Questions for Device Management lab (Friday, June 7th at 1:00 PM)

Question: For current Enterprise Connect users, how can we transition our current setup to use Single Sign On?

Answer: Apple Professional Services will be in touch with Enterprise Connect customers this summer.

Question: Current Enterprise Connect users can use Enterprise Connect to run scripts. Does Single Sign On also have this functionality?

Answer: Yes, but it will work differently and we think it will work better. Instead of Enterprise Connect, launchd will be running the script(s).

Question: How can companies, schools or institutions supervise non-DEP macOS devices? The reason is that DEP is not in every country yet, so it's sometimes impossible to get Macs into DEP even if the company is otherwise using DEP.

Answer: Right now, the answer is that we need to get DEP into those countries that don't have it.

Question: In the Managing Apple Devices session, it was stated that whitelisting and blacklisting of applications and locations would be deprecated, with a reference being made to the Parental Controls mechanism. For system admins who are currently using a configuration profile to accomplish this, what technology replaces this functionality in Catalina?

Answer: It's deprecated, but there's no direct replacement at this time. If you're using an MDM, talk to your MDM vendor to see what that vendor can provide as a replacement.

Question: System Extensions appear to still require user approval to load, like user-approved kernel extension loading (UAKEL). Does the UAMDM kernel extension whitelist also apply to System Extensions? If so, are there changes? If not, what replaces the kernel extension whitelist?

Answer: Great question, we're going to find out and get back to you.

Question: For the new System/Network extensions will vendors have a way to trigger the extension to register at install time?

Example - New antivirus product gets installed, can a postinstall script run to register the system extension to start running without showing the application UI?

Answer: Great question, we're going to find out and get back to you.

Question: When a macOS MDM device upgrades to Catalina, what requirements does the device need to have in order to be considered Supervised? Is User Approved MDM enough to be considered supervised?

Answer: It needs to be enrolled using DEP; being in the DEP pool by itself is not enough. User Approved MDM is not considered supervised.

Question: Does User-approved MDM provide the ability to run MDM commands available only to supervised Macs?

Answer: No.

Question: One of the bootstrap token criteria states: "The Mac must be enrolled in an MDM solution associated with Apple School Manager or Apple Business Manager."

Does this mean that this is for ONLY ABM-based MDM enrollments or does a UAMDM enrolled system whose MDM is also configured in DEP meet this requirement?

Answer: The bootstrap token is generated during the DEP-enabled Setup Assistant setup workflow and that's the only way it works. User Approved MDM does not meet this requirement.

Question: Is it possible to force enable FileVault encryption via MDM on login without user dialogs? If so, what needs to be set?

Answer: No. File a Radar to request this functionality.

Question: ETA on Federated Managed AppleIDs via GSuite login?

Answer: Apple can't comment on future release plans.

Question: Any plans to be able to login to the Mac with a Managed Apple ID?

Answer: Apple can't comment on future release plans.

Question: Will Apple ever offer more in-depth status information on https://www.apple.com/support/systemstatus/ for the Apple Business Manager system?

Answer: Apple is taking this feedback, please file a Radar for specific functionality.

Question: Will Apple add the status of the notarization service to their status board?

Answer: As long as the Developer ID Notary Service status is showing green on https://developer.apple.com/system-status/, the notarization service (including stapling) should be up.

Question: How will companies, schools or institutions block Activation Lock on non-DEP macOS devices? The reason is that DEP is not in every country yet, so it's sometimes impossible to get Macs into DEP even if the company is otherwise using DEP.

Answer: No, this requires supervision which means DEP enrollment. File a Radar to request additional functionality.

Question: Can the AutoSetupAdminAccounts option be used to create a local user which is enabled for MDM management? The desire is to have a local user account pre-configured with a password, but have it be on the “user channel” for MDM.

Answer: No, please file a Radar to request this functionality. That said, it may be possible to customize this workflow; talk to your MDM vendor. If possible, it would leverage the new enrollment customization.

Question: Is there any ability to manage Secure Tokens using UAMDM? (Create accounts with securetoken, enable for FileVault)

Answer: This happens via bootstrap tokens, which requires supervision (i.e., DEP enrollment). User Approved MDM does not meet this requirement.

There are several commands to manually manage bootstrap tokens (all need root privileges to run and require the credentials of a Secure Token-enabled account):

Uploads the bootstrap token to the MDM server:

profiles install -type bootstraptoken

Shows whether the bootstrap token has been escrowed on the MDM server:

profiles status -type bootstraptoken

Makes sure that the bootstrap token that the MDM has can be used on the client:

profiles validate -type bootstraptoken

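A small wrapper around the three profiles commands above, added here as an example and not part of the original post or of Apple's tooling. It checks the escrow status first and only runs the install (which prompts for Secure Token credentials) when the token is not yet escrowed; the exact wording of the status lines it parses is an assumption and should be re-checked on your own build.

```shell
#!/bin/sh
# Added example (not from the original post): escrow the bootstrap token only
# when `profiles status -type bootstraptoken` says it is missing.
# Assumed output format (check it on your macOS build; this is an assumption):
#   profiles: Bootstrap Token supported on server: YES
#   profiles: Bootstrap Token escrowed to server: NO

# Returns 0 if the status text says the token is escrowed, 1 otherwise.
bootstrap_token_escrowed() {
    printf '%s\n' "$1" | grep -qi 'escrowed to server: *YES'
}

# Returns 0 if the status text says the MDM server supports bootstrap tokens.
bootstrap_token_supported() {
    printf '%s\n' "$1" | grep -qi 'supported on server: *YES'
}

# Run on the client as root. Escrows the token only when needed, then
# validates that the MDM's copy is usable on this Mac.
ensure_bootstrap_token() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 2; }
    status="$(profiles status -type bootstraptoken 2>&1)"
    if ! bootstrap_token_supported "$status"; then
        echo "MDM server does not support bootstrap tokens" >&2
        return 3
    fi
    if bootstrap_token_escrowed "$status"; then
        echo "bootstrap token already escrowed"
        return 0
    fi
    # Prompts for the credentials of a Secure Token-enabled account.
    profiles install -type bootstraptoken && profiles validate -type bootstraptoken
}

# Constructed sample status output for a dry run on a machine without `profiles`.
SAMPLE_NOT_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
SAMPLE_ESCROWED='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
```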
Replies

I received some updated answers for questions. Please see below:

Question: System Extensions appear to still require user approval to load, like user-approved kernel extension loading (UAKEL). Does the UAMDM kernel extension whitelist also apply to System Extensions? If so, are there changes? If not, what replaces the kernel extension whitelist?

Updated Answer: Please send feedback via the feedback assistant with an impact statement about this issue and send your Apple rep the feedback number so they can continue to follow up on this.

Question: For the new System/Network extensions will vendors have a way to trigger the extension to register at install time?

Example - New antivirus product gets installed, can a postinstall script run to register the system extension to start running without showing the application UI?

Updated Answer: No, SystemExtensions must be bundled within applications. The installer can lay down an application containing a SystemExtension, and that extension will be activated when an activationRequest is submitted by that app for the extension. In situations where the majority of the implementation of a software is in the SystemExtension, we recommend the containing application contain affordances for managing/configuring the extension.