to run any iOS apps, including in-house apps. It should work to just double-click, but test this out and post questions to the Developer Forums to get confirmation.
Posted by rtrouton.
1 Replies
1.5k Views
What's New in Managing Apple Devices

Starting with managing and deploying macOS Big Sur

Automated Device Enrollment
Enrollment customization allows the use of various IdPs for authentication:
- Azure Active Directory
- Okta
- Ping
More IdPs will work, but they aren't specified.
Information from the authentication pane can be used to populate the user's full name (aka Display Name) and the account shortname.
Apple also provides the ability to choose if user channel management should be used (?)
Setup Assistant can be customized to show or hide various windows.
ADE allows Macs running Big Sur to be automatically supervised during activation.

Zero-touch ADE setup has been available for Apple TVs for a while and the capability is now coming to the Mac as well. All setup screens are skipped and the Mac goes directly to the OS's login window.

Auto Advance for Mac
Requirements:
- Power
- Ethernet connection with DHCP
- MDM solution with Apple Business Manager / Apple School Manager
If using encrypted disks (FileVault), you will be required to enter the password to unlock the drive's encryption.

Lights Out Management for Mac Pro
Remotely startup, shutdown and reboot Mac Pro
Requirements:
- MDM server
- MDM-enrolled Lights Out Management (LOM) Controller
- macOS Big Sur
LOM Controller and Mac Pro being controlled must be on the same subnet and IPv6 must be active.
For diagrams showing how LOM works, see session video.

User-approved MDM
On previous versions of macOS, User Approved MDM could not be supervised. This has changed on macOS Big Sur. Any Mac enrolled in a user-approved MDM will now be considered supervised.
Supervision for user-approved MDM:
- Control Activation Lock bypass
- Bootstrap tokens for FileVault
- Query, list and delete local users
- Remove or replace profiles
- Install restrictions via MDM which are restricted to Supervised status.
- Schedule software updates

Managed Software Update
- Force software updates
- Defer major OS updates for 90 days
- Defer non-OS updates for 90 days
- Removal of the software update catalog
- Removal of the Ignore Flag
Force software updates = Force Macs to accept software updates and subsequently reboot.
Removal of the Ignore Flag is for major updates only.

Managed Mac apps
- Apps can be removed by MDM command and on un-enrollment
- iOS-style managed app configuration and feedback is now supported on macOS
- MDM can convert an unmanaged app to a managed app
- Managed App conversion is not supported for user enrolled devices.

Content Caching:
- Support has been added for hosting Internet Recovery
- The initial boot image for Internet Recovery isn't included but the full 6 GB recovery image is cached by the caching service.
- New MDM command for Content Caching: Content Caching Information
- Tethered caching via profile

Security improvements
More functionality for bootstrap tokens
Bootstrap token: Reserved encryption key provided by your MDM server. It allows your MDM to create admin accounts without needing to authenticate with an admin password. Bootstrap tokens enable user accounts to get a Secure Token, which is necessary to enable an account for FileVault.
Bootstrap Tokens:
- Enable users to get Secure Token
- Supported on latest Macs with T2 chips
- Authorize software updates and kernel extensions

Profiles
Automated installation of profiles can now only be performed by an MDM. The profiles command line tool will no longer be able to install profiles.
Downloaded Profiles
- Brought over from iOS
- Workflow designed to prevent mistaken or malicious installation
- User must manually install profiles
- User has the option of ignoring and not installing the profile
- Downloaded profile remains visible and available in the Profiles preference pane for eight minutes.
When using command line tools to install profiles, the profile will be treated as if it were downloaded and you'll have to complete the install in the Profiles preference pane.
Profiles command line tool functions remain the same, with the exception of installing profiles.

networksetup command line tool limitations for standard users
Previously, both standard and admin users had control over the networksetup command line tool. Now, certain limitations have been put in place for standard users.
Limited for standard users:
- Read network settings
- Turn WiFi power on and off
- Change the WiFi access point
Admins should use sudo to use networksetup's non-limited capabilities.

Automated Device Enrollment uses serial numbers to identify Macs. To address identifiable information in serial numbers, Apple is changing its serial number format.
Serial number format change:
- Alphanumeric string of 10 characters
- Current products will use existing format, while new products may use the new format.

macOS Management updates:
Configuration Profile Updates:
- Accessibility Greyscale key deprecated
- Associated Domains option to allow direct downloads
- Configure Lights Out Management
- Downloaded profiles require manual install via the Profiles preferences pane.
- Single Sign-On extension supports the User channel
- VPN App Mapping updates
- VPN Added Maximum Transmission Unit
New Restrictions
- Force Delayed App and Software Updates
New MDM Commands
- Content Caching information
- Bootstrap Token status
- Force restart for Software Updates
- Gather Managed App Feedback and App List
- Install and Remove Managed Apps
- LOM Setup Request and Device Request
- Specify short name for local account
- Supported LOM Device

iOS
- Enable direct downloads for internal websites
- WiFi MAC Address access control
- Managed Open in Shortcuts
- Encrypted DNS
- SCEP key size supports 4096 bits
- Locations for Apps and Books
- MDM Certificate Pinning
- Skip Setup Assistant panes
- List eSIM Identifier
- Shared iPad for Business
- Notifications Privacy
- Multiple printers over AirPrint
- Allow App Clips restrictions
New Restrictions
- Set Time Zone
- Per Account VPN
- Setup Assistant Configuration
- Shared iPad Temporary Session
- Scalable cfgutil

Apple Configurator now supports Apps and Books Locations, where Locations are different places where devices are kept. Admins can assign different sets of apps and books for each Location.
cfgutil is now more scalable and supports more devices.
Setup Assistant skip keys have been brought over to iOS from macOS. Skipping setup assistant panes during upgrades is now possible for all supervised mobile devices, not just those enrolled with ABM/ASM.
Posted by rtrouton.
1 Replies
2.8k Views
Question: For current Enterprise Connect users, how can we transition our current setup to use Single Sign On?
Answer: Apple Professional Services will be in touch with Enterprise Connect customers this summer.

Question: Current Enterprise Connect users can use Enterprise Connect to run scripts. Does Single Sign On also have this functionality?
Answer: Yes, but it will work differently and we think it will work better. Instead of Enterprise Connect, launchd will be running the script(s).

Question: How can companies, schools or institutions supervise non-DEP macOS devices? The reason is that DEP is not in every country yet, so it's sometimes impossible to get Macs into DEP even if the company is otherwise using DEP.
Answer: Right now, the answer is that we need to get DEP into those countries that don't have it.

Question: In the Managing Apple Devices session, it was stated that whitelisting and blacklisting of applications and locations would be deprecated, with a reference being made to the Parental Controls mechanism. For system admins who are currently using a configuration profile to accomplish this, what technology replaces this functionality in Catalina?
Answer: It's deprecated, but there's no direct replacement at this time. If you're using an MDM, talk to your MDM vendor to see what that vendor can provide as a replacement.

Question: System Extensions appear to still require user approval to load, like user-approved kernel extension loading (UAKEL). Does the UAMDM kernel extension whitelist also apply to System Extensions? If so, are there changes? If not, what replaces the kernel extension whitelist?
Answer: Great question, we're going to find out and get back to you.

Question: For the new System/Network extensions will vendors have a way to trigger the extension to register at install time? Example - New antivirus product gets installed, can a postinstall script run to register the system extension to start running without showing the application UI?
Answer: Great question, we're going to find out and get back to you.

Question: When a macOS MDM device upgrades to Catalina, what requirements does the device need to have in order to be considered Supervised? Is User Approved MDM enough to be considered supervised?
Answer: It needs to be enrolled using DEP, being in the DEP pool by itself is not enough. User Approved MDM is not considered supervised.

Question: Does User-approved MDM provide the ability to run MDM commands available only to supervised Macs?
Answer: No.

Question: One of the bootstrap token criteria states: "The Mac must be enrolled in an MDM solution associated with Apple School Manager or Apple Business Manager." Does this mean that this is for ONLY ABM-based MDM enrollments or does a UAMDM enrolled system whose MDM is also configured in DEP meet this requirement?
Answer: The bootstrap token is generated during the DEP-enabled Setup Assistant setup workflow and that's the only way it works. User Approved MDM does not meet this requirement.

Question: Is it possible to force enable FileVault encryption via MDM on login without user dialogs? If so, what needs to be set?
Answer: No. File a Radar to request this functionality.

Question: ETA on Federated Managed AppleIDs via GSuite login?
Answer: Apple can't comment on future release plans.

Question: Any plans to be able to login to the Mac with a Managed Apple ID?
Answer: Apple can't comment on future release plans.

Question: Will Apple ever offer more in-depth status information on https://www.apple.com/support/systemstatus/ for the Apple Business Manager system?
Answer: Apple is taking this feedback, please file a Radar for specific functionality.

Question: Will Apple add the status of the notarization service to their status board?
Answer: As long as the Developer ID Notary Service status is showing green on https://developer.apple.com/system-status/, the notarization service (including stapling) should be up.

Question: How will companies, schools or institutions block Activation Lock on non-DEP macOS devices? The reason is that DEP is not in every country yet, so it's sometimes impossible to get Macs into DEP even if the company is otherwise using DEP.
Answer: No, this requires supervision which means DEP enrollment. File a Radar to request additional functionality.

Question: Can the AutoSetupAdminAccounts option be used to create a local user which is enabled for MDM management? The desire is to have a local user account pre-configured with a password, but have it be on the “user channel” for MDM.
Answer: No, please file a Radar to request this functionality. That said, it may be possible to customize this workflow; talk to your MDM vendor. If possible, it would leverage the new enrollment customization.

Question: Is there any ability to manage Secure Tokens using UAMDM? (Create accounts with securetoken, enable for FileVault)
Answer: This happens via bootstrap tokens, which requires supervision (i.e. DEP enrollment.) User Approved MDM does not meet this requirement.

There are several commands to manually manage bootstrap tokens (all need root privileges to run and require the credentials of a Secure Token-enabled account):

Uploads bootstrap token to MDM server:
profiles install -type bootstraptoken

Shows whether the bootstrap token has been escrowed on the MDM server:
profiles status -type bootstraptoken

Makes sure that the bootstrap token that the MDM has can be used on the client:
profiles validate -type bootstraptoken
Posted by rtrouton.
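The three bootstrap token commands listed in the post above, wrapped in a small POSIX shell helper as an added example (this is not rtrouton's code and not an Apple-provided script): it classifies the output of `profiles status -type bootstraptoken` and only runs the interactive `profiles install` when no token is escrowed yet. It assumes the status output contains lines ending in "supported on server: YES|NO" and "escrowed to server: YES|NO", and that `profiles install -type bootstraptoken` prompts for the Secure Token-enabled admin credentials; the sample outputs in the block are constructed for offline testing, not captured from a Mac.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple. Wraps the
# `profiles ... -type bootstraptoken` commands so an admin script can decide
# whether escrow is needed before prompting for credentials.
#
# Assumption: `profiles status -type bootstraptoken` prints a line ending in
# "supported on server: YES|NO" and one ending in "escrowed to server: YES|NO".
# Adjust the grep patterns if your macOS release prints something else.

# Classify status output passed in as a string. Prints exactly one of:
#   unsupported   - the MDM server does not support bootstrap tokens
#   escrowed      - a token is already escrowed on the MDM server
#   not-escrowed  - the server supports it but this Mac has not escrowed one
#   unknown       - the output matched neither expected line
bootstrap_token_state() {
    status_text="$1"
    if printf '%s\n' "$status_text" | grep -qi 'supported on server: *NO'; then
        echo unsupported
    elif printf '%s\n' "$status_text" | grep -qi 'escrowed to server: *YES'; then
        echo escrowed
    elif printf '%s\n' "$status_text" | grep -qi 'escrowed to server: *NO'; then
        echo not-escrowed
    else
        echo unknown
    fi
}

# Run the real commands (macOS, root only) and escrow the token if needed.
# `profiles install -type bootstraptoken` prompts for the name and password of
# a Secure Token-enabled admin account (assumption), so run this interactively
# rather than from a non-interactive MDM agent. Returns nonzero when the check
# cannot be performed or the install fails.
ensure_bootstrap_token_escrowed() {
    if [ "$(uname)" != "Darwin" ] || [ "$(id -u)" -ne 0 ]; then
        echo "must run as root on macOS" >&2
        return 1
    fi
    state=$(bootstrap_token_state "$(profiles status -type bootstraptoken 2>&1)")
    case "$state" in
        escrowed)
            ;;
        not-escrowed)
            profiles install -type bootstraptoken || return 1
            ;;
        *)
            echo "cannot escrow: state is $state" >&2
            return 1
            ;;
    esac
    # Confirm the token the MDM holds is usable on this client (prints result).
    profiles validate -type bootstraptoken
}

# Constructed sample outputs (not captured from a real Mac) for testing the
# parser offline.
SAMPLE_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_NOT_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_UNSUPPORTED='profiles: Bootstrap Token supported on server: NO'

# Stand-alone run: on a root macOS shell perform the real check; elsewhere
# just show the parser on the constructed samples.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    ensure_bootstrap_token_escrowed
else
    for s in "$SAMPLE_ESCROWED" "$SAMPLE_NOT_ESCROWED" "$SAMPLE_UNSUPPORTED"; do
        bootstrap_token_state "$s"
    done
fi
```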
4 Replies
7.6k Views
Notes from Advances in macOS Security (Tuesday, June 4th at 9:00 AM): https://forums.developer.apple.com/message/362745
Notes from System Extensions and DriverKit (Tuesday, June 4th at 10:00 AM): https://forums.developer.apple.com/message/362746
Questions for Security lab (Tuesday, June 4th at 11:00 AM): https://forums.developer.apple.com/message/362750
Notes from All about Notarization (Tuesday, June 4th at 3:00 PM): https://forums.developer.apple.com/message/362907
Notarization lab questions (Tuesday, June 4th at 4:00 PM): https://forums.developer.apple.com/message/362910
Notes from Sign In with Apple (Wednesday, June 5th at 3:00 PM): https://forums.developer.apple.com/message/363182
Questions for Device management lab (Tuesday, June 4th at 10:00 AM) Part One: https://forums.developer.apple.com/thread/117417
Questions for Device management lab (Tuesday, June 4th at 10:00 AM) Part Two: https://forums.developer.apple.com/message/363283
Installer lab questions (Tuesday, June 4th at 2:00 PM): https://forums.developer.apple.com/message/363336
macOS 10.15 Activation Lock Tidbit: https://forums.developer.apple.com/message/363374
Notes from What's New in Apple File Systems (Wednesday, June 5th at 4:00 PM): https://forums.developer.apple.com/message/363443
Health and Fitness Technologies lab notes (Wednesday, June 5th at 4:40 PM): https://forums.developer.apple.com/message/363431
Questions for the Filesystems lab (Wednesday, June 5th at 5:00 PM): https://forums.developer.apple.com/message/363444
Notes from Advances in Networking Part 1 (Thursday, June 6th at 11:00 AM): https://forums.developer.apple.com/message/363701
Questions for Security lab (Thursday, June 6th at 2:00 PM): https://forums.developer.apple.com/message/363638
Notes from Advances in Networking Part 2 (Thursday, June 6th at 5:00 PM): https://forums.developer.apple.com/message/363791
Notes from Network Extensions for the Modern Mac (Friday, June 7th at 9:00 AM): https://forums.developer.apple.com/message/363912
Networking Labs questions (Friday, June 7th at 10:00 AM): https://forums.developer.apple.com/message/363913
Notes from What's New in Apple Device Management (Friday, June 7th at 11:00 AM): https://forums.developer.apple.com/message/363935
Questions for Device Management lab (Friday, June 7th at 1:00 PM): https://forums.developer.apple.com/message/363874
Posted by rtrouton.
2 Replies
4.2k Views
Same management tools for companies, schools or institutions
Balance security vs. privacy values
Apple's goal is to have Apple devices fit in to corp environments, while standing out because of Apple's device strengths.
Custom apps are coming to Apple School Manager (ASM)
Federated logins with managed Apple IDs are coming to Apple Business Manager (ABM)
ABM and ASM are now supported on iPads.
Apple Deployment Programs are being phased out at the end of the year, in favor of ASM / ABM.
Automatic enrollment in AppleSeed for IT for ASM / ABM managed Apple IDs.

Classroom:
Able to now manage student Macs in addition to iPads.
Bring existing iOS Restrictions to macOS.
- Allow remote screen observation
- Allow remote screenshot
New Hide Apps feature, where teacher hits Hide Apps button and students' iPads return to home screen.

Platform Parity for tvOS
Managed Software Updates
Force automatic date and time
Content Caching for screen savers

User Enrollment
BYOD - Don't want the admin to manage the entire device.
User Enrollment for BYOD
- New MDM enrollment option
- Better balance for BYOD
- Allows personal data to stay private
- Allows corporate data to stay secure
Managed Apple ID is required for user enrollment
- Apps and accounts use correct Apple ID
- Unenrolling removes Managed Apple ID
If using Federated logins for ASM/ABM, end user will use their own corp account's username and password to log in. The managed Apple ID will be using those credentials.
Corporate data is stored in the Managed Apple ID's iCloud account
Personal data is stored in the personal Apple ID's iCloud account

Data Separation
Managed APFS volume created during user enrollment
Unenrolling destroys the volume and its cryptographic keys used to encrypt it.
Managed APFS volume contains
- App containers
- Notes
- iCloud Drive documents
- Keychain
- Mail attachments and full email bodies
- Calendar attachments

User enrollment - protocol
Profile Service Profiles
UDID or other persistence device identifiers
- EnrollmentID
- EASDeviceIdentifier
Unlock Token in TokenUpdate

User enrollment - commands
EraseDevice, ActiveSync RemoteWipe - not supported
Managed results only:
- InstalledApplicationList
- CertificateList
- ProfileList
- ProvisioningProfileList
InstallApplication
- App is always removed on unenroll
- Enterprise app support

User enrollment - payloads
Per-app VPN
- MailDomains, ContactsDomains, CalendarDomains
Passcode - 6 digit, non-simple
WiFi - use WPAD for proxying
Defaults and Logging payloads are not supported.

User enrollment - Restrictions
Managed Open In, allowLockScreen and forceEncryptedBackup are supported
Any supervised restrictions are not supported
Ratings*, allowiCloud restrictions are not supported
User enrollments are also supported on macOS Catalina
- User enrollment with managed Apple ID
- Managed APFS volume

Certificate Transparency
Applies to all Apple platforms
Security enhancement
Opt out sensitive certificates or domains

APNS
Support token-based authentication

Device Enrollment Settings
Now always
- Supervised
- Mandatory
Use configuration profile restriction

Apple Remote Desktop
Enable and disable via MDM
Sets Remote Management to All Users
Enables options:
- Observe
- Control
- Show observe

Manage SecureTokens
- Allow mobile accounts to boot FileVault system
MDM server manages bootstrap token
Used to generate SecureToken when user signs in

Privacy Policy
Enable key loggers
Enable screen recording
Whitelist non-notarized internal apps

FileVault
Now requires user-approved MDM enrollment
- Can't pass username/password auth to fdesetup
- Changes may break scripts or MDM agents

Activation Lock
Clear Activation Lock via MDM
Same endpoint and API as iOS
Server APIs coming late
Coming later this summer

Deprecations
Non-UI profile installation
Parental Controls Application Access
User-channel-only enrollments
Deprecated Unsupervised Restrictions
For transition period
- Remain in effect after upgrade
- Not honored after backup and restore

Unlock Token - iOS
Available only in first successful token update after enrollment
Remember it and don't count on getting one later.

Single Sign-On
Too many methods, too many places
Why Single Sign On?
Suite of apps and web sites
Improved user experience
No passwords
Trust score data
What is Single Sign On?
iOS and macOS
Native apps and Safari
MDM managed
UI can be native, web or silent
Single Sign On is _not_ Sign In with Apple. Single Sign On is intended for use with corporate identity providers (Okta, Ping, Duo, Azure, etc.)

Redirect Extensions
Modern authentication
OpenID Connect, OAuth
What can the extensions do?
Native screen for authentication
Multifactor auth supported
Secure Enclave (SEP) generated keys
Trust score data
Federated authentication
WebAuthN
Native App - Redirect
Native Apps can send operations
Better fit into the app flow
Authentication library is not needed
Native - Redirect Extension

Credentials:
Credential Extensions
Challenge/response authentication
Kerberos
Custom challenges
HTTP challenge from OS
Hosts or host suffixes that apply to that extension
Operations are supported

Kerberos Extension
Included with macOS Catalina and iOS 13
Provides AD password management and local password sync
Smart card and certificate-based authentication support

Single Sign On Summary:
Enables Single Sign On for apps and websites
macOS and iOS
Two types available
Watch the Single Sign On video being released later.

Associated Domains
Can be managed via MDM
Not just for Single Sign On

Federated Authentication
Supports Azure AD
Managed Apple ID coming to ABM
User Enrollment requires managed Apple ID

Enrollment customization
Provide custom web UI for enrollment
Use for:
- Authentication
- Branding
- Consent text
- Privacy policy

Content caching
Configure for best effort vs. infrastructure
Tell devices to prefer specific caching servers

Documentation
Import new keys and values from code
Format matches developer documentation
Highlight changes in OS releases
Device Management Documentation
Link: https://developer.apple.com/documentation/devicemanagement
Posted by rtrouton.
0 Replies
894 Views
Question: When does Apple expect to implement fast roaming technologies for Wi-Fi (802.11k and 802.11r) into macOS?
Answer: The engineers who can answer this are unfortunately not at WWDC. File Radar with details on what you want information on.

Question: There are CoreWLAN bugs that cause the OS to report incorrect information on neighboring Wi-Fi networks. What's being done to fix this?
Answer: The engineers who can answer this are unfortunately not at WWDC. File Radar with details on what you want information on.

Question: Will macOS Catalina and/or iOS 13 have 802.11ax/WiFi 6 support?
Answer: No. File Radar for requested functionality.
Posted by rtrouton.
0 Replies
1.3k Views
New APIs available for Network Extension apps
- Content Filter
- Transparent Proxy
- DNS Proxy
- VPN
- Virtual Machine
- Custom Protocols

Content Filter app
Example: Personal firewall app
Example: Parental control app

System Extensions
Packaged inside your app
Managed by the OS
Easy to develop and debug
Run independently of any user
System Extensions require user approval to load, like user-approved kernel extension loading (UAKEL).

Content Filter
NetworkExtension Framework

Transparent Proxy
NetworkExtension Framework

DNS Proxy
NetworkExtension Framework

VPN
NetworkExtension Framework
includeAllNetworks - All traffic gets routed via the VPN. If VPN is unreachable, traffic is dropped.
excludeLocalNetworks - Allows traffic sent to local network to be excluded from VPN traffic.
Per-App VPN
- MailDomains
- CalendarDomains
- ContactsDomains

Virtual Machine
NetworkExtension Framework
VMs aren't very useful if they can't connect to the network. Apple has the vmnet.framework to handle this.
Shared Mode enhancements
- IPv6 in shared mode
- Specify IP range of inside network
- Port Forwarding
Bridged Mode - VM has separate IP, does not use NAT. This has previously not been available for VM hypervisor software which uses Apple's Hypervisor framework: https://developer.apple.com/documentation/hypervisor

Custom IP protocol
NetworkExtension Framework

Network Kernel Extensions are deprecated in macOS Catalina
Move to using System Extensions

Summary:
New APIs available for Network Extension apps
- Content Filter
- Transparent Proxy
- DNS Proxy
- VPN
- Virtual Machine
- Custom Protocols
Network kernel extensions are deprecated and will stop working in the future.
Posted by rtrouton.
0 Replies
762 Views
Bonjour
Building Framing Protocols
Collecting Metrics
Best Practices and Status Updates
If you're using URLSession and Network.framework, you'll be able to take advantage of all of Apple's iOS network technologies.

Bonjour
Supported on:
- Windows 10
- Android
- Chrome
- Linux
- All Apple platforms
Wide-Area Service Discovery
Discovery proxy allows Bonjour packets to be forwarded.
What this means for your app
When browsing, specify "nil" for domain
Specifying "local" will explicitly prevent non-local discovery.
Service Discovery in Network.framework
Network.framework Establishment Support

Optimistic DNS
Now enabled by default
Improves performance for answers with short times-to-live

iPad Apps for Mac
In your Xcode settings, when you check the box for Mac:
- Outgoing network connections are allowed by default
- Incoming network connections are not allowed by default

Performance and Privacy Improvements with TLS 1.3
One round trip
AEAD (authenticated encryption with additional data) with Forward Secrecy
Certificates and most handshake fields are encrypted
Work on Encrypted SNI underway
Update your apps and servers to use TLS 1.3.

When testing your apps, use the Network Link Conditioner (under Window: Devices and Simulators in Xcode)
Avoid networking pre-flight checks
- They have inherent race conditions
Posted by rtrouton.
0 Replies
1.2k Views
Question: Is there a way to mitigate HyperThreading vulnerability via MDM versus only NVRAM arguments passed in Recovery?
Answer: No, because if it's available via MDM, it's also available to a potential remote attacker.

Question: When a macOS MDM device upgrades to Catalina, what requirements does the device need to have in order to be considered Supervised? Is User Approved MDM enough to be considered supervised?
Answer: Ask at the Device Management lab on Friday.

Question: Does User-approved MDM provide the ability to run MDM commands available only to supervised Macs?
Answer: Ask at the Device Management lab on Friday.

Question: One of the bootstrap token criteria states: "The Mac must be enrolled in an MDM solution associated with Apple School Manager or Apple Business Manager." Does this mean that this is for ONLY ABM-based MDM enrollments or does a UAMDM enrolled system whose MDM is also configured in DEP meet this requirement?
Answer: Ask at the Device Management lab on Friday.

Question: What is the "member:UUID" certificate in the login keychain?
Answer: Yes, it's an Apple-generated certificate. It is harmless, it can be deleted, but it may be regenerated at a future time. I'm looking further into this and will get back to you with more details later.
Note: I went through multiple Apple Security engineers on this question. The first three had no idea and hadn't seen this before, but the ones that checked also saw it on their own Macs. The fourth engineer talked to someone else not at WWDC and gave me the answer below, while the fifth engineer is the one investigating.

Question: Is it possible to force enable FileVault encryption via MDM on login without user dialogs? If so, what needs to be set?
Answer: Ask at the Device Management lab on Friday.
Posted by rtrouton.