Apple has made some significant changes in macOS Catalina and introduced a couple of new concepts that are sure to become more important in future releases. This blog walks you through macOS 10.15 Catalina – what it means to your business and how Workspace ONE, which is recognized as an industry-leading UEM platform by analysts, helps you make the most of it.
Custom Automated Enrollment
Primary User Account Customization in Setup Assistant
In Workspace ONE UEM, admins can now customize the Primary User Account created in Setup Assistant following enrollment through Apple Business Manager (ABM). Admins can specify the user’s full name and their organization username, with support for dynamic lookup values, so that the fields are pre-populated correctly. To further streamline the process, the admin can even disable the user’s ability to edit those fields so they can’t break their own access to domain integration services like password syncing, printing, file shares, etc.
System Extensions Profile Settings
macOS Catalina introduces System Extensions and DriverKit to help developers maintain extensions inside their app rather than requiring Kernel Extensions (“kexts”). This makes for easier installation and increases the stability and security of macOS. It’s unlikely that apps using System Extensions will be available from day one of the Catalina release, but once app developers start adopting them, users will be prompted to allow these new extensions to run. Using the System Extensions profile, admins can create a whitelist of specific accepted system extensions in Workspace ONE UEM, which eliminates these prompts. For greater security, admins can also disable the user’s ability to approve additional system extensions.
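The settings described above map onto Apple's `com.apple.system-extension-policy` configuration profile payload. The following is an added example, not Workspace ONE's or Apple's own code: it builds such a profile with an explicit allowlist and user approval disabled, then audits a profile for looser settings. The Team ID, bundle ID and `com.example` identifiers are constructed placeholders.

```python
import plistlib
import uuid

POLICY_TYPE = "com.apple.system-extension-policy"

def _uuid(identifier):
    # Deterministic UUID so the same identifier always yields the same profile.
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)).upper()

def build_profile(allowed, allow_user_overrides=False, org="com.example"):
    """allowed maps a Team ID to the system extension bundle IDs to approve."""
    payload = {
        "PayloadType": POLICY_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.sysext-policy",
        "PayloadUUID": _uuid(f"{org}.sysext-policy"),
        "AllowedSystemExtensions": {t: sorted(b) for t, b in allowed.items()},
        "AllowUserOverrides": allow_user_overrides,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.profile",
        "PayloadUUID": _uuid(f"{org}.profile"),
        "PayloadDisplayName": "System Extensions allowlist",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def audit_profile(data):
    """Return findings for policies looser than an explicit allowlist."""
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") != POLICY_TYPE:
            continue
        # Assumption: a missing AllowUserOverrides key is treated as permissive.
        if p.get("AllowUserOverrides", True):
            findings.append("users can approve additional system extensions")
        if p.get("AllowedTeamIdentifiers"):
            findings.append("whole Team IDs allowed, not specific extensions")
        if not any(p.get("AllowedSystemExtensions", {}).values()):
            findings.append("no specific system extensions listed")
    return findings

# Constructed sample values: placeholder Team ID and bundle ID.
SAMPLE = {"ABCDE12345": ["com.example.endpoint.sysext"]}

if __name__ == "__main__":
    print(build_profile(SAMPLE).decode())
    print(audit_profile(build_profile(SAMPLE, allow_user_overrides=True)))
```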
New macOS Supervision Status
Supervision, first introduced with iOS 5, comes to the Mac with Catalina. This is a new status in macOS Catalina when using ABM or Apple School Manager to enroll into Workspace ONE UEM. All devices enrolled through ABM will now be supervised, and all devices previously enrolled through ABM will be converted to supervision. Devices that were not originally enrolled through ABM will need to be re-enrolled to become supervised.
A supervised device provides organizations with additional control over its configuration and restrictions. At this time, there are not yet any available macOS commands requiring supervision, but we will keep you informed as this new status matures over time. In the meantime, admins have a window to make the transition with their managed devices in Workspace ONE.
Single Sign-On (SSO) Extension
This new functionality allows admins to target specific applications from Identity Providers (IDP) to perform SSO functionality. This requires an IDP to create an MDM configurator app that directs them to specified domains for redirect or credential SSO. Understanding that this is a new functionality that requires adoption by the IDP community, Apple has pre-built functionality for the Kerberos extension into macOS 10.15 for those who use Active Directory. Admins can also create generic extensions that are targeted to third-party IDPs.
Associated domains are used by developers to establish a connection between a domain and an app in order to share credentials, to enable features in the app that are dependent on the website (universal links), or for SSO Extension. In Workspace ONE, admins can now associate multiple domains with an app in addition to those that have been defined in the app itself so it’s not necessary to make adjustments to code when new domains are introduced.
Privacy Preferences Profile Control
Catalina has new protected areas within the OS, access to which would typically require a user to accept a system prompt. Workspace ONE UEM gives admins the ability to enable app access to these areas without prompting users. Many users are conditioned to reflexively deny access when prompted, which could effectively shut down apps that may be critical to employee productivity. By expanding admin control over this process, Workspace ONE can help avoid or eliminate those scenarios.
Apple’s Handoff capability allows a user to pass off functionality from one type of Apple device to another, for instance copying text on an iPhone and pasting it into a document on a Mac. With macOS Catalina, admins can now disable this function to prevent potential data loss.
What Should You Do Next?
All of the functionality described in this blog can be tested today in our UATs. The Workspace ONE UEM 1909 release will have these features available for production usage on macOS 10.15 Catalina.
Take Advantage of Our Resources
• Read our blog titled “WWDC 2019: A Home Run for the Enterprise” to catch up on the changes you’ll see in all of Apple’s Fall 2019 releases.
• Subscribe to the “Getting Ready for Apple Fall Updates 2019” knowledge base article to stay up to date on everything going on with Apple this Fall.
• To learn more about the features you read about here as well as others, view our recorded webinar Getting Ready for Apple Fall 2019 Releases with Workspace ONE. This presentation offers a much more in-depth look into how you can use Workspace ONE in conjunction with these releases to further improve the employee experience.
• For information on the changes Apple made for enterprise in iOS 13, read The Wait for iOS 13 is Over.
• For a deep dive into the User Enrollment functionality released in iOS 13.1, read Apple Pushes for Greater Privacy with User Enrollment.
• Go deeper into what we’re doing with Workspace ONE. Over the next couple of months, we’ll be releasing a series of video blogs that breaks down each major topic. Stay tuned for links as we start with the following:
i. User Enrollment and how it affects BYOD
ii. All about macOS Catalina
iii. DEP custom screens
iv. Deep dive on iOS 13