Same management tools for companies, schools or institutions
Balance security vs. privacy values
Apple's goal is to have Apple devices fit into corporate environments while standing out because of Apple's device strengths.
Custom apps are coming to Apple School Manager (ASM)
Federated logins with managed Apple IDs are coming to Apple Business Manager (ABM)
ABM and ASM are now supported on iPads.
Apple Deployment Programs are being phased out at the end of the year, in favor of ASM / ABM.
Automatic enrollment in AppleSeed for IT for ASM / ABM managed Apple IDs.
Classroom:
Now able to manage student Macs in addition to iPads.
Bring existing iOS Restrictions to macOS.
- Allow remote screen observation
- Allow remote screenshot
New Hide Apps feature, where teacher hits Hide Apps button and students' iPads return to home screen.
Platform Parity for tvOS
Managed Software Updates
Force automatic date and time
Content Caching for screen savers
User Enrollment
BYOD - Don't want the admin to manage the entire device.
User Enrollment for BYOD
- New MDM enrollment option
- Better balance for BYOD
- Allows personal data to stay private
- Allows corporate data to stay secure
Managed Apple ID is required for user enrollment
- Apps and accounts use correct Apple ID
- Unenrolling removes Managed Apple ID
If using Federated logins for ASM/ABM, the end user logs in with their own corporate account's username and password; the Managed Apple ID uses those credentials.
Corporate data is stored in the Managed Apple ID's iCloud account
Personal data is stored in the personal Apple ID's iCloud account
Data Separation
Managed APFS volume created during user enrollment
Unenrolling destroys the volume and the cryptographic keys used to encrypt it.
Managed APFS volume contains
App containers
Notes
iCloud Drive documents
Keychain
Mail attachments and full email bodies
Calendar attachments
User enrollment - protocol
Profile Service Profiles
No UDID or other persistent device identifiers; instead:
- EnrollmentID
- EASDeviceIdentifier
Unlock Token in TokenUpdate
User enrollment - commands
EraseDevice, ActiveSync RemoteWipe - not supported
Managed results only:
- InstalledApplicationList
- CertificateList
- ProfileList
- ProvisioningProfileList
InstallApplication
- App is always removed on unenroll
- Enterprise app support
User enrollment - payloads
Per-app VPN
- MailDomains, ContactsDomains, CalendarDomains
Passcode - 6 digit, non-simple
WiFi - use WPAD for proxying
Defaults and Logging payloads are not supported.
User enrollment - Restrictions
Managed Open In, allowLockScreen and forceEncryptedBackup are supported
Any supervised restrictions are not supported
Ratings*, allowiCloud restrictions are not supported
User enrollments are also supported on macOS Catalina
User enrollment with managed Apple ID
Managed APFS volume
Certificate Transparency
Applies to all Apple platforms
Security enhancement
Opt out sensitive certificates or domains
APNS
Support token-based authentication
Device Enrollment Settings
Now always
- Supervised
- Mandatory
Use configuration profile restriction
Apple Remote Desktop
Enable and disable via MDM
Sets Remote Management to All Users
Enables options:
- Observe
- Control
- Show observe
Manage SecureTokens
- Allow mobile accounts to boot FileVault system
MDM server manages bootstrap token
Used to generate SecureToken when user signs in
Privacy Policy
Enable key loggers
Enable screen recording
Whitelist non-notarized internal apps
FileVault
Now requires user-approved MDM enrollment
- Can't pass username/password auth to fdesetup
- Changes may break scripts or MDM agents
Activation Lock
Clear Activation Lock via MDM
Same endpoint and API as iOS
Server APIs coming later this summer
Deprecations
Non-UI profile installation
Parental Controls Application Access
User-channel-only enrollments
Deprecated Unsupervised Restrictions
For transition period
- Remain in effect after upgrade
- Not honored after backup and restore
Unlock Token - iOS
Available only in first successful token update after enrollment
Remember it and don't count on getting one later.
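As an added example (not Apple's code, nor from any MDM product), a minimal server-side handler for the TokenUpdate check-in that keys User Enrollments by EnrollmentID (not UDID) and saves the UnlockToken only when it is present, so a later TokenUpdate without one cannot clear the stored value. The check-in keys MessageType, Topic, PushMagic, Token, UnlockToken, UDID and EnrollmentID are Apple's MDM protocol keys; the two sample messages and the dict standing in for the MDM database are constructed.

```python
import plistlib
from typing import Any, Dict

# Constructed sample: the first TokenUpdate of a User Enrollment. It carries an
# EnrollmentID instead of a UDID and, only this once, an UnlockToken.
FIRST_TOKEN_UPDATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>MessageType</key><string>TokenUpdate</string>
  <key>Topic</key><string>com.apple.mgmt.External.EXAMPLE</string>
  <key>EnrollmentID</key><string>EXAMPLE-ENROLLMENT-ID</string>
  <key>PushMagic</key><string>EXAMPLE-PUSH-MAGIC</string>
  <key>Token</key><data>AQID</data>
  <key>UnlockToken</key><data>BAUG</data>
</dict></plist>"""

# Constructed sample: a later TokenUpdate after the APNs token changed.
# No UnlockToken is present, so the stored one must survive untouched.
LATER_TOKEN_UPDATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>MessageType</key><string>TokenUpdate</string>
  <key>Topic</key><string>com.apple.mgmt.External.EXAMPLE</string>
  <key>EnrollmentID</key><string>EXAMPLE-ENROLLMENT-ID</string>
  <key>PushMagic</key><string>EXAMPLE-PUSH-MAGIC</string>
  <key>Token</key><data>BwgJ</data>
</dict></plist>"""


def device_key(msg: Dict[str, Any]) -> str:
    """User Enrollments are identified by EnrollmentID, device enrollments by UDID."""
    for key in ("EnrollmentID", "UDID"):
        if msg.get(key):
            return f"{key}:{msg[key]}"
    raise ValueError("check-in carries no EnrollmentID or UDID")


def handle_token_update(store: Dict[str, Dict[str, Any]], raw: bytes) -> Dict[str, Any]:
    """Merge a TokenUpdate into `store` (stand-in for the MDM database); return the record."""
    msg = plistlib.loads(raw)
    if msg.get("MessageType") != "TokenUpdate":
        raise ValueError(f"expected TokenUpdate, got {msg.get('MessageType')!r}")
    record = store.setdefault(device_key(msg), {})
    # Push routing data is refreshed on every TokenUpdate.
    for key in ("Topic", "PushMagic", "Token"):
        record[key] = msg[key]
    # The UnlockToken arrives only in the first successful TokenUpdate after
    # enrollment: save it when present, never clear it when it is absent.
    if "UnlockToken" in msg:
        record["UnlockToken"] = msg["UnlockToken"]
    return record
```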
Single Sign-On
Too many methods, too many places
Why Single Sign On?
Suite of apps and web sites
Improved user experience
No passwords
Trust score data
What is Single Sign On?
iOS and macOS
Native apps and Safari
MDM managed
UI can be native, web or silent
Single Sign On is _not_ Sign In with Apple. Single Sign On is intended for use with corporate identity providers (Okta, Ping, Duo, Azure, etc.)
Redirect Extensions
Modern authentication
OpenID Connect, OAuth
What can the extensions do?
Native screen for authentication
Multifactor auth supported
Secure Enclave (SEP) generated keys
Trust score data
Federated authentication
WebAuthn
Native App - Redirect
Native Apps can send operations
Better fit into the app flow
Authentication library is not needed
Native - Redirect Extension
Credentials:
Credential Extensions
Challenge/response authentication
Kerberos
Custom challenges
HTTP challenge from OS
Hosts or host suffixes that apply to that extension
Operations are supported
Kerberos Extension
Included with macOS Catalina and iOS 13
Provides AD password management and local password sync
Smart card and certificate-based authentication support
Single Sign On Summary:
Enables Single Sign On for apps and websites
macOS and iOS
Two types available
Watch the Single Sign On video being released later.
Associated Domains
Can be managed via MDM
Not just for Single Sign On
Federated Authentication
Supports Azure AD
Managed Apple ID coming to ABM
User Enrollment requires managed Apple ID
Enrollment customization
Provide custom web UI for enrollment
Use for:
- Authentication
- Branding
- Consent text
- Privacy policy
Content caching
Configure for best effort vs. infrastructure
Tell devices to prefer specific caching servers
Documentation
Import new keys and values from code
Format matches developer documentation
Highlight changes in OS releases
Device Management Documentation
Link: https://developer.apple.com/documentation/devicemanagement