blog.dataJAR

WWDC23 | Announcements summary and highlights for Apple admins

Apple WWDC23
Introduction

Apple’s Worldwide Developers Conference has wrapped for another year, and what a bumper year it was. The keynote gave us an introduction to the 15-inch MacBook Air, an updated Mac Studio and completed the transition to Apple silicon with an updated Mac Pro. We were also treated to a glimpse of the future with the Apple Vision Pro augmented reality headset; we cannot wait to see how this technology develops in the coming years.

The keynote also gave us a first look at the new operating systems: macOS Sonoma, iOS 17, iPadOS 17 and watchOS 10.

As with previous years, the dataJAR team kept a close eye on all announcements and reviewed new or changing product features. Here are some of the highlights we feel will benefit Apple admins.

Managed Apple IDs

Something that admins and users alike have long been calling for is feature parity between personal Apple IDs and Managed Apple IDs (also known as MAIDs). Apple’s engineering teams have had to overcome some significant architectural challenges in the Managed Apple ID infrastructure to bring us a host of very welcome improvements.

MAIDs will now offer access to the following services: 

  • iCloud Keychain – securely save and access credentials (including managed passkeys) on any approved device.
  • Continuity – which will allow users to use AirPlay to Mac, Auto Unlock, Continuity Camera, Continuity Markup and Sketch, Handoff, Instant Hotspot, iPhone cellular calls, Sidecar, SMS, Universal Clipboard and Universal Control.
  • Apple Wallet – allows adding payment cards and campus access passes.
  • Developer Account – Apple School Manager Admins can allow access to the Apple Developer program for approved MAIDs.

Organisations will have more granularity in what type of device a MAID can sign in to. The options are:

  • any device
  • managed devices only
  • supervised and managed devices only

Account-driven Device Enrollment will allow Macs to enrol in MDM just by signing in with a MAID. The Mac discovers the MDM server from the account’s domain, so the user no longer has to download and install an enrollment profile by hand.

In addition to Azure AD and Google Workspace federation, custom identity provider (IdP) support will be added, enabling organisations to federate with any IdP that supports OpenID Connect.

For a deep dive on all the new Managed Apple ID features we recommend viewing the ‘Do more with Managed Apple IDs’ session.

Declarative device management

Cyrus Daboo, an engineer on the device management client team at Apple, said “the focus of new protocol features is declarative device management”, and it really is.

Apple has expanded and enhanced their declarative device management offering with some really exciting new features. 

First up is software update for macOS, iPadOS and iOS. One of the complaints admins have had in the past is the lack of visibility after an update command has been pushed via MDM. Declarative device management addresses this with status reports: the device tells the MDM the state of the update and returns meaningful error codes should an update fail or be unable to start. Users will also see enhanced information in System Settings on macOS and Settings on iOS and iPadOS, for example when an update was requested and when it will be enforced.

The following new keys have been added for managing software update:

  • TargetOSVersion and TargetBuildVersion – the version to update to. If both keys are set, TargetBuildVersion takes precedence, which is useful when a specific build must be pinned.
  • TargetLocalDateTime – the date and time, in the device’s local time zone, at which the update is enforced.
  • DetailsURL – the URL of a web page with more information about the update, which the user can open from the update prompt.

Next we will look at managed service configuration files for macOS. macOS has a whole host of system services that are configured by plain files on disk, and these can be tricky to manage effectively because a local user with the right privileges can simply edit or overwrite them. Declarative device management adds a new asset type that delivers configuration files as a .zip in a tamper-proof way: the files are placed where the service reads them, out of the user’s reach, and configuration sent in this manner always takes precedence over any local configuration.
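As an added example (not code from dataJAR or from Apple), the following Python builds the declarations the two passages above describe: the software update enforcement configuration carrying TargetOSVersion, TargetBuildVersion, TargetLocalDateTime and DetailsURL, and the data asset plus service configuration that ship a zip of sshd settings, tied together by an activation. Only those four update keys come from the page; the declaration type names and the other payload keys are given as the author of this example recalls them from Apple’s published declarative device management schema and should be checked against it before use, as should the file layout inside the zip, which is an assumption here. The server name, identifiers and sshd fragment are constructed.

```python
"""Constructing software update enforcement and service configuration-file
declarations. Added example, not dataJAR's or Apple's code. Type names and
payload keys other than the four update keys named on the page are recalled
from Apple's DDM schema and must be verified against it."""
import hashlib
import io
import json
import zipfile
from datetime import datetime

SOFTWARE_UPDATE_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
DATA_ASSET_TYPE = "com.apple.asset.data"
SERVICE_FILES_TYPE = "com.apple.configuration.services.configuration-files"
ACTIVATION_TYPE = "com.apple.activation.simple"


def server_token(decl_type: str, identifier: str, payload: dict) -> str:
    """A DDM client re-fetches a declaration only when its ServerToken changes,
    so derive the token from the content: any payload edit forces a resync."""
    canonical = json.dumps({"Type": decl_type, "Identifier": identifier, "Payload": payload},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def declaration(decl_type: str, identifier: str, payload: dict) -> dict:
    return {"Type": decl_type, "Identifier": identifier,
            "ServerToken": server_token(decl_type, identifier, payload), "Payload": payload}


def software_update_enforcement(identifier: str, target_os_version: str, enforce_at: datetime,
                                target_build_version=None, details_url=None) -> dict:
    """TargetLocalDateTime is the device's local wall-clock time, so it is written
    without a zone designator. When TargetBuildVersion is present it takes
    precedence over TargetOSVersion, which is why both are accepted here."""
    payload = {"TargetOSVersion": target_os_version,
               "TargetLocalDateTime": enforce_at.strftime("%Y-%m-%dT%H:%M:%S")}
    if target_build_version:
        payload["TargetBuildVersion"] = target_build_version
    if details_url:
        payload["DetailsURL"] = details_url
    return declaration(SOFTWARE_UPDATE_TYPE, identifier, payload)


def zip_bytes(files: dict) -> bytes:
    """Pack configuration files into the zip that the data asset points at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def service_configuration(identifier: str, service_type: str, data_url: str, zip_blob: bytes):
    """The asset carries the download location and the SHA-256 of the zip, so a
    zip altered in transit or on the server is rejected; the configuration
    binds that asset to one system service."""
    asset_id = identifier + ".asset"
    asset = declaration(DATA_ASSET_TYPE, asset_id, {
        "Reference": {"ContentType": "application/zip", "DataURL": data_url,
                      "Hash": {"SHA-256": hashlib.sha256(zip_blob).hexdigest()}}})
    config = declaration(SERVICE_FILES_TYPE, identifier,
                         {"ServiceType": service_type, "DataAssetReference": asset_id})
    return asset, config


def activation(identifier: str, configuration_ids) -> dict:
    return declaration(ACTIVATION_TYPE, identifier,
                       {"StandardConfigurations": list(configuration_ids)})


# Constructed sample: a hardened sshd fragment. The path inside the zip is an
# assumption; the layout each service expects is defined in Apple's schema.
SSHD_ZIP = zip_bytes({"sshd_config.d/100-managed.conf":
                      "PasswordAuthentication no\nPermitRootLogin no\n"
                      "KbdInteractiveAuthentication no\n"})
ENFORCE_AT = datetime(2023, 11, 6, 9, 0)  # 09:00 device-local time


def example_declarations() -> list:
    update = software_update_enforcement(
        "com.example.update.sonoma", "14.1", ENFORCE_AT,
        details_url="https://intranet.example.com/updates/14.1")
    asset, sshd = service_configuration("com.example.service.sshd", "com.apple.sshd",
                                        "https://mdm.example.com/assets/sshd.zip", SSHD_ZIP)
    act = activation("com.example.activation.baseline",
                     [update["Identifier"], sshd["Identifier"]])
    return [update, asset, sshd, act]


if __name__ == "__main__":
    print(json.dumps(example_declarations(), indent=2))
```

The zip hash in the asset is what makes the "tamper-proof" claim hold end to end: the device refuses a download whose SHA-256 does not match, so serving the zip from a CDN or a less trusted host does not let anyone substitute their own sudoers or sshd settings. Deriving ServerToken from the content rather than from a version counter means an edited payload can never be missed by a device that already holds the old token.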

The first set of built-in services are listed below, with more expected in future releases. 

  • sshd
  • sudo
  • PAM
  • CUPS
  • Apache
  • Zsh (/private/etc/zprofile)
  • Bash (/private/etc/profile)

Migrating from legacy profiles to declarative device management can be disruptive for the user, as currently profiles must be removed before a new set of declarations can be synced. There is now an option for your MDM to take ownership of existing profiles and migrate them to a legacy configuration declaration, resulting in no disruption or management gap as the new configuration takes over. This new behaviour is available for macOS, iOS and iPadOS.

These are just a few of our favourites among the new features in declarative device management; for an in-depth walk-through, check out Cyrus Daboo’s excellent ‘Explore advances in declarative device management’ session.

watchOS management

watchOS 10 brings with it the possibility to manage Apple Watches with MDM. To enable management the declarative configuration com.apple.configuration.watch.enrollment must be applied to a supervised iPhone. Once applied any watch that is then paired with the iPhone will become managed. If a watch has been paired before enrolment, it must be removed and re-paired. 

Apple Watch management is currently limited to: 

  • app installation and removal (including in-house apps)
  • selected profiles and configurations, including:
    • passcode requirements
    • certificate installation and settings
    • per-app VPN
    • Wi-Fi configuration
    • restrictions, such as preventing app installation or removal, forcing wrist detection, enforcing on-device translation and dictation, blocking screenshots, blocking diagnostic submission and disabling Siri while the watch is locked

For a more in depth preview we recommend watching the ‘Meet device management for Apple Watch’ session.

macOS Sonoma

macOS Sonoma further streamlines the setup process for admins and enhances the security posture of the computer by:

  • Enforcing a minimum macOS version during enrollment – if a computer does not meet the minimum requirements the user is guided through either upgrading or updating before being allowed to continue. 
  • Enforcing FileVault in the Setup Assistant – FileVault can be turned on during Setup Assistant, before the user reaches the desktop. This relies on await_device_configured being set in the Automated Device Enrollment profile so the MDM can deliver its configuration first, and admins can control whether the recovery key is shown to the user.
  • Enforcing Automated Device Enrollment for registered Apple School and Business Manager computers. A user is able to choose “Not now” once, then after 8 hours they will be required to enrol or erase the Mac. 

Platform single sign-on was introduced last year during WWDC22 and quickly became a favourite with admins the world over. This year we see the following enhancements.

  • WS-Trust federation – will allow Platform SSO to authenticate users with an IdP federated with Azure. 
  • User enrollment and registration status in System Settings – users will be able to sign in to Platform SSO via a new menu item in System Settings, which will also show the signed in status, including any error messages.  
  • Local account creation by users – users in labs or shared-computer scenarios will be able to sign in with their IdP credentials and have a local account created for them.

Passcode configuration and handling:

  • The passcode payload and declaration now supports specifying a password policy as a regular expression to support complex requirements. 
  • If there are new or updated password requirements applied to a computer while there is no logged in user, compliance is verified at the next login.
  • Should stricter password requirements be applied while a user is logged in, the user will be asked to verify their password and update it if it no longer meets the requirements.
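As an added example (not dataJAR’s or Apple’s code), here is what a regular-expression password policy of the kind described above looks like in practice, checked against candidate passwords before it is pushed to a fleet. The page only says the policy may be a regular expression; the payload keys customRegex, passwordContentRegex and passwordContentDescription are given as the author of this example recalls them from Apple’s Passcode payload reference and should be confirmed there. The regex engine macOS applies is not stated on the page, so the pattern uses only anchors, lookaheads, backreferences and character classes that ICU and Python’s re both support.

```python
"""Regular-expression password policy for the Sonoma passcode payload.
Added example, not dataJAR's or Apple's code; payload key names are recalled
from Apple's Passcode payload reference and should be verified there."""
import re

# Policy: 14+ characters, at least one lowercase, one uppercase, one digit and
# one symbol, and no character repeated three times in a row. Each requirement
# is its own lookahead so the pattern stays readable and cheap to evaluate.
# Avoid nested quantifiers such as (a+)+ in a policy regex: a long,
# nearly-matching password can then make the matcher backtrack exponentially,
# which is a denial of service against the login window, not a control.
POLICY_REGEX = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9])(?!.*(.)\1\1).{14,}$"
POLICY_DESCRIPTION = ("At least 14 characters including an uppercase letter, a lowercase "
                      "letter, a digit and a symbol, with no character repeated three "
                      "times in a row.")

_compiled = re.compile(POLICY_REGEX)


def password_complies(password: str, pattern: str = None) -> bool:
    """True when the whole password matches the policy regex."""
    regex = _compiled if pattern is None else re.compile(pattern)
    return regex.fullmatch(password) is not None


def passcode_payload_fragment(pattern: str = POLICY_REGEX,
                              description: str = POLICY_DESCRIPTION) -> dict:
    """The part of a com.apple.mobiledevice.passwordpolicy payload that carries
    the regex; the description is what the user sees when a password is rejected."""
    return {"customRegex": {"passwordContentRegex": pattern,
                            "passwordContentDescription": {"default": description}}}


def evaluate(candidates) -> dict:
    """Run candidate passwords through the policy: a quick sanity check that the
    regex accepts what you expect and rejects what you expect before deployment."""
    return {pw: password_complies(pw) for pw in candidates}


if __name__ == "__main__":
    samples = ["password", "Tr0ub4dor&3", "Aaa1!bbbbbbbbbbbb", "Correct-Horse-Battery1"]
    for pw, ok in evaluate(samples).items():
        print(("OK  " if ok else "NO  ") + pw)
```

Test the regex against a list of passwords you intend to accept and reject before shipping it: a policy that rejects every password a user can think of, or that accepts "Password1234567!", is discovered at the login window otherwise. Keep the description in the payload honest about the rule, since it is the only hint the user gets.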

AppleSetupDone has been part of admin workflows for longer than this admin cares to remember: deleting the marker file relaunched Setup Assistant, which was also a well-known way to create an additional administrator account on a Mac. With macOS Sonoma, removing /private/var/db/.AppleSetupDone will no longer relaunch the Setup Assistant if a local user already exists on the Mac.

iOS and iPadOS 17

Reprovisioning devices is something all admins regularly have to deal with. iOS and iPadOS 17 bring Return to Service, with the aim of making reprovisioning fully automated and much faster. When the MDM sends the erase command it can include the Wi-Fi details the device should join and the MDM server it should enrol with. The Wi-Fi profile is what lets the freshly erased device activate and reach the network, so it is needed unless the device has another path, for example because it is tethered; the MDM enrollment details are only needed when the device is not assigned to the MDM in Apple School Manager or Apple Business Manager, since an assigned device enrols through Automated Device Enrollment. Once erased, the device progresses through to the Home Screen using the previously selected language and region.
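As an added example (not dataJAR’s or Apple’s code), the following Python assembles the erase command with Return to Service details as described above, using plistlib so the result is the XML plist an MDM server would send. The key names ReturnToService, Enabled, WiFiProfileData, MDMProfileData and PreserveDataPlan are given as the author of this example recalls them from Apple’s MDM command reference and should be checked there. The Wi-Fi profile is a constructed sample for a provisioning network; the enrollment profile bytes are a placeholder standing in for whatever your MDM issues.

```python
"""EraseDevice with Return to Service. Added example, not dataJAR's or Apple's
code; ReturnToService key names are recalled from Apple's MDM command
reference and should be verified there."""
import plistlib
import uuid


def wifi_profile(ssid: str, passphrase: str, organization: str = "Example Org") -> bytes:
    """A minimal WPA2 Wi-Fi configuration profile, serialised as an XML plist.
    The passphrase travels inside the MDM command, so use a network reserved for
    provisioning rather than the staff Wi-Fi."""
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{ssid}",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "HIDDEN_NETWORK": False,
        "EncryptionType": "WPA2",
        "Password": passphrase,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.return-to-service",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Return to Service Wi-Fi",
        "PayloadOrganization": organization,
        "PayloadContent": [wifi_payload],
    }
    return plistlib.dumps(profile)


def erase_with_return_to_service(wifi_profile_data: bytes, mdm_profile_data: bytes = None,
                                 preserve_data_plan: bool = True) -> bytes:
    """Erase and re-provision in one command. MDMProfileData is only included
    when the device is not assigned to the MDM in Apple School Manager or Apple
    Business Manager; an assigned device re-enrols through Automated Device
    Enrollment. PreserveDataPlan keeps the cellular plan across the wipe."""
    rts = {"Enabled": True, "WiFiProfileData": wifi_profile_data}
    if mdm_profile_data is not None:
        rts["MDMProfileData"] = mdm_profile_data
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "EraseDevice",
            "PreserveDataPlan": preserve_data_plan,
            "ReturnToService": rts,
        },
    }
    return plistlib.dumps(command)


def parse_command(blob: bytes) -> dict:
    """Round-trip helper: what the device decodes from the command plist."""
    return plistlib.loads(blob)


def example_command() -> dict:
    # Constructed placeholder standing in for a real enrollment profile.
    mdm_profile_placeholder = b"<!-- enrollment profile bytes issued by your MDM -->"
    blob = erase_with_return_to_service(
        wifi_profile("Provisioning", "correct horse battery staple"), mdm_profile_placeholder)
    return parse_command(blob)


if __name__ == "__main__":
    cmd = example_command()
    print(cmd["Command"]["RequestType"], sorted(cmd["Command"]["ReturnToService"]))
```

Two things to notice from a security standpoint: the Wi-Fi passphrase and the enrollment profile are embedded in a device command, so they are only as protected as the MDM’s push and command channel and the Wi-Fi network should be one you are comfortable exposing to a freshly wiped device; and because the whole flow runs unattended, an erase command sent to the wrong device will not just wipe it but silently re-enrol it to whatever server the command names, so scope and double-check the targets of a bulk Return to Service.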

As with macOS Sonoma, a minimum iOS or iPadOS version can be required before enrolment will complete. The user experience is the same: the user is guided through upgrading or updating the device.

Summary

This year’s WWDC has been packed full of groundbreaking innovation, bringing fantastic new features for users, admins and developers alike. Apple’s commitment to continue to advance its platforms based on feedback from the Mac admin community is incredibly encouraging to see. We look forward to seeing these new features in practice.