WWDC 2019: A Home Run for the Enterprise
This year at Apple’s Worldwide Developer Conference (WWDC) keynote, CEO Tim Cook presented numerous consumer updates for hardware and software in the Apple ecosystem. We saw Dark Mode come to iOS 13 and the newly announced iPadOS. macOS 10.15, aka Catalina, will bring us the end of iTunes in favor of a trio of Music, Podcasts, and TV apps in its place. It also brings a new Sidecar capability that allows a user’s iPad to be used as an extended or mirrored desktop, with Apple Pencil compatibility, for their macOS Catalina device. Lastly, some of the new Accessibility features for controlling an iPhone, iPad, or Mac with only voice are simply brilliant and could revolutionize how users interact and succeed on Apple’s platforms.
While the consumer features were thrilling and a huge hit with the WWDC audience, the most gripping announcements came for the enterprise, especially in the iOS 13 and macOS Catalina releases. Some of the capabilities presented are fundamental shifts in the management of Apple devices, while others have been feverishly desired since MDM’s initial release. This blog will be a guide to everything enterprise-related that Apple has announced and what to expect later this year when the updates are due to release.
In my opinion, the most surprising yet exciting news by a wide margin was the announcement of a new method for enrolling Apple devices called User Enrollment. In this new paradigm, admins provide resources to “users” rather than devices by specifying a Managed Apple ID for each user during the enrollment process (more on Managed Apple IDs below). Enrollment creates a separate managed identity on the device while still allowing the user to maintain a personal Apple ID simultaneously. Any resource provisioned to the Managed Apple ID can now be safely removed by IT admins. However, this type of enrollment does come with expected limitations that prevent admins from performing invasive actions such as device wipe, clearing the device passcode, or enforcing certain restrictions. This is a breath of fresh air for BYOD users and those who are wary of the totality of full device management, and it allows them to maintain easy access to their personal and work spaces simultaneously.
Managed Apple IDs
Managed Apple IDs are a method for organizations to create Apple IDs on behalf of their users and offer a managed identity on their devices. While Managed Apple IDs have existed in Apple School Manager as a method to provide App Store and iCloud access to students, it has been announced that they will now be making their way to the enterprise in Apple Business Manager. With this announcement come all the enhancements announced in the spring of 2019 for Managed Apple IDs in Apple School Manager. The most significant is the option to create and federate these Managed Apple IDs using a third-party identity provider such as Microsoft Azure Active Directory. This allows organizations to maintain their user accounts in a single source and lets users reuse the same account information across multiple locations that require authentication.
Apple Business Manager Custom Enrollment
New Platform: iPadOS
Until now, iPads and iPhones have run the same mobile operating system, iOS, and have been managed in a seemingly identical fashion with only minor details to differentiate them. Coming in the next cluster of updates, however, specific iPad models will upgrade to a new OS called iPadOS 13, while iPhones and iPods will remain on the expected iOS 13. From an enterprise perspective, it does not appear iPadOS will have much effect on the behavior or management capabilities of the platform. More to come in the future, perhaps.
Single Sign-On Extension
The Single Sign-On Extension profile allows admins to specify the apps and websites for which an identity provider delivers a seamless login experience. This comes in the form of a profile payload for all Apple platforms, in conjunction with work that needs to be done in the app. It will work with different authentication protocols such as OAuth, SAML, or Kerberos and with different authentication workflows, such as a redirect to retrieve a token or a credential challenge. For supported apps, users authenticate once and then gain access to subsequent native apps and websites automatically, while these apps can still leverage:
- iCloud Keychain
- Per-app VPN
- Multi-factor authentication
- User notifications
New Profiles & Commands
If all of this was not sufficient to earn the label “feature packed”, there is still a healthy portion of commands and profiles for all platforms. The following will cover the highlights of each platform; those interested in the full list are encouraged to review Apple’s WWDC announcements and documentation.
iOS 13 and iPadOS 13
The iOS platform saw improvements to several existing profiles and commands, providing precision controls for Exchange accounts, a reliable set of new restrictions, and an Over-the-Air (OTA) method for configuring an eSIM setting. Here is the detailed list:
- Exchange accounts configured by MDM can now specify which services to enable for the account including Mail, Contacts, Calendar, Notes, and Reminders.
- Certain existing restrictions are transitioning to supervised devices only. These include preventing iCloud backup, iTunes access, and usage of FaceTime.
- New restrictions prevent the usage of Find My Friends, Find My iPhone, the new QuickPath keyboard, and modification of whether Wi-Fi is on or off (not the network choice).
- WPA3 is now a selectable encryption type for Wi-Fi profiles
- Per-app VPN allows domains to be specified for use with Mail, Contacts, and Calendar
- eSIM plans can be refreshed on supported device models
- Queries for certificate, profile, and provisioning profile lists can now target only managed objects for each rather than a full list. This is another great step in user privacy.
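The WPA3 item above is easy to state but easy to miss in a fleet of existing profiles, where older Wi-Fi payloads may still carry WEP, WPA, or “Any”. The following script is an added example, not code from the original post or from Apple or VMware: it builds a small configuration profile in memory using Apple’s documented Wi-Fi payload keys (`com.apple.wifi.managed`, `SSID_STR`, `EncryptionType`), with one weak legacy payload beside a corrected WPA3 payload, then parses the resulting `.mobileconfig` plist and reports which payloads fall below WPA2. The SSIDs, payload identifiers, and the `com.example` namespace are constructed placeholders.

```python
"""Audit the Wi-Fi payloads in an Apple configuration profile for weak encryption.

Added example (not from the original post). Uses only the Python standard library
so it runs offline; the sample profile below is constructed for illustration.
"""
import plistlib
import uuid

# Values accepted by the Wi-Fi payload's EncryptionType key. WPA3 became
# selectable with iOS 13 / iPadOS 13 / macOS 10.15.
ACCEPTABLE_ENCRYPTION = {"WPA2", "WPA3"}
WEAK_ENCRYPTION = {"None", "WEP", "WPA", "Any"}


def wifi_payload(ssid, encryption_type, auto_join=True):
    """Build one com.apple.wifi.managed payload dictionary (constructed sample)."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        # com.example is a placeholder namespace, not a real organization's.
        "PayloadIdentifier": "com.example.wifi." + ssid.lower(),
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi (%s)" % ssid,
        "SSID_STR": ssid,
        "EncryptionType": encryption_type,
        "AutoJoin": auto_join,
    }


def build_profile(payloads):
    """Wrap payloads in a top-level profile and serialize it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi-profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Wi-Fi",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def audit_wifi_encryption(profile_bytes):
    """Return (ssid, encryption_type, verdict) for every Wi-Fi payload in the profile.

    verdict is "ok" for WPA2/WPA3, "weak" for None/WEP/WPA/Any or a missing key,
    and "unknown" for any value outside Apple's documented set.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue  # Not a Wi-Fi payload; other payload types are out of scope here.
        enc = payload.get("EncryptionType", "missing")
        if enc in ACCEPTABLE_ENCRYPTION:
            verdict = "ok"
        elif enc in WEAK_ENCRYPTION or enc == "missing":
            verdict = "weak"
        else:
            verdict = "unknown"
        findings.append((payload.get("SSID_STR", "<no SSID>"), enc, verdict))
    return findings


# Constructed sample: a legacy WEP payload beside its WPA3 replacement.
SAMPLE_PROFILE = build_profile([
    wifi_payload("Legacy-Guest", "WEP"),
    wifi_payload("Corp-Secure", "WPA3"),
])


def weak_ssids(profile_bytes):
    """Convenience wrapper returning only the SSIDs that need attention."""
    return [ssid for ssid, _, verdict in audit_wifi_encryption(profile_bytes) if verdict != "ok"]


if __name__ == "__main__":
    for ssid, enc, verdict in audit_wifi_encryption(SAMPLE_PROFILE):
        print("%-14s %-8s %s" % (ssid, enc, verdict))
```

Point the script at a real `.mobileconfig` by replacing `SAMPLE_PROFILE` with the file’s bytes; unsigned profiles are plain XML plists, so `plistlib.loads` handles them directly, while a CMS-signed profile must be unwrapped first (for example with `security cms -D` on macOS) before auditing.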
macOS Catalina 10.15
The desktop side of the Apple ecosystem saw an even larger expansion in the enterprise. Some updates were changes to system behavior, such as the system volume becoming read-only and supervision status coming to Macs. Below are the remaining highlights:
- Activation Lock support has been added similar to the implementation on iOS. Admins can allow, enable, and query/clear the bypass code.
- Web Content Filter support was also added to macOS. Like Activation Lock, it has been implemented similarly to its iOS equivalent.
- New privacy preferences for suppressing app prompts for access to the Downloads folder, media library, network volumes, input devices, and more.
- New options for Dock to set the window’s title bar double click settings.
- Additional options for content caching to prevent cache from being deleted or the service from going to sleep.
Lastly, we have the new tvOS 13, which, despite a phenomenal round of updates last year and this year in the consumer space, received only a single enterprise update: the option to prevent Apple TVs from going to sleep.
I truly believe these releases will positively impact MDM providers, businesses, and Apple device users in ways not seen in some time. Follow this blog and other updates from VMware to stay up to date on the latest news, findings, and Workspace ONE enhancements for the iOS 13, macOS Catalina, and tvOS 13 platforms expected to release later this year.