WWDC 2020 – What is new in Apple device management?
It has been a few months since Apple unveiled their new operating systems at WWDC 2020. This blog provides an advanced overview of the best upcoming features for managing your Apple devices.
macOS Big Sur
macOS Big Sur (macOS 11) has a great set of new features to enhance how it is managed and deployed. Some of those features have been borrowed from iOS.
Auto Advance for Mac
Building on top of Automated Device Enrolment, Apple has borrowed a fantastic feature from Apple TV, called Auto Advance for Mac.
Auto Advance for Mac allows for a more streamlined enrolment experience. It skips all the setup steps and boots the Mac to land right at the login page.
To use this feature, simply plug the Mac into a power source and connect it to the network with an Ethernet cable. The network must support DHCP.
Lights out Management for the new Mac Pro
For those lucky enough to have a new Mac Pro, Apple has added the ability to remotely start up, shut down and reboot it.
This is accomplished by sending an MDM command from your management server to an MDM-enrolled Lights out Management controller Mac. This controller Mac then forwards the commands to the appropriate Mac Pros.
User Approved MDM and supervision
Until now, User Approved MDM devices did not have the same management capabilities as devices enrolled with Automated Device Enrolment. With macOS 11, User Approved MDM devices will now be considered supervised, thus getting access to the enhanced management feature set.
Managed OS updates
macOS 11 has borrowed heavily from the way iOS handles Operating System updates.
Big Sur will add the following new capabilities:
- Force macOS updates, including rebooting the Mac afterwards
- Defer major OS updates for up to 90 days
- Defer non-OS updates for up to 90 days
iOS has always had more capabilities when managing apps deployed via Apple School Manager or Apple Business Manager.
These new features are now available for macOS 11.
- With macOS 11, apps can now be removed with an MDM command, or at un-enrolment
- The same iOS style app configuration options are now available
- The MDM can convert unmanaged apps to managed
It has always been possible to manually install a configuration profile. For instance, you can download one via a website or email. Because profiles configure the way the device behaves, it is important that a user neither installs one by mistake nor installs a malicious one.
iOS 13 added a feature called Downloaded Profiles; macOS 11 now has this feature too.
Now when a profile is downloaded, instead of automatically prompting the user to install it, the user gets a notification prompting them to preview the profile before installing.
In System Preferences there will be a new area listing these profiles. The user can then review them and either choose to install or delete them.
The profiles are only available for review for eight minutes. If the user chooses to ignore them, they are then automatically deleted.
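The review step described above can also be done outside the prompt, for example on a help desk. The following is an added example, not code from Apple or the original post: it lists the payloads inside an unsigned profile and flags the types that change trust, traffic routing or management. The shortlist of flagged types and the sample profile are assumptions made for illustration.

```python
import plistlib

# Payload types that alter trust, traffic routing or management.
# This shortlist is the example's own assumption, not an Apple-defined list.
SENSITIVE = {
    "com.apple.security.root": "adds a trusted root certificate",
    "com.apple.vpn.managed": "routes traffic through a VPN",
    "com.apple.proxy.http.global": "sends web traffic through a proxy",
    "com.apple.mdm": "enrols the device in MDM",
}


def summarise_profile(data: bytes) -> dict:
    """Summarise an unsigned .mobileconfig (XML or binary plist).

    Signed profiles are CMS-wrapped; plistlib rejects them with a
    ValueError subclass, so unwrap those before calling this.
    """
    profile = plistlib.loads(data)
    if not isinstance(profile, dict) or profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    payloads = [p for p in profile.get("PayloadContent", []) if isinstance(p, dict)]
    types = [p.get("PayloadType", "(missing)") for p in payloads]
    return {
        "name": profile.get("PayloadDisplayName", "(unnamed)"),
        "identifier": profile.get("PayloadIdentifier", "(none)"),
        "payload_types": types,
        "findings": [(t, SENSITIVE[t]) for t in types if t in SENSITIVE],
    }


# Constructed sample profile: a Wi-Fi payload plus a root certificate payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadDisplayName": "Guest Wi-Fi (constructed sample)",
    "PayloadIdentifier": "com.example.guestwifi",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Guest"},
        {"PayloadType": "com.apple.security.root", "PayloadContent": b"\x00"},
    ],
})

if __name__ == "__main__":
    summary = summarise_profile(SAMPLE_PROFILE)
    print(summary["name"], summary["payload_types"])
    for payload_type, reason in summary["findings"]:
        print(f"REVIEW: {payload_type} {reason}")
```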
Mac serial numbers
Automated Device Enrolment uses each Mac’s serial number to identify it. The serial number holds identifiable information, including when and where the Mac was manufactured.
Apple will be phasing these out. New Macs will eventually ship with a randomly generated ten-digit serial number that holds no identifiable information.
Like macOS 11, iOS 14 also comes with new management capabilities.
Apple has added the ability to skip the ‘What’s New’ and ‘Update Completed’ panes. Skipping the update completed pane is a nice addition, as this can be skipped each time the OS is updated.
Apple’s Shared iPad solution has been a hit with education and was recently introduced to business as well.
One addition is the allocation of storage for each user. Until now, you would have had to specify how many users would be cached on the iPad, then each user would be given an equal amount of free storage. With iOS 14 you can now specify how much space you wish to allocate to each user, and the OS will work out how many users that can accommodate.
We also now have the ability to delete all cached users from a device as well as query which users have been cached and how much storage they have used.
You have always been able to stop users from deleting apps, but this policy applied to every installed app. Now you can mark specific apps as non-deletable. This will prevent the user from deleting those apps, or the OS from offloading them.
We now have more granular control over which apps are allowed to display previews within notifications.
The time zone can now be set. This is useful where location services are not enabled or available.
Previously, we have had various VPN options available, which included Full Tunnel, Split Tunnel and per app VPN.
With iOS 14, we now have the ability to assign a VPN connection to an account.
This is a replacement for Contacts, Calendars and mail domains.
By default, with iOS 14 the device’s real MAC address will not be advertised. Instead a random MAC address will be used. This may cause issues with corporate portals or captive portals.
If the device cannot connect to a Wi-Fi network because of this, it will fall back to using real MAC addresses. However, this feature can be managed via an MDM and disabled by default.
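To see which clients are affected on a network that filters by MAC address, check the locally administered bit (0x02 in the first octet), which is set on randomised addresses and clear on factory-assigned ones. The following is an added example, not part of the original post: it sorts the addresses found in DHCP log lines into allow-listed, randomised and unknown hardware addresses. The log format, the allow-list and every address shown are constructed for illustration.

```python
import re

MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def normalise(mac: str) -> str:
    """Lower-case, colon-separated form so comparisons are consistent."""
    return mac.replace("-", ":").lower()


def is_locally_administered(mac: str) -> bool:
    """True when bit 0x02 of the first octet is set (not a burned-in address)."""
    return bool(int(normalise(mac)[:2], 16) & 0x02)


def triage(log_lines, allow_list):
    """Group each MAC seen in the log as known, randomised or unknown."""
    allowed = {normalise(m) for m in allow_list}
    report = {"known": [], "randomised": [], "unknown": []}
    for line in log_lines:
        match = MAC_RE.search(line)
        if not match:
            continue  # line carries no MAC address
        mac = normalise(match.group(1))
        if mac in allowed:
            bucket = "known"
        elif is_locally_administered(mac):
            bucket = "randomised"  # likely a private Wi-Fi address
        else:
            bucket = "unknown"     # real hardware address not on the list
        if mac not in report[bucket]:
            report[bucket].append(mac)
    return report


# Constructed allow-list and DHCP log lines (hypothetical format).
ALLOW_LIST = ["F0-18-98-AA-BB-01"]
SAMPLE_LOG = [
    "2020-09-20T09:14:02Z DHCPACK 10.0.0.21 f0:18:98:aa:bb:01 ipad-lab-01",
    "2020-09-20T09:14:40Z DHCPACK 10.0.0.22 a6:3c:91:5e:07:d2 iPhone",
    "2020-09-20T09:15:03Z DHCPACK 10.0.0.23 3c:22:fb:10:20:30 macbook",
    "2020-09-20T09:15:09Z DHCPNAK no free leases",
]

if __name__ == "__main__":
    for bucket, macs in triage(SAMPLE_LOG, ALLOW_LIST).items():
        print(f"{bucket}: {', '.join(macs) or '-'}")
```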