Categories
Subscribe
WWDC21 highlights for Apple admins
Introduction
It is that time of year when Apple hosts their World Wide Developer Conference where we learn what Apple has planned for the upcoming year. This year, Apple announced macOS 12 (Manterey) and iOS 15.
Here are some of the highlights we feel will benefit Apple admins.
macOS Monterey – Erase Install
Erase Install is a great addition to macOS. Currently, if you have an in-use Mac you want to reprovision, you have to perform the following steps:
- Boot to the Recovery Partition
- Wipe the hard drive
- Reinstall macOS
This process can sometimes take up to one hour to complete.
With macOS Monterey, Apple is adding ‘Erase Install’. This works in the same way as Erase Install on iOS. You select this from System Preferences and it will erase all settings, user data and third party apps, keeping the OS intact. The Mac then reboots to the Setup Assistant, where you can set the Mac up as new. This process takes just a few minutes with the only caveat being it is only available for T2 and Apple Silicon Macs.
Erase Install will also be supported via MDM.
macOS Monterey – Silicon lock
Intel Macs have the ability to be device locked with a six-digit passcode. This allows admins to lock Macs to prevent them from being used.
Until now, Apple Silicon Macs have not had this feature. Administrators will now be able to send a six-digit PIN, message and phone number to the device. This will cause the Mac to reboot and present the user with the information provided, bringing feature parity across all Mac models. With remote lock in place, the user is unable to use a Mac until the PIN has been provided. Once the PIN is entered, the Mac will reboot.
macOS Monterey – recovery password
Booting to recovery could allow for unintended data access or changing critical security settings. With macOS Monterey, Apple is adding the ability to set a recovery password, thus limiting access to it. This password can only be set via an MDM.
Unenrolling the Mac from its management server or wiping the computer will automatically remove the password.
iOS 15 – managed pasteboard
iOS has the ability to silo data between managed and unmanaged apps. A managed app is an app deployed via an MDM server, an unmanaged app is one deployed by the user.
This helped to prevent data leakage between business and personal apps.
With iOS 15, the pasteboard will now be supported. The data copied from a managed app cannot be pasted into an unmanaged app – an MDM is required to enable this.
macOS Monterey – enforce OS updates
Keeping macOS up to date on some of the later versions of macOS has become slightly problematic. To avoid Macs auto-installing an OS update at an inconvenient time, users have been encouraged to install the update themselves via System Preferences. Inevitably, some users never get around to installing the updates.
With macOS Monterey, Apple has added some new capabilities.
The MDM server can now set the number of times a user can defer the update. When an update is available they will get a notification offering them the chance to either install the update now, defer it until tomorrow or install that night. An admin can specify how many times the user can defer the update. Each time the notification is displayed, they are told how many deferrals are left. Once they have run out of deferrals, the update will install there and then.
iOS 15 – choice of updates
Prior to iOS 15, when a user was presented with an update, they were only given one option – either the next minor update or, if there was a major update ( iOS 13 > 14), they were presented with that, so were forced to move to the next major update.
With iOS 15, the user will now be given two options if a major update is available (say iOS 16). They can choose either to upgrade to the next major version, or stick with the current version and install the minor updates and security updates.
The MDM server can also configure what the user sees, i.e. just the minor updates, just the major update or both.
macOS Monterey – adding Macs to Apple Business/School Manager
Until now, the only way to get a Mac added to Apple Business/School Manager was by purchasing them from an authorised vendor. They have the ability to add those Macs to your Apple Business/School Manager instance.
If you had purchased the Macs from an unauthorised vendor, you were out of luck.
iOS was different – as long as you were running iOS 11 or higher, you could add those devices yourself with Apple Configurator.
With macOS Monterey, you will now be able to add them yourselves. This has been a long requested feature.
How does this work?
Apple will be releasing a version of Apple Configurator for iPhone.
- You boot the Mac to the setup assistant
- You bring the iPhone close to the Mac
- This will make the Mac present a graphic
- On the iPhone you take a picture of the graphic. This graphic has an enough encoded information to add this Mac to your Apple Business/School Manager instance
- Once added, you can reboot the Mac and it is ready to enrol into your assigned MDM
You will only be able to add T2 and Apple Silicon Macs running macOS Monterey.
iOS 15 – declarative device management
MDM is currently a reactive protocol. MDM is used to deliver configuration profiles to Apple devices which specify the settings you want to apply to the device. There are a number of issues with the current approach. First, this protocol takes time and multiple round trips between the device and server. The server would reach out and ask the device to check in and download the configuration profile and apply it. The server would then periodically reach out to the device to see if the profile had been applied and check the current status of that device.
The other issue is there is no guarantee the settings would be applied and the config profiles only have one attempt to be applied. As an example, you deploy a config profile with a specific setting that is only available for the latest version of iOS. Some of the devices are not on that version of iOS, so the config profile fails to apply that setting because it does not exist. If the user then updates their version of iOS so they now have that feature, the setting is still not applied unless the server pulls that config profile and reinstalls it.
With declarative device management, it allows the device to be autonomous and proactive, freeing up the server to be lightweight, reactive and subscribe to updates without constant polling.
An autonomous device reacts to its own state changes and then applies management logic to itself without prompting from the server. Going back to the earlier example, once the user updates iOS, the setting would then be applied and the MDM server would not need to be involved.
With declarative management, both the device and server now advertise supported capabilities to each other. Each knows when it can start taking advantage of new features without having to hardcode software versions or hardware dependencies.
A proactive device has a status channel asynchronously reporting to the server when important state changes occur, avoiding the need for servers to poll devices.
This is the future of device management. iOS 15 is the first OS to support this and, with the first version, only a subset of the current management options will be available.
The good news is, this runs side by side with the old way of managing devices. Over the next few years more features will move over to declarative device management.
