Notes from What's New in Apple Device Management (Friday, June 7th at 11:00 AM)

Same management tools for companies, schools or institutions

Balance security vs. privacy values

Apple's goal is to have Apple devices fit into corporate environments while standing out because of the strengths of Apple's devices.



Custom apps are coming to Apple School Manager (ASM)

Federated logins with managed Apple IDs are coming to Apple Business Manager (ABM)

ABM and ASM are now supported on iPads.



Apple Deployment Programs are being phased out at the end of the year, in favor of ASM / ABM.



Automatic enrollment in AppleSeed for IT for ASM / ABM managed Apple IDs.



Classroom:



Classroom can now manage student Macs in addition to iPads.

Existing iOS restrictions are brought to macOS:

- Allow remote screen observation

- Allow remote screenshot



New Hide Apps feature: when the teacher taps the Hide Apps button, students' iPads return to the Home screen.



Platform Parity for tvOS



Managed Software Updates

Force automatic date and time

Content Caching for screen savers



User Enrollment



BYOD: the user does not want the admin to manage the entire device.

User Enrollment for BYOD

- New MDM enrollment option

- Better balance for BYOD

- Allows personal data to stay private

- Allows corporate data to stay secure





Managed Apple ID is required for user enrollment

- Apps and accounts use correct Apple ID

- Unenrolling removes Managed Apple ID



With federated logins for ASM/ABM, the end user logs in with their own corporate account's username and password; the Managed Apple ID uses those credentials.



Corporate data is stored in the Managed Apple ID's iCloud account

Personal data is stored in the personal Apple ID's iCloud account



Data Separation



Managed APFS volume created during user enrollment

Unenrolling destroys the volume and the cryptographic keys used to encrypt it.



Managed APFS volume contains



App containers

Notes

iCloud Drive documents

Keychain

Mail attachments and full email bodies

Calendar attachments





User enrollment - protocol



Profile Service Profiles

UDID or other persistent device identifiers

- EnrollmentID

- EASDeviceIdentifier

Unlock Token in TokenUpdate



User enrollment - commands



EraseDevice, ActiveSync RemoteWipe - not supported

Managed results only:

- InstalledApplicationList

- CertificateList

- ProfileList

- ProvisioningProfileList



InstallApplication

- App is always removed on unenroll

- Enterprise app support



User enrollment - payloads



Per-app VPN

- MailDomains, ContactsDomains, CalendarDomains

Passcode - 6 digit, non-simple

WiFi - use WPAD for proxying



Defaults and Logging payloads are not supported.



User enrollment - Restrictions



Managed Open In, allowLockScreen and forceEncryptedBackup are supported



Supervised-only restrictions are not supported

Ratings*, allowiCloud restrictions are not supported



User enrollments are also supported on macOS Catalina



User enrollment with managed Apple ID

Managed APFS volume





Certificate Transparency

Applies to all Apple platforms



Security enhancement

Opt out sensitive certificates or domains



APNS



Support token-based authentication



Device Enrollment Settings



Now always

- Supervised

- Mandatory



Use configuration profile restriction





Apple Remote Desktop



Enable and disable via MDM

Sets Remote Management to All Users



Enables options:

- Observe

- Control

- Show observe



Manage SecureTokens



- Allow mobile accounts to boot a FileVault-encrypted system

MDM server manages bootstrap token

Used to generate SecureToken when user signs in





Privacy Policy



Enable key loggers

Enable screen recording

Whitelist non-notarized internal apps



FileVault



Now requires user-approved MDM enrollment

- Username/password authentication can no longer be passed to fdesetup

- These changes may break scripts or MDM agents





Activation Lock



Clear Activation Lock via MDM

Same endpoint and API as iOS

Server APIs coming later this summer





Deprecations



Non-UI profile installation

Parental Controls Application Access

User-channel-only enrollments





Deprecated Unsupervised Restrictions



For the transition period:

- Remain in effect after upgrade

- Not honored after backup and restore





Unlock Token - iOS



Available only in the first successful TokenUpdate after enrollment

Store it; don't count on getting one later.
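Added example (not code from the session or from Apple) showing how an MDM server should consume the TokenUpdate check-in described here and under "User enrollment - protocol/commands": persist the UnlockToken from the first TokenUpdate and never let a later message clear it, treat an EnrollmentID as a User Enrollment with no persistent UDID, and refuse EraseDevice for such enrollments. The plists, topic, UDID, EnrollmentID and token values are constructed placeholders.

```python
"""Added example, not Apple's or the session's code: server-side TokenUpdate handling.
The plists below are constructed sample input; all identifiers and tokens are placeholders."""
import plistlib

USER_ENROLLMENT_UNSUPPORTED = {"EraseDevice"}  # listed as unsupported under User Enrollment

# Constructed TokenUpdate from a device-enrolled iOS device (first one after enrollment).
DEVICE_TOKEN_UPDATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>MessageType</key><string>TokenUpdate</string>
<key>Topic</key><string>com.apple.mgmt.External.example</string>
<key>UDID</key><string>00008020-000000000000000A</string>
<key>Token</key><data>AQID</data>
<key>PushMagic</key><string>EXAMPLE-PUSH-MAGIC</string>
<key>UnlockToken</key><data>dW5sb2Nr</data>
</dict></plist>"""

# Constructed TokenUpdate from a User Enrollment: EnrollmentID replaces the UDID.
USER_TOKEN_UPDATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>MessageType</key><string>TokenUpdate</string>
<key>Topic</key><string>com.apple.mgmt.External.example</string>
<key>EnrollmentID</key><string>EXAMPLE-ENROLLMENT-ID</string>
<key>Token</key><data>BAUG</data>
<key>PushMagic</key><string>EXAMPLE-PUSH-MAGIC-2</string>
</dict></plist>"""


def handle_token_update(record: dict, raw_plist: bytes) -> dict:
    """Merge one TokenUpdate into the stored enrollment record and return it."""
    msg = plistlib.loads(raw_plist)
    if msg.get("MessageType") != "TokenUpdate":
        raise ValueError("not a TokenUpdate message")
    if "EnrollmentID" in msg:  # User Enrollment: no persistent device identifier
        record["enrollment_id"] = msg["EnrollmentID"]
        record["user_enrollment"] = True
    else:
        record["udid"] = msg["UDID"]
        record["user_enrollment"] = False
    record["push_token"] = msg["Token"]
    record["push_magic"] = msg["PushMagic"]
    # UnlockToken arrives only in the first successful TokenUpdate after enrollment:
    # store it once and never let a later message that lacks it clear the stored copy.
    if "UnlockToken" in msg and not record.get("unlock_token"):
        record["unlock_token"] = msg["UnlockToken"]
    return record


def command_allowed(record: dict, request_type: str) -> bool:
    """Gate commands a User Enrollment will not honor (EraseDevice per the notes)."""
    return not (record.get("user_enrollment") and request_type in USER_ENROLLMENT_UNSUPPORTED)
```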





Single Sign-On



Too many methods, too many places



Why Single Sign On?



Suite of apps and web sites

Improved user experience

No passwords

Trust score data



What is Single Sign On?



iOS and macOS

Native apps and Safari

MDM managed

UI can be native, web or silent



Single Sign On is _not_ Sign In with Apple. Single Sign On is intended for use with corporate identity providers (Okta, Ping, Duo, Azure, etc.)



Redirect Extensions



Modern authentication

OpenID Connect, OAuth



What can the extensions do?



Native screen for authentication

Multifactor auth supported

Secure Enclave (SEP) generated keys

Trust score data

Federated authentication

WebAuthn



Native App - Redirect



Native apps can send operations

Better fit into the app flow

Authentication library is not needed



Native - Redirect Extension





Credential Extensions:



Challenge/response authentication

Kerberos

Custom challenges



HTTP challenge from the OS

Hosts or host suffixes that apply to that extension

Operations are supported



Kerberos Extension



Included with macOS Catalina and iOS 13

Provides AD password management and local password sync

Smart card and certificate-based authentication support



Single Sign On Summary:



Enables Single Sign On for apps and websites

macOS and iOS

Two types available

Watch the Single Sign On video being released later.





Associated Domains



Can be managed via MDM

Not just for Single Sign On



Federated Authentication



Supports Azure AD

Managed Apple ID coming to ABM

User Enrollment requires managed Apple ID



Enrollment customization



Provide custom web UI for enrollment



Use for:



- Authentication

- Branding

- Consent text

- Privacy policy



Content caching



Configure for best effort vs. infrastructure

Tell devices to prefer specific caching servers



Documentation



Import new keys and values from code

Format matches developer documentation

Highlight changes in OS releases



Device Management Documentation



Link: https://developer.apple.com/documentation/devicemanagement

Replies

Hi, do we have any documentation on “Support for token based APNS”? I could not find any documentation on how MDM vendors can utilize this.

Any idea when Federated Authentication/Login > Managed AppleIDs is going to be rolled out to ABM? We've only seen the ability in ASM so far.