1 Reply
      Latest reply on Aug 9, 2016 11:10 AM by mlbell4
      rtrouton Level 1 (0 points)

        Todd Fernandez - Senior Manager, Device Management and Server



        September 2016 release timeframe for macOS Sierra (based on showing September 2016 in the video when release dates were discussed.)



        Reviewing features released in iOS 9.3



        Apple School Manager (watch video)

        Shared iPad (watch video)

        Classroom (watch video)





        Apple deployment programs

        Apple School Manager

        Apple ID





        Apple deployment programs

        DEP (Device Enrollment Program)


        New settings and commands





        Apple School Manager


        Manages people, devices and content



        • Student information system integration
        • CSV import



        Creates managed Apple IDs for each student and teacher.


        Admin accounts

        • Tiered administration
        • Roles and privileges


        Student accounts



        Required for Shared iPad, can also be used for 1 to 1.

        Passcode options

        Disabled options

        - Commerce, FaceTime, iMessage, iCloud Mail...



        Roster Service API




        Students' Apple IDs

        Teachers' Apple IDs



        Customers will not need to download new tokens for new API.


        Handles duplicate records from multiple sources (LDAP + API)


        Allow admin to configure automatic policy matching criteria

        Allow admin to manually merge records



        source_system_identifier corresponds to the CSV import's "PersonNumber". This may not be unique; be able to handle non-unique import collisions.



        There is no delta API, only full enumeration.

        - Consider throttling admin-initiated syncs.





        Find purchases

        Configure MDM servers

        Set up devices with MDM





        VPP (Volume Purchase Program)

        iTunes U



        Enrollment optimization: Shared iPad (watch video)





        iOS 9.3.2 no longer supports MD5

        • DES deprecated
        • AES support added





        New in macOS Sierra:



        DEP allows the skipping of the following in the Setup Assistant:


        • Siri
        • iCloud preferences



        Shared iPad



        Multiple users



        Requires managed Apple ID to sign in

        Sign into iCloud and iTunes



        Device-assignment of apps via VPP

        MDM vendors use PurchaseMethod1



        All app types supported

        - App Store developers must allow device assignment



        Student data truth is stored in the cloud

        • Data is cached locally, but purged as needed
        • User data is separated
        • Data will continue to upload to the cloud after sign-out, if needed.



        If one student signs out with data still waiting to upload and another student signs in:


        • Previous student's data continues to upload to the cloud until transfer is completed.
        • New student's data downloads and the new student is able to start working right away.





        Lock screen grace period:


        Time after screen locks that device can be re-opened without re-entering the passcode.

        Once that time period expires, passcode will need to be entered.



        User channel:


        Allow MDM server to configure per-user settings for iOS - Similar to how macOS has always worked.



        No user authentication on iOS (watch video, didn't get all details.)



        Restrictions payload:


        Most restrictive payload wins

        Combined to compute effective restrictions

        Acts just like using multiple profiles for managing restrictions



        Managed Apple ID association



        Programmatically associate Managed Apple IDs for VPP

        - No need to invite the Managed Apple ID in order to send the app via VPP



        iBooks Store VPP books



        - Assigned to users

        - Cannot be distributed to devices

        Shared iPad must "download" in iBooks

        Downloaded only once per device





        Enterprise Apps



        Universal Provisioning Profile - Allows non-App Store apps to be installed


        • Apps installed via MDM are explicitly trusted.
        • Otherwise, user must explicitly trust apps from that UPP signer to run on this device.








        In iOS 9.3:



        Settings command was updated to support setting max users, diagnostic submission:



        New commands for iPads:


        User list

        Logout User

        Delete User



        Other new commands (apply to all iOS devices.)


        MDM Lost Mode (including device location)

        MDM Activation Lock





        Configuration profile payloads:


        Exchange, Mail: Allow Mail Drop

        Managed Domains: Safari autofill passwords

        VPN: Many new IKEv2 settings

        Restrictions: Many new settings






        Apple Music

        Classroom Screen View

        iCloud Photo Library

        iTunes Radio

        Modify Notifications

        Show/Hide Apps



        Configuration profile payloads: Education (watch video)

        Configuration profile payloads: Per-user on Shared iPad (watch video)



        iOS 9.3.2



        MDM commands and queries



        Enable / Disable app analytics

        Set lock screen grace period



        DeviceInformation returns analytics settings

        Watch video for info on key for setting lock screen grace period.





        What's new in iOS 10:



        Contacts, Exchange, Google, LDAP: Communication service rules for audio

        Lock Screen Message: Updated key names

        VPN: IKEv2 EAP only authentication method



        PPTP VPN has been removed from iOS 10 / macOS Sierra

        - PPTP payloads will not work



        Wi-Fi: Captive Bypass



        See video for more details



        What's new in OS X 10.11.4:


        Install major update (DEP Macs) - can force macOS Sierra upgrades on DEP-enabled Macs.

        Configure IP firewall





        Apple Music

        iCloud Photo Library

        iTunes Radio

        Back to My Mac

        Find My Mac



        Some additional restrictions listed, see video.


        See complete list of session and lab notes here:
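
The "Most restrictive payload wins" behaviour noted under "Restrictions payload" above, modelled as an added example that is not part of the original post or Apple's code. The restriction key names, the profile names and the allow*/force* default rule are assumptions made for the illustration.

```python
# Added example: a model of "most restrictive payload wins" for boolean
# Restrictions keys. Assumed rule: allow* keys default to True (False is the
# restrictive value); force* keys default to False (True is restrictive).

def restrictive_value(key):
    """Return the boolean value that counts as 'restricted' for this key."""
    if key.startswith("allow"):
        return False
    if key.startswith("force"):
        return True
    raise ValueError(f"unmodelled restriction key: {key}")


def effective_restrictions(payloads):
    """Combine named payloads into effective settings plus their sources.

    payloads: dict of profile name -> dict of restriction key -> bool.
    Returns (effective, sources); sources maps each key that ends up
    restricted to the sorted list of profiles that restrict it.
    """
    effective, sources = {}, {}
    for name, payload in payloads.items():
        for key, value in payload.items():
            if not isinstance(value, bool):
                raise TypeError(f"{name}: {key} must be a boolean")
            restricted = restrictive_value(key)
            # Start from the permissive default, then let any restrictive
            # value stick: a later permissive payload cannot undo it.
            effective.setdefault(key, not restricted)
            if value == restricted:
                effective[key] = restricted
                sources.setdefault(key, []).append(name)
    return effective, {k: sorted(v) for k, v in sources.items()}


# Constructed sample profiles (not from the session): one device-wide
# payload and one per-user payload.
SAMPLE = {
    "device-baseline": {"allowCamera": True, "allowMusicService": False,
                        "forceEncryptedBackup": True},
    "student-user": {"allowCamera": False, "allowMusicService": True,
                     "allowCloudPhotoLibrary": True,
                     "forceEncryptedBackup": False},
}

if __name__ == "__main__":
    effective, sources = effective_restrictions(SAMPLE)
    for key in sorted(effective):
        print(f"{key:26} {effective[key]!s:5} {sources.get(key, [])}")
```

The `sources` map is the part worth keeping when auditing a fleet: it names which installed profile is responsible for each restriction that is actually in force.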