
Updates from Apple’s WWDC23: What’s new for enterprise device management of iPads, iPhones, Macs, and more

What an exciting Worldwide Developers Conference! As has been the trend in recent years, Apple’s WWDC23 was primarily a virtual event. In addition to presenting the opening keynote, Apple published various developer sessions throughout the week, many of which pertained directly to enterprise. Apple makes these WWDC developer sessions open to the public and publishes them on the Apple developer website. If you’re interested in watching any of the sessions, we recommend the “What’s New in Managing Apple Devices” session to get started. This session will provide a high-level overview of all device management updates, which we’re eagerly researching to see how they will work with Workspace ONE Unified Endpoint Management. 

For a developer conference that predominantly focuses on software updates, Apple showcased a lot of new hardware this year at WWDC23. An all-new 15-inch MacBook Air complete with an M2 chip kicked off the show, but Apple didn’t stop there. The Mac Studio received new Apple Silicon internals, as did the long-awaited Mac Pro. With these Mac updates, Apple has officially completed its transition to Apple Silicon across all device models.

The big announcements from WWDC23 

And lest we forget Apple’s famous “One more thing …,” this year Apple finally lifted the veil on its rumored mixed reality device, aptly named Apple Vision Pro. Vision Pro introduces an entirely new product category for Apple. The mixed reality headset is a stand-alone “spatial computing” device that can be used independently from a Mac or iPhone. Vision Pro is powered by a brand-new operating system called visionOS. Apple’s demonstration of Vision Pro and visionOS was truly awe-inspiring. We recommend checking it out here if you haven’t seen it. Apple mentioned this new spatial computing platform would not be made available until 2024. So far, there is no indication visionOS will support device management at launch. We’ll be keeping our eye on the platform in case that changes in a future release.

No WWDC would be complete without major operating system updates. As expected, Apple announced iOS 17, iPadOS 17, macOS 14 Sonoma, tvOS 17, and watchOS 10. For the iOS update, Apple focused mostly on refining and improving the iPhone experiences you already know and love. Core functionality like phone calls, iMessage, and FaceTime all received meaningful quality-of-life improvements. My favorite new feature is the new “catch-up” functionality in Messages, which allows you to jump to the first message you haven’t seen in a conversation. This is a much-appreciated feature for those unruly group chats.

Most of these enhancements also apply to iPadOS, though this platform did have a couple of standouts, namely significant widget expansion. iPad now supports widgets on the lock screen. These widgets are no longer simply a shortcut to the anchor application. Instead, they offer their own functionality to take actions within apps without leaving the Home Screen. The same widget improvements are available on macOS 14 Sonoma as on iPadOS 17, along with other quality-of-life improvements to core Mac apps.

In terms of new features for enterprise, WWDC23 did not disappoint. Every platform received meaningful device management updates. We’ll highlight a couple of the more interesting updates below, but for more in-depth coverage of WWDC23, please see our document: “Getting Ready for Apple Major OS Releases 2023.”

Declarative device management  

All eyes were on declarative device management (DDM) this year at WWDC23. As Apple had previously proclaimed, “The future of device management is declarative,” we were expecting to see significant updates to this new management paradigm. I am happy to report that Apple delivered.  

If you’re still fuzzy on DDM, here’s a quick primer. DDM is a new management paradigm that builds on top of Apple’s existing mobile device management (MDM) protocol. Since DDM enhances the existing MDM protocol, there is no migration required for managed devices to support new DDM capabilities. DDM introduces two new management concepts with Declarations and Status Channel. Declarations represent the policies that are applied to devices, whereas Status Channel allows managed devices to automatically and asynchronously report device state changes as they occur.  

Upcoming DDM functionality 

Apple has enhanced DDM in three key areas for their upcoming major software releases. DDM will soon support functionality for software update management, certificate management, and application management.  

Software update management 

The most interesting declarative enhancement might be software update management with DDM, as it provides net-new functionality compared to previous update management options. With the new software update enforcement declarative configuration, administrators can now force a device OS update at a specified date and time, down to the second. Apple has also introduced four new status items specific to software update management. These new status items allow managed devices to automatically update the MDM server with their software update install status, how the update was triggered, the pending update version, and even update failure reasons. We think these enhancements to software update management will streamline the update process and make update enforcement much more reliable and transparent.
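As an added illustration (not code from this post or from Workspace ONE), here is a small Python sketch of the two halves of DDM described in the primer and in this section: the server builds an update-enforcement declaration plus a status subscription, and then reads the device’s asynchronous status report. The declaration types and the four status-item names are Apple’s published DDM identifiers; the declaration identifiers, the deadline, the nested report shape and the sample report values are assumptions constructed for this example.

```python
"""Build DDM software-update enforcement declarations and read back status.
Types/status names follow Apple's DDM reference; everything else is constructed."""
import hashlib
import json
from datetime import datetime

ENFORCEMENT_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
SUBSCRIPTION_TYPE = "com.apple.configuration.management.status-subscriptions"
STATUS_ITEMS = ("softwareupdate.install-state", "softwareupdate.pending-version",
                "softwareupdate.install-reason", "softwareupdate.failure-reason")
SAMPLE_DEADLINE = datetime(2023, 10, 2, 9, 30, 0)  # constructed, device-local time


def server_token(payload: dict) -> str:
    # A device re-fetches a declaration only when its ServerToken changes, so
    # deriving the token from canonical payload JSON ties it to the content.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:32]

def declaration(dtype: str, identifier: str, payload: dict) -> dict:
    return {"Type": dtype, "Identifier": identifier,
            "ServerToken": server_token(payload), "Payload": payload}

def update_enforcement(identifier: str, version: str, deadline: datetime) -> dict:
    # TargetLocalDateTime is ISO 8601 to the second in the device's local time,
    # with no zone suffix, so a fleet-wide deadline is computed per time zone.
    payload = {"TargetOSVersion": version,
               "TargetLocalDateTime": deadline.strftime("%Y-%m-%dT%H:%M:%S")}
    return declaration(ENFORCEMENT_TYPE, identifier, payload)

def status_subscription(identifier: str) -> dict:
    # Ask the device to push the four software-update status items.
    return declaration(SUBSCRIPTION_TYPE, identifier,
                       {"StatusItems": [{"Name": n} for n in STATUS_ITEMS]})

def summarize_status(report: dict, enforcement: dict) -> dict:
    # Assumed nesting of dotted item names: softwareupdate.install-state
    # arrives as report["StatusItems"]["softwareupdate"]["install-state"].
    su = report.get("StatusItems", {}).get("softwareupdate", {})
    target = enforcement["Payload"]["TargetOSVersion"]
    return {"target": target, "state": su.get("install-state"),
            "reason": su.get("install-reason"), "failure": su.get("failure-reason"),
            "pending_matches_target": su.get("pending-version") == target}

# Constructed sample report; the state/reason strings are illustrative only.
SAMPLE_REPORT = {"StatusItems": {"softwareupdate": {
    "install-state": "downloading", "pending-version": "17.0",
    "install-reason": "enforced"}}}
```

Changing the target version or deadline changes the ServerToken, which is what makes the device pick up the new enforcement on its next sync.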

Certificate management 

Certificate management is new to DDM and fits inside the Asset framework. Apple introduced four new assets for certificates and identity, supporting the following formats: ACME, PEM, PKCS#1, PKCS#12, and SCEP. These certificates and identities are deployed as assets, so each can be referenced by multiple configurations. This allows for a streamlined certificate refresh process when compared to Profile certificates, as you’ll only have to refresh one certificate instead of many. If you only need to install a standalone certificate in the device keychain, Apple has this use case covered as well. DDM now supports two new configurations for installing standalone certificates and identities.  

Application management 

Apple announced application management with DDM at WWDC23, although they stated this functionality would not launch with the major OS debuts. Instead, application management with DDM will be provided in a later release. While Apple’s developer documentation is not yet live for this functionality, we did glean details from this WWDC23 DDM session. Apple announced a new managed application configuration that can be used to deploy applications to managed devices, with new options for on-demand vs. automatic install. Lastly, Apple also announced a new managed app distribution framework that is available for third-party management app use. This new application framework will allow third-party management applications (think Workspace ONE Intelligent Hub) to source real-time managed app install status directly from the device. 

Overall, declarative device management had some exciting updates at WWDC23. We’re hard at work on our implementation of DDM within Workspace ONE Unified Endpoint Management and are currently scoping and prioritizing these upcoming enhancements.  

Managed Apple ID enhancements 

Apple made a few key enhancements to Managed Apple IDs that will help their adoption in enterprise. The biggest enhancement is that Apple Business Manager and Apple School Manager can now integrate with third-party identity providers (IdPs) for federated authentication and directory sync purposes. Historically, this functionality has been limited to Microsoft Azure AD and Google Workspace. There are a few requirements when integrating with third-party IdPs. The IdP in question must support OpenID Connect for federation and SCIM for data synchronization, as well as security events using the OpenID Shared Signals and Events (SSE) framework. Additionally, Apple Business Manager and Apple School Manager now provide more granular control over what iCloud services Managed Apple IDs can access.  

Apple also announced a new device enrollment process for Managed Apple IDs. Apple introduced a new account-driven device enrollment process for onboarding devices into MDM, similar to account-driven user enrollment. The enrollment steps are like those for account-driven user enrollment, but this device enrollment counterpart enables full MDM capabilities. Note that account-driven device enrollment also requires Managed Apple IDs to start the enrollment process.  

Image: Apple account-driven device enrollment (courtesy of Apple)
Image: ADDE with Managed Apple ID (courtesy of Apple)

watchOS management 

With the availability of watchOS 10, it is now possible to manage Apple Watches. This is an exciting enhancement to Apple’s device management protocol as it brings a new platform into support. watchOS device management works very similarly to iOS device management: it supports profile and app management, as well as query commands to collect device attributes. Additionally, DDM is also supported on watchOS, with all declaration types and the Status Channel now supported by the platform. Not every profile and command is supported by watchOS, but it does support functionality like Restrictions, Wi-Fi, and Passcode profiles, app management with per-app VPN, and certificate management for authentication and identity.

There are a few requirements for managing Apple Watches. First, the Apple Watch needs to be in a factory restored state and not paired to any iPhones. Second, you’ll need to pair the Apple Watch with a supervised iPhone. Third, the supervised iPhone must have the new Watch Enrollment declaration installed prior to pairing. If all these requirements are met, the Apple Watch will automatically enroll into MDM when paired to the supervised iPhone. Once enrolled, the Apple Watch will communicate directly with the MDM server and will not be reliant on the paired iPhone to receive management policies.  

Image: Apple watchOS support (courtesy of Apple)

iOS 17, iPadOS 17, and macOS 14 Sonoma enhancements 

Apple’s core iPad, iPhone, and Mac platforms also received a handful of device management updates this year. On iOS 17 and iPadOS 17, new networking capabilities support 5G and relay functionality. A new private cellular payload and 5G slicing options for managed apps make segmenting device internet traffic even easier. A new “Return to Service” option added to the device wipe command makes it easier to reprovision frontline devices. macOS 14 Sonoma brings enhancements to platform single sign-on (SSO), along with support for managed device attestation. macOS 14 Sonoma also received a number of profile updates across many payload types, with the Restrictions payload receiving the most attention.

How Workspace ONE UEM is getting ready for major Apple 2023 OS releases 

We are thrilled to see such significant and impactful device management enhancements this year at WWDC23. We’ve already begun scoping and prioritizing these features and cannot wait to incorporate them into Workspace ONE UEM.  

If you’d like to learn more about Apple’s major OS updates, including new profile payloads and commands, check out our preparation documentation: “Getting Ready for Apple Major OS Releases 2023.”  

We’d love to hear your thoughts on Apple’s upcoming platform updates. Are there any new features you are particularly excited about? We encourage you to provide feedback on our Workspace ONE UEM feature request portal.