2 Replies
      Latest reply on Sep 18, 2019 12:31 PM by GoVanguard
      rtrouton Level 1 (0 points)

        Same management tools for companies, schools or institutions

        Balance security vs. privacy values

        Apple's goal is to have Apple devices fit into corp environments, while standing out because of Apple's device strengths.



        Custom apps are coming to Apple School Manager (ASM)

        Federated logins with managed Apple IDs are coming to Apple Business Manager (ABM)

        ABM and ASM are now supported on iPads.



        Apple Deployment Programs are being phased out at the end of the year, in favor of ASM / ABM.



        Automatic enrollment in AppleSeed for IT for ASM / ABM managed Apple IDs.






        Able to now manage student Macs in addition to iPads.

        Bring existing iOS Restrictions to macOS.

        - Allow remote screen observation

        - Allow remote screenshot



        New Hide Apps feature, where teacher hits Hide Apps button and students' iPads return to home screen.



        Platform Parity for tvOS



        Managed Software Updates

        Force automatic date and time

        Content Caching for screen savers



        User Enrollment



        BYOD - Don't want the admin to manage the entire device.

        User Enrollment for BYOD

        - New MDM enrollment option

        - Better balance for BYOD

        - Allows personal data to stay private

        - Allows corporate data to stay secure





        Managed Apple ID is required for user enrollment

        - Apps and accounts use correct Apple ID

        - Unenrolling removes Managed Apple ID



        If using Federated logins for ASM/ABM, end user will use their own corp account's username and password to log in. The managed Apple ID will be using those credentials.



        Corporate data is stored in the Managed Apple ID's iCloud account

        Personal data is stored in the personal Apple ID's iCloud account



        Data Separation



        Managed APFS volume created during user enrollment

        Unenrolling destroys the volume and the cryptographic keys used to encrypt it.



        Managed APFS volume contains



        App containers


        iCloud Drive documents


        Mail attachments and full email bodies

        Calendar attachments





        User enrollment - protocol



        Profile Service Profiles

        UDID or other persistent device identifiers

        - EnrollmentID

        - EASDeviceIdentifier

        Unlock Token in TokenUpdate



        User enrollment - commands



        EraseDevice, ActiveSync RemoteWipe - not supported

        Managed results only:

        - InstalledApplicationList

        - CertificateList

        - ProfileList

        - ProvisioningProfileList




        - App is always removed on unenroll

        - Enterprise app support



        User enrollment - payloads



        Per-app VPN

        - MailDomains, ContactsDomains, CalendarDomains

        Passcode - 6 digit, non-simple

        WiFi - use WPAD for proxying



        Defaults and Logging payloads are not supported.



        User enrollment - Restrictions



        Managed Open In, allowLockScreen and forceEncryptedBackup are supported



        Any supervised restrictions are not supported

        Ratings*, allowiCloud restrictions are not supported



        User enrollments are also supported on macOS Catalina



        User enrollment with managed Apple ID

        Managed APFS volume





        Certificate Transparency

        Applies to all Apple platforms



        Security enhancement

        Opt out sensitive certificates or domains






        Support token-based authentication



        Device Enrollment Settings



        Now always

        - Supervised

        - Mandatory



        Use configuration profile restriction





        Apple Remote Desktop



        Enable and disable via MDM

        Sets Remote Management to All Users



        Enables options:

        - Observe

        - Control

        - Show observe



        Manage SecureTokens



        - Allow mobile accounts to boot FileVault system

        MDM server manages bootstrap token

        Used to generate SecureToken when user signs in





        Privacy Policy



        Enable key loggers

        Enable screen recording

        Whitelist non-notarized internal apps






        Now requires user-approved MDM enrollment

        - Can't pass username/password auth to fdesetup

        - Changes may break scripts or MDM agents





        Activation Lock



        Clear Activation Lock via MDM

        Same endpoint and API as iOS

        Server APIs coming late

        Coming later this summer








        Non-UI profile installation

        Parental Controls Application Access

        User-channel-only enrollments





        Deprecated Unsupervised Restrictions



        For transition period

        - Remain in effect after upgrade

        - Not honored after backup and restore





        Unlock Token - iOS



        Available only in first successful token update after enrollment

        Remember it and don't count on getting one later.





        Single Sign-On



        Too many methods, too many places



        Why Single Sign On?



        Suite of apps and web sites

        Improved user experience

        No passwords

        Trust score data



        What is Single Sign On?



        iOS and macOS

        Native apps and Safari

        MDM managed

        UI can be native, web or silent



        Single Sign On is _not_ Sign In with Apple. Single Sign On is intended for use with corporate identity providers (Okta, Ping, Duo, Azure, etc.)



        Redirect Extensions



        Modern authentication

        OpenID Connect, OAuth



        What can the extensions do?



        Native screen for authentication

        Multifactor auth supported

        Secure Enclave (SEP) generated keys

        Trust score data

        Federated authentication




        Native App - Redirect



        Native Apps can send operations

        Better fit into the app flow

        Authentication library is not needed



        Native - Redirect Extension








        Credential Extensions



        Challenge/response authentication


        Custom challenges



        HTTP challenge from OS

        Hosts or host suffixes that apply to that extension

        Operations are supported



        Kerberos Extension



        Included with macOS Catalina and iOS 13

        Provides AD password management and local password sync

        Smart card and certificate-based authentication support



        Single Sign On Summary:



        Enables Single Sign On for apps and websites

        macOS and iOS

        Two types available

        Watch the Single Sign On video being released later.





        Associated Domains



        Can be managed via MDM

        Not just for Single Sign On



        Federated Authentication



        Supports Azure AD

        Managed Apple ID coming to ABM

        User Enrollment requires managed Apple ID



        Enrollment customization



        Provide custom web UI for enrollment



        Use for:



        - Authentication

        - Branding

        - Consent text

        - Privacy policy



        Content caching



        Configure for best effort vs. infrastructure

        Tell devices to prefer specific caching servers






        Import new keys and values from code

        Format matches developer documentation

        Highlight changes in OS releases



        Device Management Documentation



        Link: https://developer.apple.com/documentation/devicemanagement
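A small profile linter that applies the User Enrollment limits from the notes above (the unsupported Defaults and Logging payloads, the supervised-only and Ratings/iCloud restrictions that are not honoured, and the 6-digit non-simple passcode rule) to a configuration profile before it is pushed to a BYOD device. This is an added example, not code from the post or from Apple: the reverse-DNS payload-type strings, the Managed Open In and supervised-only key names, and the sample profile are my assumptions for illustration rather than anything the notes state.

```python
"""Lint a configuration profile against the User Enrollment limits in the notes.

Added example; not Apple's tooling and not part of the original post.
"""
import plistlib

# Payload types the notes say User Enrollment does not honour.  The identifiers
# are assumptions (the notes only say "Defaults and Logging payloads").
UNSUPPORTED_PAYLOAD_TYPES = {
    "com.apple.ManagedClient.preferences",  # "Defaults" (custom settings) payload
    "com.apple.system.logging",             # "Logging" payload
}

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Restriction keys the notes list as supported under User Enrollment
# ("Managed Open In", allowLockScreen, forceEncryptedBackup).  The two Open In
# key names are assumptions.
SUPPORTED_RESTRICTIONS = {
    "allowOpenFromManagedToUnmanaged",
    "allowOpenFromUnmanagedToManaged",
    "allowLockScreen",
    "forceEncryptedBackup",
}

# A sample of supervised-only restriction keys; the notes say supervised
# restrictions are not honoured under User Enrollment.  Names are assumptions.
SUPERVISED_ONLY = {
    "allowAppRemoval",
    "allowEraseContentAndSettings",
    "forceAutomaticDateAndTime",
    "allowUIConfigurationProfileInstallation",
}


def _payload_issues(payload):
    """Return findings for one payload dictionary inside PayloadContent."""
    ptype = payload.get("PayloadType", "")
    ident = payload.get("PayloadIdentifier", "<no identifier>")
    issues = []
    if ptype in UNSUPPORTED_PAYLOAD_TYPES:
        issues.append(f"{ident}: payload type {ptype} is not supported under User Enrollment")
    elif ptype == RESTRICTIONS_TYPE:
        for key in sorted(payload):
            if key.startswith("Payload") or key in SUPPORTED_RESTRICTIONS:
                continue  # profile metadata, or a restriction the notes list as supported
            if key in SUPERVISED_ONLY:
                issues.append(f"{ident}: {key} is a supervised restriction; ignored under User Enrollment")
            elif key.startswith("rating") or key.startswith("allowCloud"):
                issues.append(f"{ident}: {key} (Ratings/iCloud restriction) is not supported under User Enrollment")
    elif ptype == PASSCODE_TYPE:
        if payload.get("minLength", 0) < 6:
            issues.append(f"{ident}: minLength is below the 6-digit minimum for User Enrollment")
        if payload.get("allowSimple", True):
            issues.append(f"{ident}: allowSimple must be false (non-simple passcode required)")
    return issues


def lint_profile(plist_bytes):
    """Parse a top-level profile plist and return a list of human-readable findings."""
    profile = plistlib.loads(plist_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        findings.extend(_payload_issues(payload))
    return findings


def _profile(payloads):
    """Build a constructed top-level profile around the given payloads."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.byod.profile",  # constructed sample value
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    })


# Constructed sample: a profile written for a supervised fleet, reused for BYOD.
SAMPLE_PROFILE = _profile([
    {"PayloadType": RESTRICTIONS_TYPE, "PayloadIdentifier": "example.restrictions",
     "PayloadUUID": "00000000-0000-0000-0000-000000000002", "PayloadVersion": 1,
     "allowLockScreen": True, "forceEncryptedBackup": True,
     "allowAppRemoval": False, "allowCloudBackup": False, "ratingMovies": 300},
    {"PayloadType": PASSCODE_TYPE, "PayloadIdentifier": "example.passcode",
     "PayloadUUID": "00000000-0000-0000-0000-000000000003", "PayloadVersion": 1,
     "minLength": 4, "allowSimple": True},
    {"PayloadType": "com.apple.system.logging", "PayloadIdentifier": "example.logging",
     "PayloadUUID": "00000000-0000-0000-0000-000000000004", "PayloadVersion": 1},
])

# Constructed sample: the same intent trimmed to what User Enrollment honours.
CLEAN_PROFILE = _profile([
    {"PayloadType": RESTRICTIONS_TYPE, "PayloadIdentifier": "example.restrictions",
     "PayloadUUID": "00000000-0000-0000-0000-000000000002", "PayloadVersion": 1,
     "allowLockScreen": True, "forceEncryptedBackup": True},
    {"PayloadType": PASSCODE_TYPE, "PayloadIdentifier": "example.passcode",
     "PayloadUUID": "00000000-0000-0000-0000-000000000003", "PayloadVersion": 1,
     "minLength": 6, "allowSimple": False},
])

if __name__ == "__main__":
    for line in lint_profile(SAMPLE_PROFILE):
        print(line)
```

Run the linter over each profile in the MDM server's export before assigning it to a User Enrollment group; the supervised-only and iCloud key lists are deliberately short samples and should be extended from the current restriction documentation rather than treated as complete.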