What's New in Managing Apple Devices notes

Expanded DEP now available in 26 countries

Four-hour turnaround for replacement devices



New features of DEP



Enrollment optimization - Keeps the device in Setup Assistant until MDM enrollment completes.

DEP will send a DeviceConfigured command to the device, to let it know it can now exit Setup Assistant

Available for 10.11 / iOS 9





Account creation:

Prevent user account creation

Set passcode policy

Create standard user account

Setup Assistant will also create admin account in the background.

- optionally hidden

Standard user is created by Setup Assistant, (possibly hidden) admin user is available for remote administration.





Additional panes can be removed from Setup Assistant


Touch ID

Apple Pay

Zoom

Android Migration <- new option to remove



MDMServiceConfig


Equivalent to Storebag from iTunes Store

Informs tools what info they can obtain from your server


Three different ways of purchasing apps

App Store

VPP Redemption Codes

VPP Managed Distribution



VPP expanded to 26 countries (matches DEP)


Multinational app assignment


Purchase app in any of the 26 covered countries, can distribute them across other covered countries as long as app is available in that nation's app store. Buy in France, distribute to users in the US and Britain.



Device app assignment


No Apple ID required on the device

No invitation process



For App developers


Support device assignments


- Opt in

- Update recipt checking


Store app data in the cloud


- iCloud

- Your own cloud solution



Change to Caching Server in El Capitan


Preheat cache of iCloud data on local network

Data will be encrypted



iCloud Drive documents

CloudKit data

iCloud Photo Library photos


Translation: Give your Caching Server more storage. MOAR.





MDM Developers: InstallApplication


Installs app if not installed

Updates app if installed managed


What's different?


Migrate user to device assignment without reinstalling or losing user data

Convert unmanaged to managed without reinstalling or losing user data

Install via MDM or Configurator with the App Store set to be disabled



Enterprise in-house apps:


New explicit user trust flow for apps

Prevent users from trusting apps

Apps installed via enterprise's MDM do not require explicit user trust



B2B apps:


Can provide the same metadata for apps that can be provided for App Store-provided apps. Coming later this summer.



For new settings discussed above, take a look in El Capitan's Profile Manager.




New MDM commands and queries (iOS)


Available Software Updates

Update to iOS (DEP devices only)

- Download and stage the update, for later installation



iOS 9:


Profile restrictions


Keyboard shortcuts

Modify device name, passcode, wallpaper

News

Pair with Apple Watch



Network Usage Rules

OS X Server Account

Mail: Mail Drop

SSO: Specify


New MDM commands and queries (OS X)


Available Software Updates

Install Software Updates (DEP Macs only)


Configure ethernet proxy

Login window - disable account migration


Note: Recommend that readers of these notes make time to review the session video, they went through the new MDM commands, restrictions and queries pretty fast.



Tools:


DEP and VPP Simulators


Simulate DEP and VPP services

Test handling of service errors


Available for download on developer portal

New revs this week support the new iOS 9 / El Capitan features



Apple Configurator:


Rewritten; now Apple Configurator 2


New interface puts the connected iOS devices front and center

Discrete tasks

Easy automation - combine tasks into workflows

Multiple stations

Companion to DEP and MDM server


Tasks available from the Actions menu in Configurator 2.


Configurator no longer maintains a database of applications. iOS applications can stored as files on the Mac's filesystem, in iCloud, on network storage, etc, and Configurator can select them as files and use them.


Command line tool for managing Configurator 2, will be covered in an automation session on Thursday.


Apple Configurator 2 beta available now.

Replies

Thanks, Rich!


If you have a chance grab the Betas and accompying release notes. There are some great bits of information in those that will help with planning.

Apple DEP service/hidden admin account - Random GUID. Currently cannot update password/target user. They are working on sending GUID information back to MDM server at creation account time to target later. This isn't a provision profile, but a part of the DEP Setup Assistant activation.


Apple Configurator 2

- Now uses CommerceKit to support Caching Servers. _Should_ support multiple front-facing IP addresses but could not be confirmed with engineering.

- Shared Cache Container

- New identifier - com.apple.configurator.ui

- Blueprints are .plists and can be exported/imported by moving files to ~/Library/Group\ Containers/Group.com.apple.configurator/Library/Application\ Support/com.apple.configurator/Blueprints - EXPECT changes to keys/layout.

- Automator actions currently require administrative rights and installation tool does not work - will be fixed in a future update.


Apple Caching Service

- Can optionally cache iCloud personal / business data (1 or both). Data location is truncated in logs and encrypted on volume. Cacher logs should still work but I need to test.

Thanks, Rich. This is great information. Can't wait to watch the video when it's up.

Off to grab AC2!

One thing I forgot to post.


App Thinning is currently not possible with Apple Configurator 2. You will have to install the entire application on an iOS device. MDM MD will support App Thinning.

I have never seen these before? Are these released, I don't see them anywhere.


DEP and VPP Simulators

Simulate DEP and VPP services

Test handling of service errors

Anyone know where these are I can't find them still?

This is part of the documentation available to iOS Enterprise program subscribers only. It also includes the MDM Protocol Reference document. The DEP and VPP simulator code has been available since before 10.11 and iOS 9 were released but it seems to have gotten an actual mention this time. You'll have to get your employer to cough up the $300 for access.


Pepijn.