Workspace ONE Unified Endpoint Management Technical Guides

macOS Monterey – What Workspace ONE Customers Need to Know

Apple launched macOS Monterey on Monday, October 25, and with it, they’ve delivered an array of new capabilities and changes, much like they did with iOS 15. As we work to support this new release, we want to make you aware of the capabilities and provide you with some tools you can use to take advantage of these advances in the near term.

OS Management

Once a device has been updated to Monterey, admins can add the option to set the maximum number of user deferrals. This allows users to delay applying future OS upgrades until a convenient time. However, once a user exhausts the configured number of deferrals, the system forces the install and restarts the device.

Monterey also brings new features related to OS updates for devices running Apple Silicon. The most noticeable is support for use of the bootstrap token in MDM-initiated install-later update flows. This means admins can schedule an update for a later time when the device is not in use. This functionality will be most useful for admins managing large numbers of shared-use or non-mobile devices, such as computer labs or editing workstations, where you’ll need to perform the update and restart during off-hours. End users will appreciate not having to perform the restart during their work hours.

Device Management

While Apple added the RestartDevice command pre-Monterey, they’ve added a new parameter to notify the user of the pending restart. Previously, the RestartDevice command immediately restarted macOS with no notification to the user. This behavior made an admin-initiated restart highly disruptive and unexpected to end users and was most problematic for organizations managing Kernel Extensions. With the new NotifyUser parameter, admins can notify the end user of a required restart and allow them to restart gracefully.

Additionally, macOS Monterey brings a new capability that comes with a corresponding restriction. Monterey is the first version of macOS supporting the “Erase All Content and Settings” feature (similar to behavior in iOS). This new option allows admins and end users to wipe user data from a Mac, essentially returning it to the first-boot experience. While previously you could wipe a Mac, the process rendered the device unbootable and required admins to re-install macOS. Instead, you now have the option to preserve the OS, which is the default behavior if you initiate a Device Wipe on Apple Silicon Macs or Macs with the T2 chip. Admins can also restrict users from wiping devices with this new restriction.

Security-related

macOS Monterey builds on top of the features in Big Sur with a new feature called Removable System Extensions. This new feature allows apps to remove their own system extensions during uninstall without the need for an administrator password. This feature should make maintenance and updates for software with system extensions much easier. Also, Monterey deactivates system extensions when the payload that allows the extension is removed from the device.

Also new with Monterey is iCloud Private Relay. This feature hides your DNS queries and IP address from servers and websites that attempt to track you. While this feature helps protect a user’s privacy, it may not be desirable in an enterprise setting. If this is the case with your organization, Monterey supports a new restriction allowing you to disable iCloud Private Relay on supervised devices.

Tools

The following XML snippets for items related to the fall releases of Big Sur and Monterey were originally provided in our KB article on VMware Docs. We are reprinting them here for your convenience, and the corresponding XML can be found on our EUC-Samples GitHub repository.

Profiles

| Payload | Key | Description |
| --- | --- | --- |
| Restriction | Enforce a major macOS software update delay | Defer major macOS updates, such as macOS 12, for a period of time. |
| Restriction | Enforce a minor macOS software update delay | Defer minor macOS updates, such as macOS 11.5, for a period of time. |
| Restriction | Enforce a non-macOS software update delay | Defer a non-macOS software update, such as a supplemental update to be installed. |
| Restriction | Allow erase all content and settings | Prevent users from using Erase All Content and Settings on their Mac. |
| Setup Assistant | Skip unlock with Apple Watch | This skips the screen related to unlocking the device with the Apple Watch. |
| Kernel Extensions | Allow non admin user approvals | Allow users who aren’t local administrators to approve kernel extensions. |
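As an added example (not code from the KB article or the EUC-Samples repository), the following check audits a Restrictions payload before it is pushed as custom XML. The key names are Apple's `com.apple.applicationaccess` keys rather than names shown on this page, the sample payload is constructed, and treating iCloud Private Relay and Erase All Content and Settings as features that should be disabled is an assumed enterprise policy.

```python
import plistlib

MAX_DELAY_DAYS = 90  # upper bound Apple documents for the deferral-delay keys

# Each delay key only takes effect when its enabling flag is true.
DEFERRALS = {
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": "forceDelayedMajorSoftwareUpdates",
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": "forceDelayedSoftwareUpdates",
    "enforcedSoftwareUpdateNonOSDeferredInstallDelay": "forceDelayedAppSoftwareUpdates",
}
# Restrictions that default to "allowed" when the key is absent (assumed policy: disable both).
MUST_BE_FALSE = ("allowCloudPrivateRelay", "allowEraseContentAndSettings")

# Constructed sample payload (not from the EUC-Samples repository).
SAMPLE = b"""<plist version="1.0"><dict>
  <key>PayloadType</key><string>com.apple.applicationaccess</string>
  <key>forceDelayedMajorSoftwareUpdates</key><true/>
  <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>120</integer>
  <key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key><integer>30</integer>
  <key>allowEraseContentAndSettings</key><false/>
</dict></plist>"""


def audit_restrictions(xml_bytes):
    """Return {key: problem} for a com.apple.applicationaccess payload dict."""
    payload = plistlib.loads(xml_bytes)
    if payload.get("PayloadType") != "com.apple.applicationaccess":
        raise ValueError("not a Restrictions payload")
    findings = {}
    for delay_key, flag_key in DEFERRALS.items():
        if delay_key not in payload:
            continue
        days = payload[delay_key]
        if payload.get(flag_key) is not True:
            # A delay without its enabling flag is silently ignored by the OS.
            findings[delay_key] = f"ignored: {flag_key} is not true"
        elif not 1 <= days <= MAX_DELAY_DAYS:
            findings[delay_key] = f"{days} days is outside 1-{MAX_DELAY_DAYS}"
    for key in MUST_BE_FALSE:
        # A missing key means the feature stays allowed, so absence is a finding.
        if payload.get(key, True) is not False:
            findings[key] = "feature is still allowed"
    return findings


if __name__ == "__main__":
    for key, problem in audit_restrictions(SAMPLE).items():
        print(f"{key}: {problem}")
```
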

Commands

| Module | Command | Description |
| --- | --- | --- |
| Restart | Notify user | If true, notifies the user to restart the device at their convenience. No forced restart occurs unless the device is at login window with no logged-in users. The user can dismiss the notification and ignore the request. No further notifications display unless you resend the command. This value is available in macOS 11.3 and later. |
| Restart | Rebuild Kernel cache | If true, the system rebuilds the kernel cache during a device restart. This value is available in macOS 11 and later. |
| Recovery Lock | Set Recovery Lock | Set the recoveryOS password. Available in macOS 12.0 and later. |
| Recovery Lock | Verify Recovery Lock | Verify whether a recoveryOS password has been set. Available in macOS 12.0 and later. |
| Device Information | Is Apple Silicon | Query whether the device is a Mac with Apple silicon. Available in macOS 12.0 and later. |
| Device Information | Can install iOS apps | Install iPhone and iPad apps on a Mac with Apple Silicon from Apps and Books in Apple School Manager and Apple Business Manager. Available in macOS 11.3 and later. |
| OS Updates | Max user deferrals | Specify the maximum number of deferrals, after which a forced update will occur. |

Resources

KB Article

VMware EUC Blog

WWDC 2021 Videos

Access macOS-Related Posts on VMware Technical Network

Take the FREE Online Workspace ONE macOS Management Training