Employee Experience VMware Workspace ONE

Big Sur, the Apple M1 Chip, and How VMware Makes it All Work for the Enterprise

By Paul Mounkes and Robert Terakedis

One of the biggest announcements back at Apple’s 2020 Worldwide Developer Conference  was Apple Silicon. Apple said that they were beginning to make their own processors for Macs, and that they would gradually transition off of Intel processors. Fast forward a few months, and Apple is now shipping MacBook Air machines with the new M1 chip – the first in what will surely be a long line of Apple processors for Mac devices. 

Apple describes the M1 chip as “An entire system. On a single chip.” And it certainly sounds like a winning workhorse. Utilizing 5-nanometer technology to pack in 16 billion transistors, Apple has created an 8-core architecture with unified memory that allows the onboard DRAM to be “shared across the entire system.” Apple claims that the M1-based MacBook Air is up to 3.5 times faster than the i7 version, and all sorts of publications agree that these new Apple device are living up to the hype.  

These improvements certainly sound impressive, but enterprise customers might be wondering what this means for Mac management and application compatibility. Many organizations just rolled out Mac-as-choice programs in the last few years or were looking at doing it soon. Will the new architecture mean that enterprises have to update their Mac strategy? 

(For today, we do want to make sure that our customers are aware that we have found one issue related to M1 Macs, which we’ll be fixing with Workspace ONE Intelligent Hub 20.11.1.)  

At the same time that these new M1-based Macs are rolling out, Apple and enterprise customers are also going through the annual macOS update cycle. Every version of macOS has included changes to the management process, as macOS gradually transition from traditional management and imaging to a more MDM-centric approach. 

So, with both M1 Macs and the annual macOS update, this is an especially big year, and there’s a lot to unpack. Time to dig in! 

The possibilities from Apple Silicon M1 Macs 

M1-based Macs will be more potent than their predecessors, due in part to those eight cores we mentioned above. Four of the eight cores are “efficiency cores” that handle light chores, and the other four are “high-performance cores” that deal with heavier workloads. This mix of core types translates into a higher-performance chip than its competitors, that also consumes less power. So overall, the M1 architecture is primed to improve productivity judging by the benchmarks and the near-instant wake from sleep. On top of that, the reduced power consumption delivers benefits like longer battery lifecooler operating temperatures, reduced impact on the power grid and negligible ambient noise generated by the device’s fans. 

With the M1 chip driving improvements in Big Sur, developers can now create “Universal Apps,” or apps that run on all of Apple’s platforms, including iOS, iPadOS and macOS. This dual capability could help streamline enterprise app development, allowing code once and deploy anywhere. Users gain access to the apps they need, regardless of the platform at their fingertips. 

Additionally, M1’s neural engine brings machine learning and AI capabilities to macOS native apps (as well as iOS apps running on macOS). We expect this will allow huge improvements to enterprise apps running on macOS, and for our part, we’re also looking at ways to leverage these new device-side capabilities for Workspace ONE.  

M1 Macs and Enterprise Management 

Does the M1 Chip affect device management? Aside from the new MacBook Air, versions of the MacBook Pro 13-inch and the Mac Mini are also available with the M1, but today customers still have options with Intel chips as well. At WWDC, Apple stated they still had Intel-based Macs in development, so we don’t expect the Apple/Intel relationship to end in the near term. However, since the entry level model MacBook Air is a popular choice in many organizations, the fact that Apple is no longer selling the Intel-based version means that customers could be dealing with this fairly soon. 

As mentioned, we did see one issue with Intelligent Hub on M1 Macs, Rosetta 2 may not be installed by default, so we’re updating Intelligent Hub to perform a check during pre-installation. Over time we will be converting our macOS Workspace ONE apps to Universal apps to offer native support for Apple silicon. 

As for the rest of our management stack, we expect current functionality in Workspace ONE to continue working as expected for Big Sur and M1 devices.   

M1 Macs and Horizon 

For VMware Horizon customers, the product management team has tested the Horizon Client on M1 devicesand has verified that it works very well, thanks to Rosetta 2. So, if you have any early adopters in your BYOD fleet and you’re expected to support anything that walks in the door, you should be okay. 

How do macOS Big Sur and Apple Silicon affect VMware Fusion? 

