blog.dataJAR

WWDC22 highlights for Apple admins

WWDC22 highlights for Apple admins
Introduction

2022 brought us yet another great World Wide Developer Conference. With Apple announcing macOS 13 (Ventura), iOS 16 and iPadOS16, a comprehensive update packed full of features will soon be made available for developers and admins to take advantage of.

As with previous years, the dataJAR team kept a close eye on all announcements and reviewed new or changing product features. Here are some of the highlights we feel will benefit Apple admins.

Declarative device management

The concept of declarative device management was introduced for user-enrolled iOS devices at WWDC 2021. This device management approach allows a device to react to its own state change and then report back into the MDM server. As most of the heavy lifting is done on the device, this frees up valuable network and MDM server resources.

Apple is expanding declarative management support to all its MDM supported platforms:

  • macOS, iOS16 and iPadOS16 will support all enrolment types
  • tvOS16 will support automated and profile based enrolment

macOS and shared iPads will have dual channel workflows available:

  • device – which will allow for device level state management 
  • user – which will allow for individual user-level state management

Apple has also expanded the reporting capabilities and activation predicates, so you can be sure the device is in a compliant state.

macOS Ventura – Platform Single Sign-On (Platform SSO)

Platform SSO is Apple’s intended replacement for binding computers to Microsoft’s Active Directory and Mobile Accounts; once configured you sign in to your local account, then let your identity provider take over signing into apps and websites.

There are still scenarios where binding to Active Directory may be necessary. For instance, where educational institutions are running labs, Active Directory binding is still supported in macOS Ventura but is not recommended by Apple. 

macOS Ventura – managed software updates

In today’s threat landscape, keeping macOS patched with the latest security updates has never been more important. However, reliability issues with the softwareupdate command line tool, combined with users choosing not to update as it is not convenient for them, means keeping devices patched has been an increasingly difficult problem to solve. 

macOS Ventura is making some welcome additions to the admins’ MDM software update toolbox.

  • If a computer is in Power Nap state, it will respond to the ScheduleOSUpdate, OSUpdateStatus and AvailableOSUpdate commands, rather than issue a NotNow response as it did previously. 
  • ScheduleOSUpdate has a new key called priority that can be set to High or Low. These are for minor OS updates only and will set the priority for the downloading and preparing phases of the Software Update process. Setting to High will mimic a user-initiated request from the Software Update System Preference Pane. 
  • OSUpdateStatus adds increased log visibility and reporting capabilities. With admins now able to see MaxDeferals, DeferralsRemaining, NextScheduledInstall, and PastNotifications.
  • Rapid Security Response allows for the automatic installation of critical security updates, without users needing to reboot.
macOS Ventura – network requirement for Setup Assistant 

With previous operating systems, it was possible to bypass a managed Mac from enrolling into an MDM server. In macOS Ventura, Automated Device Enrolment takes another step forward – it will now require a network connection at the setup screen and MDM enrolment cannot be bypassed. 

There are a couple of caveats to be aware of though. This method will only work with T2 chips on Intel or Apple Silicon Macs and it has to have completed an initial set up to register as owned by your organisation.

iOS and iPadOS – managed per-app networking

Accessing company data on personal devices is a bit of a minefield. Per-app VPN has been a feature of iOS for a while now and has been great at helping to secure sensitive data. iOS16 extends the per-app offering with per-app Web Content Filter and per-app DNS Proxy.

iPadOS – default Apple ID domain

Shared iPads are now able to take advantage of the ManagedAppleIDDefaultDomains command. Once set up and a user starts to type in their Apple ID, the default domain will be suggested saving valuable time, particularly in a classroom setting. 

iOS and iPadOS – install applications during setup

While it has always been possible to install critical applications onto iOS devices, the user experience of running through the setup assistant and then having to wait while the apps install is a little disjointed. With iOS16, you can now set applications to install during enrolment. This offers the vastly superior set up and go experience to your users. 

Latest posts

See All
February 9, 2024

Update: dataJAR blog content moving to Jamf’s platform

Featured image for “Update: dataJAR blog content moving to Jamf’s platform”
July 26, 2023

Did somebody mention macOS updates?

Featured image for “Did somebody mention macOS updates?”

Featured articles

May 4, 2023

Understanding BYOD and ADE enrolments in macOS – pros, cons and what to look out for 

Featured image for “Understanding BYOD and ADE enrolments in macOS – pros, cons and what to look out for ”
March 15, 2023

Getting started with web browser management in Jamf Pro

Featured image for “<strong>Getting started with web browser management in Jamf Pro</strong>”