2 Replies
      Latest reply on Sep 18, 2019 12:31 PM by GoVanguard
rtrouton Level 1 (0 points)

Same management tools for companies, schools or institutions
Balance security vs. privacy values
Apple's goal is to have Apple devices fit into corp environments, while standing out because of Apple's device strengths.

Custom apps are coming to Apple School Manager (ASM)
Federated logins with managed Apple IDs are coming to Apple Business Manager (ABM)
ABM and ASM are now supported on iPads.

Apple Deployment Programs are being phased out at the end of the year, in favor of ASM / ABM.

Automatic enrollment in AppleSeed for IT for ASM / ABM managed Apple IDs.

Classroom:

Able to now manage student Macs in addition to iPads.
Bring existing iOS Restrictions to macOS.
- Allow remote screen observation
- Allow remote screenshot

New Hide Apps feature, where the teacher hits the Hide Apps button and students' iPads return to the home screen.

Platform Parity for tvOS

Managed Software Updates
Force automatic date and time
Content Caching for screen savers

User Enrollment

BYOD - Don't want the admin to manage the entire device.
User Enrollment for BYOD
- New MDM enrollment option
- Better balance for BYOD
- Allows personal data to stay private
- Allows corporate data to stay secure

Managed Apple ID is required for user enrollment
- Apps and accounts use the correct Apple ID
- Unenrolling removes the Managed Apple ID

If using Federated logins for ASM/ABM, the end user will use their own corp account's username and password to log in. The managed Apple ID will be using those credentials.

Corporate data is stored in the Managed Apple ID's iCloud account
Personal data is stored in the personal Apple ID's iCloud account

Data Separation

Managed APFS volume created during user enrollment
Unenrolling destroys the volume and the cryptographic keys used to encrypt it.

Managed APFS volume contains:

App containers
Notes
iCloud Drive documents
Keychain
Mail attachments and full email bodies
Calendar attachments

User enrollment - protocol

Profile Service Profiles
UDID or other persistent device identifiers
- EnrollmentID
- EASDeviceIdentifier
Unlock Token in TokenUpdate

User enrollment - commands

EraseDevice, ActiveSync RemoteWipe - not supported
Managed results only:
- InstalledApplicationList
- CertificateList
- ProfileList
- ProvisioningProfileList

InstallApplication
- App is always removed on unenroll
- Enterprise app support

User enrollment - payloads

Per-app VPN
- MailDomains, ContactsDomains, CalendarDomains
Passcode - 6 digit, non-simple
WiFi - use WPAD for proxying

Defaults and Logging payloads are not supported.

User enrollment - Restrictions

Managed Open In, allowLockScreen and forceEncryptedBackup are supported

Any supervised restrictions are not supported
Ratings*, allowiCloud restrictions are not supported

User enrollments are also supported on macOS Catalina

User enrollment with managed Apple ID
Managed APFS volume

Certificate Transparency
Applies to all Apple platforms

Security enhancement
Opt out sensitive certificates or domains

APNS

Support token-based authentication

Device Enrollment Settings

Now always
- Supervised
- Mandatory

Use configuration profile restriction

Apple Remote Desktop

Enable and disable via MDM
Sets Remote Management to All Users

Enables options:
- Observe
- Control
- Show observe

Manage SecureTokens

- Allow mobile accounts to boot FileVault system
MDM server manages bootstrap token
Used to generate SecureToken when user signs in

Privacy Policy

Enable key loggers
Enable screen recording
Whitelist non-notarized internal apps

FileVault

Now requires user-approved MDM enrollment
- Can't pass username/password auth to fdesetup
- Changes may break scripts or MDM agents

Activation Lock

Clear Activation Lock via MDM
Same endpoint and API as iOS
Server APIs coming late
Coming later this summer

Deprecations

Non-UI profile installation
Parental Controls Application Access
User-channel-only enrollments

Deprecated Unsupervised Restrictions

For transition period
- Remain in effect after upgrade
- Not honored after backup and restore

Unlock Token - iOS

Available only in the first successful token update after enrollment
Remember it and don't count on getting one later.

Single Sign-On

Too many methods, too many places

Why Single Sign On?

Suite of apps and web sites
Improved user experience
No passwords
Trust score data

What is Single Sign On?

iOS and macOS
Native apps and Safari
MDM managed
UI can be native, web or silent

Single Sign On is _not_ Sign In with Apple. Single Sign On is intended for use with corporate identity providers (Okta, Ping, Duo, Azure, etc.)

Redirect Extensions

Modern authentication
OpenID Connect, OAuth

What can the extensions do?

Native screen for authentication
Multifactor auth supported
Secure Enclave (SEP) generated keys
Trust score data
Federated authentication
WebAuthN

Native App - Redirect

Native Apps can send operations
Better fit into the app flow
Authentication library is not needed

Native - Redirect Extension

Credentials:

Credential Extensions

Challenge/response authentication
Kerberos
Custom challenges

HTTP challenge from OS
Hosts or host suffixes that apply to that extension
Operations are supported

Kerberos Extension

Included with macOS Catalina and iOS 13
Provides AD password management and local password sync
Smart card and certificate-based authentication support

Single Sign On Summary:

Enables Single Sign On for apps and websites
macOS and iOS
Two types available
Watch the Single Sign On video being released later.

Associated Domains

Can be managed via MDM
Not just for Single Sign On

Federated Authentication

Supports Azure AD
Managed Apple ID coming to ABM
User Enrollment requires managed Apple ID

Enrollment customization

Provide custom web UI for enrollment

Use for:
- Authentication
- Branding
- Consent text
- Privacy policy

Content caching

Configure for best effort vs. infrastructure
Tell devices to prefer specific caching servers

Documentation

Import new keys and values from code
Format matches developer documentation
Highlight changes in OS releases

Device Management Documentation

Link: https://developer.apple.com/documentation/devicemanagement
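One way an MDM server could act on two of the notes above (User Enrollment devices identified by EnrollmentID rather than UDID, and the unlock token being delivered only in the first successful TokenUpdate), as an added Python example that is not part of the original post or of Apple's own code; the check-in message shapes are simplified, and the identifier and token bytes are constructed.

```python
import plistlib
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class EnrollmentRecord:
    enrollment_id: str
    push_token: bytes = b""
    unlock_token: Optional[bytes] = None  # captured once, never cleared

class CheckInHandler:
    """Minimal MDM check-in processor for User Enrollment devices.
    Records are keyed by EnrollmentID since no UDID is available."""

    def __init__(self) -> None:
        self.records: Dict[str, EnrollmentRecord] = {}

    def handle(self, body: bytes) -> EnrollmentRecord:
        msg = plistlib.loads(body)
        eid = msg["EnrollmentID"]
        rec = self.records.setdefault(eid, EnrollmentRecord(eid))
        kind = msg["MessageType"]
        if kind == "TokenUpdate":
            rec.push_token = msg["Token"]
            # UnlockToken arrives only in the first successful TokenUpdate
            # after enrollment; later TokenUpdates (e.g. push token rotation)
            # omit it, so overwrite only when present and never reset to None.
            if "UnlockToken" in msg:
                rec.unlock_token = msg["UnlockToken"]
        elif kind != "Authenticate":
            raise ValueError(f"unexpected MessageType {kind!r}")
        return rec

EID = "ENROLLMENT-ID-CONSTRUCTED-0001"  # constructed sample identifier
# Constructed check-in sequence: Authenticate, first TokenUpdate (carries the
# UnlockToken), then a later TokenUpdate after a push token rotation.
SAMPLE_CHECKINS = [
    plistlib.dumps({"MessageType": "Authenticate", "EnrollmentID": EID}),
    plistlib.dumps({"MessageType": "TokenUpdate", "EnrollmentID": EID,
                    "Token": b"\x01\x02", "UnlockToken": b"\xaa\xbb"}),
    plistlib.dumps({"MessageType": "TokenUpdate", "EnrollmentID": EID,
                    "Token": b"\x03\x04"}),
]

def run_sample() -> EnrollmentRecord:
    handler = CheckInHandler()
    for body in SAMPLE_CHECKINS:
        record = handler.handle(body)
    return record
```

After the third message the record holds the rotated push token but still the unlock token from the first TokenUpdate.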