Apple launched macOS Monterey on Monday, October 25, and with it, they’ve delivered an array of new capabilities and changes, much like they did with iOS 15. As we work to support this new release, we want to make you aware of the capabilities and provide you with some tools you can use to take advantage of these advances in the near-term.
OS Management
Once a device has been updated to Monterey, admins can add the option to set the maximum number of user deferrals. This allows users to delay applying future OS upgrades until a convenient time. However, once a user exhausts the configured number of deferrals, the system forces the install and restarts the device.
Monterey also brings new features related to OS updates for devices running Apple Silicon. The most noticeable is support for use of the bootstrap token in MDM-initiated install-later update flows. This means admins can schedule an update for a later time when the device is not in use. This functionality will be most useful for admins managing large numbers of shared use or non-mobile devices, such as computer labs or editing workstations, where you’ll need to perform the update and restart during off-hours. End users will appreciate not having to perform the restart during their work hours.
Device Management
While Apple added the RestartDevice command pre-Monterey, they’ve added a new parameter to notify the user of the pending restart. Previously, the RestartDevice command immediately restarted macOS with no notification to the user. This behavior made an admin-initiated restart highly disruptive and unexpected to end users and was most problematic for organizations managing Kernel Extensions. With the new NotifyUser parameter, admins can notify the end user of a required restart and allow them to restart gracefully.
Additionally, macOS Monterey brings a new capability that comes with a corresponding restriction. Monterey is the first version of macOS supporting the “Erase All Content and Settings” feature (similar to behavior in iOS). This new option allows admins and end users to wipe user data from a Mac, essentially returning it to the first-boot experience. While previously you could wipe a Mac, the process rendered the device unbootable and required admins to re-install macOS. Instead, you now have the option to preserve the OS, which is the default behavior if you initiate a Device Wipe on Apple Silicon Macs or Macs with the T2 chip. Admins can also restrict users from wiping devices with this new restriction.
Security-related
MacOS Monterey builds on top of the features in Big Sur with a new feature called Removable System Extensions. This new feature allows apps to remove their own system extensions during uninstall without the need for an administrator password. This feature should make maintenance and updates for software with system extensions much easier. Also, Monterey deactivates system extensions when the payload that allows the extension is removed from the device.
Also new with Monterey is iCloud Private Relay. This feature hides your DNS queries and IP address from servers and websites that attempt to track you. While this feature helps protect a user’s privacy, it may not be desirable in an enterprise setting. If this is the case with your organization, Monterey supports a new restriction allowing you to disable iCloud Private Relay on supervised devices.
Tools
The following XML snippets for items related to the fall releases of Big Sur and Monterey were originally provided in our KB article on VMware Docs. We are reprinting them here for your convenience and the corresponding XML can be found on our EUC-Samples GitHub repository.
Profiles
| Payload | Key | Description |
| Restriction | Enforce a major macOS software update delay | Defer major macOS updates, such as macOS 12 for a period of time. |
| Restriction | Enforce a minor macOS software update delay | Defer minor macOS updates, such as macOS 11.5 for a period of time. |
| Restriction | Enforce a non-macOS software update delay | Defer a non-macOS software update delay, such as a supplemental update to be installed. |
| Restriction | Allow erase all content and settings | Prevent users from using Erase All Content and Settings on their Mac. |
| Setup Assistant | Skip unlock with Apple Watch | This skips the screen related to unlocking the device with the Apple Watch. |
| Kernel Extensions | Allow non admin user approvals | Allow users who aren’t local administrators to approve kernel extensions. |
Commands
| Module | Command | Description |
| Restart | Notify user | If true, notifies the user to restart the device at their convenience. No forced restart occurs unless the device is at login window with no logged-in users. The user can dismiss the notification and ignore the request. No further notifications display unless you resend the command. This value is available in macOS 11.3 and later. |
| Restart | Rebuild Kernel cache | If true, the system rebuilds the kernel cache during a device restart. This value is available in macOS 11 and later. |
| Recovery Lock | Set Recovery Lock | Set the recoveryOS password. Available in macOS 12.0 and later. |
| Recovery Lock | Verify Recovery Lock | Verify whether a recoveryOS password has been set. Available in macOS 12.0 and later. |
| Device Information | Is Apple Silicon | Query whether the device is a Mac with Apple silicon. Available in macOS 12.0 and later |
| Device Information | Can install iOS apps | Install iPhone and iPad apps on a Mac with Apple Silicon from Apps and Books in Apple School Manager and Apple Business Manager. Available in macOS 11.3 and later. |
| OS Updates | Max user deferrals | Specify the maximum number of deferrals, after which a forced update will occur. |
Resources
KB Article
VMware EUC Blog
WWDC 2021 Videos
- What’s new in managing Apple devices
- Meet declarative device management
- Discover account-driven User Enrollment
- Improve MDM assignment of Apps and Books
- Manage software updates in your organization
