How Apple is updating mobile device management

Unsurprisingly, Apple at WWDC announced a number of significant changes to the way Macs, iPads, iPhones, and Apple TVs are handled in business and education settings. These changes largely fall into two groups: those that affect general device management, and those that apply to declarative management (a new type of device management that Apple introduced last year in iOS 15).

It is important to look at each group separately to better understand the changes.

How did Apple change global device management?

Apple Configurator

Apple Configurator for iPhone has seen a significant expansion. Apple Configurator has long been the manual way of enrolling iPhones and iPads in management when automated or self-enrollment tools are not an option. It originally shipped as a Mac app capable of configuring devices, but it had one major drawback: each device had to be connected via USB to the Mac running the app. That has obvious time and staffing implications in anything but a small deployment.

Last year, Apple introduced a version of Configurator for iPhone that reversed the original workflow: the iPhone app is used wirelessly to enroll Macs in management. Its primary use is enrolling Macs purchased outside Apple's Business/Education channel in Apple Business Manager (Apple products purchased through the channel can be enrolled automatically with zero-touch setup).

The iPhone incarnation is remarkably simple. During the Mac's setup process, point the iPhone camera at an animation on the Mac screen (much like pairing an Apple Watch) to trigger enrollment.

The big change this year is that Apple has expanded Apple Configurator for iPhone to enroll iPads and iPhones through the same camera-based process, removing the requirement that those devices be connected to a Mac. This greatly reduces the time and effort required to enroll them. There is one caveat: devices that require cellular activation, or that are activation locked, must have that activation completed manually before Configurator can be used.

Identity management

Apple has made useful changes to identity management in enterprise environments. Most notably, it now supports additional identity providers, including Google Workspace and any OAuth 2-based provider, which widens the set of providers that can be federated. (Azure AD was already supported.) These identity providers can be used in conjunction with Apple Business Manager to generate Managed Apple IDs for employees.

The company also announced that single sign-on for enrollment will be available across all of its platforms once macOS Ventura and iOS/iPadOS 16 arrive this fall. The goal is to make device enrollment easier and more streamlined by requiring users to authenticate only once. Apple also announced Platform Single Sign-on, which extends the identity provider login to the device itself so that signing in to a Mac also signs the user in to business applications and websites.

Per-app managed networking

Apple has long offered per-app VPN, which routes only specific business or work apps over an active VPN connection. This strengthens VPN security and reduces the VPN's load, since only traffic from the designated apps is tunneled. With macOS Ventura and iOS/iPadOS 16, Apple adds per-app DNS proxy and per-app web content filtering. These secure the traffic of specific apps, work much like per-app VPN, and require no changes to the apps themselves. The DNS proxy can be applied system-wide or per application, while content filtering can be applied system-wide or as up to seven per-app instances.

eSIM provisioning

For iPhones that support eSIM, Apple now allows mobile device management (MDM) software to configure and provision an eSIM. Use cases include provisioning a new device, migrating between carriers, using multiple carriers, and setting up service for travel and roaming.

Manage accessibility settings

Apple is well known for its extensive set of accessibility features for people with special needs; many people without special needs use them too. In iOS/iPadOS 16, Apple allows MDM to automatically enable and configure some of the most common ones, including text size, VoiceOver, Zoom, Touch Accommodations, bold text, reduce motion, increase contrast, and reduce transparency. This will be a welcome tool in settings such as special education, healthcare, and hospitals, where devices are shared between users with differing needs.

What's new in Apple's declarative management process?

Apple introduced declarative management last year as an improvement over its original MDM protocol. Its great advantage is that it moves a large part of the business logic, compliance checking, and management work from the MDM service to each device. As a result, devices can proactively monitor their own state. This eliminates the need for the MDM service to constantly poll a device's status and then issue commands in response. Instead, the device applies changes based on its current state and the declarations sent to it, and reports the results back to the service.

Declarative management is built on declarations, which include configurations (the settings themselves) and activations (the rules that say when a configuration applies). A single set of declarations can include multiple configurations, along with activations whose predicates state when, or whether, each configuration should be activated. This means one set of declarations can carry the settings for all users, with activations indicating which users they apply to. It reduces the need for many different profiles, because the device itself determines which settings to enable based on its user and state.

This year, Apple expanded the areas in which declarative management can be used. Initially, it was only available on iOS/iPadOS 15 devices using User Enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 are supported, regardless of enrollment type. This means device enrollment (including supervised devices) is supported across the board, as is Shared iPad (an enrollment type that lets multiple users share the same iPad, each with their own settings and files).

The company has made it clear that declarative management is the future of Apple device management and that new management features will be implemented only in the declarative model. Although traditional MDM will remain available for an indefinite period, it should be treated as legacy and will eventually be retired.

This has important implications for devices already in use. Devices that cannot run macOS Ventura or iOS/iPadOS 16 will eventually fall out of support, and those still in service will need to be replaced. Given the number of devices that are no longer supported, this could be a costly transition for some organizations. It won't be immediate, but you should start working out how large and expensive the transition will be and how you will manage it, especially since on the Mac side it is likely to mean moving to Apple silicon, which does not support Boot Camp for running Windows natively.

Beyond expanding the products that can use declarative management, Apple has also expanded its functionality, adding support for passcode policies, enterprise accounts, and the installation of MDM-managed apps.

The passcode option is more than simply requiring a passcode of a certain type. Traditionally, certain security-related settings, such as corporate Wi-Fi settings pushed to a device, depend on a passcode being in place. In the declarative model, those settings can be sent to the device before a passcode has been set. They ship alongside the passcode requirement, with an activation that fires only once the user has created a passcode that complies with the policy. When the user sets such a passcode, the device detects the change and activates the Wi-Fi settings itself, without a round trip to the MDM service, then reports the activation back to the service.
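The device-side evaluation described above, as an added example that is not Apple's code and not part of the original article: a small Python model of declarations and activations. The declaration shape (Type, Identifier, ServerToken, Payload; an activation of type com.apple.activation.simple with StandardConfigurations and a Predicate) follows the public declarative management format, but the predicate grammar supported here is a deliberately tiny subset of the real one, the Wi-Fi configuration type name is hypothetical, and the status key `passcode.is-compliant` and the declarations themselves are constructed for illustration. It shows the passcode-gated Wi-Fi flow: the device holds both declarations from the start, applies only the passcode policy, and activates the Wi-Fi configuration on its own once its status changes.

```python
"""Minimal model of device-side evaluation of declarative management
activations. Added example, not Apple's implementation. Supported predicate
subset: @status(key) == 'value' clauses joined with AND."""
import re

# Constructed declarations: a passcode policy that is always active, and a
# (hypothetical) Wi-Fi configuration gated on passcode compliance.
DECLARATIONS = [
    {"Type": "com.apple.configuration.passcode.settings",
     "Identifier": "cfg-passcode", "ServerToken": "1",
     "Payload": {"MinimumLength": 6, "RequireAlphanumericPasscode": True}},
    {"Type": "com.apple.configuration.wifi",  # hypothetical type name
     "Identifier": "cfg-corp-wifi", "ServerToken": "1",
     "Payload": {"SSID": "corp-secure"}},
    {"Type": "com.apple.activation.simple",
     "Identifier": "act-passcode", "ServerToken": "1",
     "Payload": {"StandardConfigurations": ["cfg-passcode"]}},
    {"Type": "com.apple.activation.simple",
     "Identifier": "act-corp-wifi", "ServerToken": "1",
     "Payload": {"StandardConfigurations": ["cfg-corp-wifi"],
                 "Predicate": "@status(passcode.is-compliant) == 'true'"}},
]

_TERM = re.compile(r"@status\(([\w.\-]+)\)\s*==\s*'([^']*)'")


def predicate_holds(predicate, status):
    """Evaluate the supported predicate subset against a status dictionary.
    No Predicate means the activation is unconditional. A missing status
    key makes the clause false: a gated configuration stays inactive until
    the device can actually report the condition (fail closed)."""
    if not predicate:
        return True
    for clause in (c.strip() for c in predicate.split(" AND ")):
        m = _TERM.fullmatch(clause)
        if not m:
            raise ValueError(f"unsupported predicate clause: {clause!r}")
        key, expected = m.groups()
        if str(status.get(key, "")).lower() != expected.lower():
            return False
    return True


def active_configurations(declarations, status):
    """Return the sorted identifiers of configurations the device should
    apply now, given the declarations it holds and its own status. The
    server is not consulted; this is purely the device-side step."""
    known = {d["Identifier"] for d in declarations}
    active = set()
    for d in declarations:
        if d["Type"] != "com.apple.activation.simple":
            continue
        payload = d["Payload"]
        if predicate_holds(payload.get("Predicate"), status):
            # Ignore references to configurations the device never received.
            active.update(c for c in payload["StandardConfigurations"] if c in known)
    return sorted(active)


def transition(declarations, before, after):
    """Diff two status snapshots: (newly activated, newly deactivated).
    This is the reactive step the article describes: the device notices a
    status change, such as the user setting a compliant passcode, and
    applies the gated configuration without a server round trip."""
    was = set(active_configurations(declarations, before))
    now = set(active_configurations(declarations, after))
    return sorted(now - was), sorted(was - now)


if __name__ == "__main__":
    fresh = {"passcode.is-compliant": "false"}   # constructed status
    print(active_configurations(DECLARATIONS, fresh))
    print(transition(DECLARATIONS, fresh, {"passcode.is-compliant": "true"}))
```

The fail-closed choice in `predicate_holds` is the point worth copying: a configuration that depends on a security precondition should not activate merely because the device has not yet reported on that precondition.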

Accounts, which can include mail, notes, calendar, and subscribed calendars, work the same way. A set of declarations can specify every account type supported in the organization, along with all subscribed calendars, and the device then determines which ones to activate based on the user's account and role(s) within the organization.

Installing MDM-managed apps is the most important addition to declarative management, because app installation is one of the most onerous tasks for an MDM and the biggest bottleneck during mass device activations (such as onboarding a large group of new employees, rolling out new devices, or the first day of school). A set of declarations can specify every app that might be installed and push it to a device at activation, even before the device has been handed to its user. Once again, the device determines which app installations to activate, depending on the user. This avoids each device repeatedly querying the service and downloading apps and their settings, and it simplifies and speeds up enabling (or disabling) apps when a user's role changes.

These are significant enhancements, and it is easy to see why they are the first additions to declarative management after its initial release. Some MDM capabilities have not yet made the leap to the declarative model, but it is clear they will, perhaps as soon as next year.

This is one of the biggest WWDC announcements for businesses, and it is good to see that Apple chose carefully which features to add or update: most of them target areas that were difficult, slow, resource intensive, or tedious. Apple is not only meeting the needs of business customers, but showing that it understands them.

Copyright © 2022 IDG Communications, Inc.