As announced in August 2020, VMware released an update to Fusion that includes support for Big Sur and several other upgrades. Fusion 12 uses kernel extensions on macOS Catalina but supports ‌macOS Big Sur‌ using Apple’s hypervisor and APIs to run its virtual machines and containers. Fusion 12 includes other upgrades like eGPU compatibility, support for running and building container-based apps, Kubernetes clusters and more. Check out our blog post titled “Ready for Testing: Updated Tech Preview with Big Sur Support” for more information. 

The other big question is how M1 chips in host devices will affect guest VMs on Fusion running Windows and any other x86 operating system. Our colleagues over on the Fusion team have said “While we’re not quite ready to announce our timeline, we’re happy to say that we are committed to delivering VMware virtual machines on Apple Silicon! So, stay tuned to the VMware Fusion Blog and Twitter account for the latest. 

And of course, we would be remiss if we didn’t mention that many enterprises already turn to VDI via VMware Horizon to deliver Windows apps to their macOS devices. 

macOS Big Sur management updates 

We ran down the Mac management updates after WWDC this summer (see here and here), but here’s a quick overview of the changes that customers will see as they update their Mac fleets to Big Sur.  

App lifecycle management

Apple announced at WWDC that macOS is gaining proper app lifecycle management. These capabilities allow admins to manage the app removal in addition to the app install. While there are specific requirements to manage macOS apps, it still brings better control to macOS for Mac Administrators (a long-requested feature). From a Workspace ONE perspective, we’re excited to bring features for store-based app lifecycle management and the ability to expand the volume of apps available to help end users be productive anywhere. 

Supervision for User-Approved MDM

Big Sur brings a change for devices enrolled via User-Approved MDM (UAMDM) by classifying them as supervised. We’re excited because supervision provides the underlying permissions for Workspace ONE administrators to manage software updates via MDM. It also enables activation lock bypass, enhanced Mac user management and, of course, the use of supervised restrictions.  

Kernel Extensions Impacted

Kernel Extensions will run with Big Sur, but only after rebooting the device with a select command to rebuild the Kernel Cache. Admins should avoid Kernel Extensions and the less-than-ideal user experience resulting from their usage. Instead, opt for software that uses System Extensions and use the (up-to) 90-day window to test apps using System Extensions to ensure continued compatibility and great user experiences. 

Kerberos SSO Extension

We can now enable the Kerberos SSO extension while users are off-network using per-app tunneling. Per-app tunneling for the SSO extension means that users can be outside the enterprise network, get Kerberos tickets for SSO and manage their Active Directory password. 

How to Test Workspace ONE Features for macOS Big Sur 

As we release feature support for macOS Big Sur, you’ll find them first in our User Acceptance Testing environments, such as CN135, CN137 and CN138. We encourage all of our customers to work with their sales or support account teams to ensure they have access to their UAT environment. We continue to update our “Getting Ready” KB article for more details on supported features. 

To reiterate, there’s one issue we’re working on for M1 Macs, which will be fixed in Workspace ONE Intelligent Hub 20.11.1. Again, over time we will be converting our macOS Workspace ONE apps to Universal apps to offer native support for Apple silicon. 

As we announced at VMworld, we’ve been rolling out a bunch of training and community resources for Mac admins. Just this week, we rolled our new macOS management training course. 

Horizon Client and macOS Big Sur 

The Horizon Client for Mac versions 2006 and 5.5 have been tested with Big Sur, and the product management team has confirmed compatibility here, as well. 

VMware Carbon Black and macOS Big Sur

IT Security Professionals who leverage Carbon Black Cloud for macOS will begin seeing a phased rollout of the Carbon Black 3.5.1 sensor the week of December 14th. The 3.5.1 sensor will support macOS 11 Big Sur on both Intel and M1 Apple devices and will offer support for both KEXT and System Extensions. For M1 devices, the release will use Rosetta 2 as VMware continues to work on building native cross compilation support into a future release. Support for delivering KEXT and System Extensions is already included in Workspace ONE UEM making it the ideal delivery method for Carbon Black.

For more information, refer to the Carbon Black Cloud macOS Big Sur Documentation List.

Final Thoughts 

For another treat, you can listen to VMware’s Naveen Pitchandi and John Richards talking about all of our macOS updates on recent episode of the popular Mac Admins Podcast. 

As you can see, it’s an exciting time for MacBooks in the enterprise, and we can’t wait to help more customers roll out Macs managed with VMware Workspace ONE Unified Endpoint Management.