Over the last few years, I’ve followed WWDC from afar, watching the video replays days after and relying on the crowdsourced community knowledge. This year was completely different, as I was able to be in the mix! Hat tip to Apple on a thoughtfully planned and well-executed virtual event. Yet, amid all the humor about memojis, the “crack marketing team,” and more, Apple gave us a HUGE number of new features for the enterprise. Here are the ones that should garner careful consideration as you plan for macOS 11 (Big Sur) and iOS 14 within your organizations.
macOS Steals the Show
Where to begin? Apple Silicon? iOS Apps on macOS? I think it’s safe to say that macOS gained a considerable feature set that has been missing for a long time. As you digest all the videos and marketing over the next few weeks, here’s where I think you’ll need to spend some time:
Start Beta Testing Now – Don’t Wait for General Availability!
Introduced in macOS High Sierra, the ignore parameter for the software update command was a popular option that administrators leveraged to prevent user notifications about minor and major upgrades until adequately tested. In later builds of macOS Catalina, Apple eliminated the ignore command-line parameter in the software update command, which had allowed you to ignore updates selectively and indefinitely. Starting with macOS Catalina 10.15.4, admins get a 90-day (or less) deferral window for major OS upgrades provided by the enforcedSoftwareUpdateDelay key. Admins should take this opportunity to build testing processes and rationalize application libraries to allow for a going-forward upgrade strategy that permits testing/fixing during the beta testing and up to 90-day general availability window. Don’t forget, Apple also introduced a new key to force delayed app software updates.
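An added example, not from Apple or VMware: it builds a Restrictions payload carrying enforcedSoftwareUpdateDelay and audits a profile for settings that leave updates undeferred or out of the 90-day range. The organization identifier and display name are constructed; forceDelayedSoftwareUpdates and forceDelayedAppSoftwareUpdates are Restrictions payload keys that this post does not name.

```python
import plistlib
import uuid

RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload type
MAX_DELAY_DAYS = 90  # upper bound of the deferral window


def build_deferral_profile(delay_days, defer_apps=False, org_id="com.example.mdm"):
    """Return .mobileconfig bytes that defer OS (and optionally app) updates."""
    if not 1 <= delay_days <= MAX_DELAY_DAYS:
        raise ValueError(f"delay must be 1..{MAX_DELAY_DAYS} days, got {delay_days}")
    restrictions = {
        "PayloadType": RESTRICTIONS,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.deferral.restrictions",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "forceDelayedSoftwareUpdates": True,  # switches OS update deferral on
        "enforcedSoftwareUpdateDelay": delay_days,  # key named in the article
    }
    if defer_apps:
        restrictions["forceDelayedAppSoftwareUpdates"] = True  # app update deferral
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.deferral",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Software update deferral (constructed example)",
        "PayloadContent": [restrictions],
    })


def audit_deferral(profile_bytes):
    """List problems with the deferral settings of a profile; empty means OK."""
    payloads = [p for p in plistlib.loads(profile_bytes).get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS]
    if not payloads:
        return ["no Restrictions payload: updates are not deferred"]
    findings = []
    for p in payloads:
        delay = p.get("enforcedSoftwareUpdateDelay")
        if p.get("forceDelayedSoftwareUpdates") is not True:
            findings.append("forceDelayedSoftwareUpdates is not true: OS updates are not deferred")
        if delay is not None and not 1 <= delay <= MAX_DELAY_DAYS:
            findings.append(f"enforcedSoftwareUpdateDelay={delay} outside 1..{MAX_DELAY_DAYS}")
    return findings


if __name__ == "__main__":
    print(audit_deferral(build_deferral_profile(90, defer_apps=True)))  # constructed input
```

Running the audit over exported profiles before the beta cycle starts shows which device groups would see a major upgrade on release day.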
As warned during the Catalina release, avoid using Kernel Extensions going forward. With macOS Big Sur, Kernel Extensions will run, but only after rebooting the device and enabling a “less secure” mode. Admins should avoid Kernel Extensions and the less-than-ideal user experience generated by their usage. Instead, opt for software that uses System Extensions and use the (up-to) 90-day windows to test apps using System Extensions to ensure continued compatibility and great user experiences.
Consider Supervision for User-Approved MDM
One pleasantly surprising announcement came in the form of Supervision for macOS. Although Supervision has already existed for macOS, it was previously limited to devices enrolled via Apple Business Manager. Apple is changing this to now grant supervision status to devices enrolled via User-Approved MDM (UAMDM). Supervision brings a wealth of new capabilities to UAMDM devices, including activation lock bypass, enhanced user management, use of supervised restrictions, and managed software updates! Spend some time looking at existing Automated Enrollment management processes to see where you can start including UAMDM devices in your fleet.
Rationalize App Libraries
With the ability to run iOS and iPad apps on macOS, there may now be opportunities to switch out non-Store macOS apps for their iPad equivalents in macOS Big Sur. macOS gains true app management capabilities, allowing admins to manage iPad-native apps (and some mac-native enterprise apps meeting specific requirements) similarly. Admins should be looking at the best way to build the app libraries for their users:
- Deploying Mac App Store and iPadOS App Store apps (including Custom Apps) to macOS uses the App Store global CDN and macOS Caching Services to deliver the app where users are located (remote or in-office).
- Opting to deliver a volume-purchased store-based iPadOS app versus a non-store macOS app may eliminate the need for repackaging and allow apps to update from the App Store automatically.
- As an organization deploys devices with Apple Silicon, iPad apps may allow the consumption of the new Neural Engine and Machine Learning capabilities in the hardware before their mac-native app counterparts.
As a reminder, if you’re deploying enterprise iOS/iPadOS apps to macOS, you won’t be able to leverage TestFlight (see “iPad and iPhone apps on Apple Silicon Macs”) for internal testing. Test pre-release distributions via ad hoc or development distribution.
Explore Auto-Advance for Automated Device Enrollment
Auto-advance has been a feature of tvOS for some time now. It’s incredible to simply give a device power and ethernet connectivity and walk away knowing the device will enroll itself. However, the capability arriving in macOS has some potentially compelling use cases. Auto-advance seems especially suited for dedicated single-purpose hardware.
Some examples include:
- Devices running as caching servers
- Devices driving Zoom Rooms or similar conferencing equipment
- Devices running software for GroundControl or Apple Provisioning Utility
- New capacity for app build farms (in which case, don’t forget to set up the new Lights Out Management feature)
Note the Updates Specific to Per-App Tunneling
First, I noted Apple mentioned improvements to the built-in Kerberos SSO extension specific to per-app tunneling. I spent a great deal of time testing the SSO extension in macOS Catalina with our Per-App Tunnel provided by Unified Access Gateway and VMware Tunnel. With macOS Big Sur, we can now enable the Kerberos SSO extension while users are off-network using per-app tunneling. Per-app tunneling for the SSO extension means that users can be outside the enterprise network and get Kerberos tickets for SSO and manage their Active Directory password.
I also noticed that admins could associate several account-based profile payloads to a VPN connection. As such, the following profiles can now allow managed accounts within the app to be per-app tunnel associated while personal accounts (or unmanaged accounts) will not leverage the per-app tunnel. These profiles include the following:
- Exchange ActiveSync
- Google Account
- Subscribed Calendar
Beware Deprecated Removable Media Management Controls
With macOS Big Sur, Apple marked the removable media management controls (such as Eject, Mount, and Unmount) as deprecated. You can expect these controls to stop functioning in macOS releases later than macOS 11. If you’re currently using the Media settings in the restrictions profile payload, it’s time to find an alternate option.
Great New Features for iOS and iPadOS
iOS and iPadOS also got some tremendous enterprise-focused updates. Some of my favorites included the following:
- Non-removable Managed Apps: Give the user some control back while making sure they don’t remove critical enterprise apps. Non-removable apps should reduce the need to manage home screen layout profiles.
- Calling App Information for SSO: This should help increase SSO security in iOS/iPadOS, as we can now ensure that an app is managed before it consumes SSO credentials.
macOS Content Caching Gets an Upgrade
If you manage large groups of Apple devices in one or more physical buildings but haven’t deployed macOS content caching, NOW is the time to reconsider that approach! Content caching is confirmed to support the full six-gigabyte recovery image for Internet Recovery. Admins can now wipe and restore macOS locally using Internet Recovery and no longer need to maintain bootable USB devices (or wait for long downloads over slow Internet links). Don’t forget that caching services also help with OS updates for tvOS, iOS, iPadOS, and macOS. For the full list, see “Content Types supported by content caching in macOS.”
Additionally, MDM gains the ability to collect cache statistics. These statistics can be useful in helping you understand if the cache is helping or may need a configuration change (such as adding additional caches or creating a cache hierarchy). If you’re not leveraging caching services in your environment, you’re missing out on an incredible (bandwidth-saving) feature of macOS.
Where to Get More Information
I hope you had a great experience with this year’s WWDC format. No doubt, there is a lot to digest, and unpacking all the updates from Apple is always a team effort. As you embark on your journey, be on the lookout for additional blogs from our Product Marketing group and a Knowledge Base article on preparing for the Apple Fall 2020 release at my.vmware.com.
This year we’re also launching a new sub-space within VMware Communities for Apple-related discussions:
Looking forward to community interaction over the next few weeks!