Todd Fernandez - Senior Manager, Device Management and Server
macOS Sierra release timeframe: September 2016 (based on September 2016 being shown in the video when release dates were discussed).
Reviewing features released in iOS 9.3
Apple School Manager (watch video)
Shared iPad (watch video)
Classroom (watch video)
Education:
Apple deployment programs
Apple School Manager
Apple ID
Enterprise:
Apple deployment programs
DEP (Device Enrollment Program)
VPP
New settings and commands
Apple School Manager
Manages people, devices and content
People
- Student information system integration
- CSV import
Creates managed Apple IDs for each student and teacher.
Admin accounts
- Tiered administration
- Roles and privileges
Student accounts
Required for Shared iPad, can also be used for 1 to 1.
Passcode options
Disabled options
- Commerce, FaceTime, iMessage, iCloud Mail...
Roster Service API
Users:
Students' Apple IDs
Teachers' Apple IDs
Customers will not need to download new tokens for new API.
Handles duplicate records from multiple sources (LDAP + API)
Allow admin to configure automatic policy matching criteria
Allow admin to manually merge records
source_system_identifier corresponds to the CSV import's "PersonNumber". It may not be unique, so be able to handle non-unique import collisions.
There is no delta API, only full enumeration.
- Consider throttling admin-initiated syncs.
DEP:
Find purchases
Configure MDM servers
Set up devices with MDM
Content:
VPP (Volume Purchase Program)
iTunes U
Enrollment optimization: Shared iPad (watch video)
iOS 9.3.2 no longer supports MD5
- DES deprecated
- AES support added
New in macOS Sierra:
DEP allows the skipping of the following in the Setup Assistant:
- Siri
- iCloud preferences
Shared iPad
Multiple users
Requires managed Apple ID to sign in
Sign into iCloud and iTunes
Device-assignment of apps via VPP
MDM vendors use PurchaseMethod1
All app types supported
- App Store developers must allow device assignment
Student data truth is stored in the cloud
- Data is cached locally, but purged as needed
- User data is separated
- Data will continue to upload to the cloud after sign-out, if needed.
If one student signs out with data still waiting to upload and another student signs in:
- Previous student's data continues to upload to the cloud until transfer is completed.
- New student's data downloads and the new student is able to start working right away.
Lock screen grace period:
Time after screen locks that device can be re-opened without re-entering the passcode.
Once that time period expires, passcode will need to be entered.
User channel:
Allow MDM server to configure per-user settings for iOS - Similar to how macOS has always worked.
No user authentication on iOS (watch video, didn't get all details.)
Restrictions payload:
Most restrictive payload wins
Combined to compute effective restrictions
Acts just like using multiple profiles for managing restrictions
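Added example (not from the session or from Apple): a sketch of the merge described above, useful for auditing what a device ends up with when several profiles carry Restrictions payloads. It assumes the rule applies per key, that "allow*" keys are most restrictive when false and "force*" keys when true; the key names are Restrictions payload keys, while the profile names and values are constructed.

```python
# Added example: compute effective restrictions from several Restrictions
# payloads, per key, with the most restrictive value winning.
# Assumption: "allow*" keys are most restrictive when False, "force*" keys
# when True; a key that no payload sets is left out (OS default applies).

def effective_restrictions(payloads):
    """Merge a list of restriction dicts; return (effective, conflicts)."""
    effective = {}
    seen_values = {}  # key -> set of distinct values seen across payloads
    for payload in payloads:
        for key, value in payload.items():
            if not isinstance(value, bool):
                raise TypeError(f"{key}: only boolean restrictions are handled")
            if key.startswith("allow"):
                restrictive = False
            elif key.startswith("force"):
                restrictive = True
            else:
                raise ValueError(f"{key}: unknown restriction prefix")
            seen_values.setdefault(key, set()).add(value)
            # Once any payload supplies the restrictive value, it sticks.
            if effective.get(key, not restrictive) != restrictive:
                effective[key] = value
    # Keys on which payloads disagreed are worth flagging to the admin.
    conflicts = {k: sorted(v) for k, v in seen_values.items() if len(v) > 1}
    return effective, conflicts

# Constructed sample payloads (not from the session).
SCHOOL_BASELINE = {"allowMusicService": False, "allowRadioService": False,
                   "allowCloudPhotoLibrary": True, "forceEncryptedBackup": False}
EXAM_PROFILE = {"allowCloudPhotoLibrary": False, "forceEncryptedBackup": True,
                "allowNotificationsModification": False,
                "allowMusicService": True}

if __name__ == "__main__":
    eff, conf = effective_restrictions([SCHOOL_BASELINE, EXAM_PROFILE])
    for key in sorted(eff):
        note = "  (payloads disagreed)" if key in conf else ""
        print(f"{key} = {eff[key]}{note}")
```

The result does not depend on the order in which the payloads are listed, which matches the notes' point that it behaves like multiple restriction profiles installed side by side.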
Managed Apple ID association
Programmatically associate Managed Apple IDs for VPP
- No need to invite the Managed Apple ID in order to send the app via VPP
iBooks Store VPP books
- Assigned to users
- Cannot be distributed to devices
Shared iPad must "download" in iBooks
Downloaded only once per device
Enterprise Apps
Universal Provisioning Profile - Allows non-App Store apps to be installed
- Apps installed via MDM are explicitly trusted.
- Otherwise, user must explicitly trust apps from that UPP signer to run on this device.
Management:
In iOS 9.3:
The Settings command was updated to support setting max users and diagnostic submission.
New commands for iPads:
User list
Logout User
Delete User
Other new commands (apply to all iOS devices):
MDM Lost Mode (including device location)
MDM Activation Lock
Configuration profile payloads:
Exchange, Mail: Allow Mail Drop
Managed Domains: Safari autofill passwords
VPN: Many new IKEv2 settings
Restrictions: Many new settings
Restrictions:
Apple Music
Classroom Screen View
iCloud Photo Library
iTunes Radio
Modify Notifications
Show/Hide Apps
Configuration profile payloads: Education (watch video)
Configuration profile payloads: Per-user on Shared iPad (watch video)
iOS 9.3.2
MDM commands and queries
Enable / Disable app analytics
Set lock screen grace period
DeviceInformation returns analytics settings
Watch video for info on key for setting lock screen grace period.
What's new in iOS 10:
Contacts, Exchange, Google, LDAP: Communication service rules for audio
Lock Screen Message: Updated key names
VPN: IKEv2 EAP only authentication method
PPTP VPN has been removed from iOS 10 / macOS Sierra
- PPTP payloads will not work
Wi-Fi: Captive Bypass
See video for more details
What's new in OS X 10.11.4:
Install major update (DEP Macs) - can force macOS Sierra upgrades on DEP-enabled Macs.
Configure IP firewall
Restrictions:
Apple Music
iCloud Photo Library
iTunes Radio
Back to My Mac
Find My Mac
Some additional restrictions listed, see video.