We've made significant strides in bringing crucial device management features to macOS. Discover how these features can help you manage all your devices using the same tools and technologies. Get details on changes coming this year and how they will impact your deployment workflows, as well as some new management capabilities you can use to secure iOS and iPadOS devices in your organization.
Kevin Milden: Hello, I'm Kevin Milden and I'm on Apple's Device Management team.
At Apple, our team spends our time focused on making devices easier to manage across our platform, apps, and services that you use.
Whether you're assigning 6th graders activities using Schoolwork on an iPad, setting up iPhones in your organization for the first time, or using Apple Business Manager to purchase apps and books for your organization, it is Apple's hardware, software, and services that are at the center of your deployment.
And this year we've made some significant strides in bringing numerous crucial device management features to the Mac.
Today we're going to start by reviewing how you can deploy, manage, and secure macOS Big Sur.
Setting up and deploying Macs has never been easier.
With Essential Services from Apple, your organization can quickly deploy and support Macs at scale.
Our vision of enrollment requires nothing more than unboxing a Mac and booting it up.
And we're delivering on that promise with automated device enrollment.
All the user needs to do is select their language and connect to Wi-Fi.
It automatically enrolls organization-owned devices into MDM, so you don't have to touch them before you hand them out.
Enrollment customization allows you to add branding, consent text, and use modern authentication during the setup process.
It provides a better experience while using new auth vendors such as Microsoft Azure Active Directory, Okta, Ping, and more.
Using the credentials from your identity provider in enrollment customization, you can pre-populate the user's full name and short name.
We're also introducing the ability to choose if the account can enable user channel management too.
After creating a user account, you can customize the setup process to meet your organization's needs.
Choose which steps to hide and show such as Siri, TouchID, FileVault, Analytics, Location, and more.
With automated device enrollment there's no step three; you land at the desktop.
Automated device enrollment enables you to automate MDM enrollment and simplify device setup.
You can supervise devices during activation without touching them, as well as lock MDM enrollment for ongoing management.
A few years ago, we introduced a new feature that makes it easy to set up Apple TVs at scale.
It's been very successful and we're bringing it to the Mac.
All that you do is plug in power and connect Ethernet and then boot up.
And all of the setup screens are automatically skipped.
You land right at login.
It's the fastest way to set up a Mac and we think you're going to love it.
Auto-advance for automated device enrollment makes it easy to set up a Mac.
It requires you to manage your devices using Apple Business Manager or Apple School Manager.
Only power and Ethernet are required but your network must support DHCP.
Skip all the setup assistant steps and reach login within seconds or customize the setup to meet your needs.
And if you use encrypted disks, you will be required to enter your password.
Now I've got one more deployment feature for the Mac that I really want to tell you about.
And yes, it's for the new Mac Pro! It's called Lights Out Management and will enable admins to deploy Mac Pros at scale.
You can start up, shut down, and reboot one or more Macs remotely, even if they are unresponsive.
This is accomplished by sending a command from your MDM server to the MDM-enrolled controller on your Mac network.
Lights Out Management requires macOS Big Sur and your Mac Pros must be on the same subnet.
And you're going to want to install the Lights Out Management payload too.
Here's how it works.
You'll need to enroll a Mac to act as the controller on your local network and you will need all the Mac Pros to enroll as well.
Then connect all the Mac Pros to the enrolled LOM controller Mac.
Send the command to your MDM server.
Your MDM vendor will need to support the new Mac commands in order for this to work.
The LOM controller Mac receives the command and distributes it to each of the Mac Pros.
Lights Out Management for the new Mac Pro is an awesome new feature and we hope that you'll take advantage of it.
These terrific new enhancements to deployment will help you set up Macs at scale faster than ever before.
But once you have your Macs deployed, what about ongoing management? Let's start with supervision.
Supervision gives admins greater control of how devices operate.
We're making a change here that you've been waiting for.
Previously, user-approved MDM didn't have the same capabilities as automated device enrolled Macs.
Not anymore! Any Mac enrolled in a user-approved MDM will now be considered supervised.
Admins have the same special abilities, such as controlling activation lock and leveraging bootstrap tokens, just as they do if the device was enrolled using automated device enrollment.
You can query and list local users and choose to delete them, as well as replace or remove profiles and install supervised restrictions using MDM commands and schedule software updates.
We've learned a lot from managed software updates on iOS and iPadOS and we want to bring that same experience to the Mac.
There are a number of new MDM commands for software update, including forcing client Macs to accept software updates and then restart. Major releases of macOS and non-OS updates can now be deferred up to 90 days, and we've made a few changes to increase security, such as the removal of the software update catalog, as well as the Ignore flag for major updates only.
Now that's the story for managed software updates, but what about apps? Managed Apps have been a terrific feature on iOS for many years, and we want to bring it to the Mac, too.
You can now remove apps using MDM commands or they can be removed upon device unenrollment.
Managed app configuration and feedback are supported just as they are on iOS and iPadOS.
And if eligible, you can convert unmanaged apps to managed using MDM.
User-enrolled devices that have managed apps installed do not support conversion.
Apps have always been the cornerstone of the macOS experience but as cool as they are, large apps can include additional components that need to be downloaded to each of your clients.
Doing that can slow things down and use up valuable time, which is why we hope you're using Content Caching to reduce internet usage while speeding up the rate of downloading of apps, books, iCloud content, GarageBand music, software updates, Xcode components, and so much more.
There are over two dozen data types supported by content caching.
We've added support for internet recovery.
The initial boot image isn't included, but the full 6 gigabyte recovery image is cached, which will restore Macs on your network faster than ever.
When we integrated content caching into macOS a few years ago, we included a new tab in Activity Monitor that displays key performance metrics to help you understand how your content is being used.
We're now making those metrics available to you using the new Content Caching Information MDM command.
They help you determine if content caching is turned on, working, and helping your clients download content faster.
It gives you the information about registration state, cache pressure, bytes served, and so much more.
As a developer, please resist the urge to send this command repeatedly at high frequency, as it really wasn't intended to be used like Activity Monitor.
There's a bunch of great new features for content caching and we hope that you'll take advantage of them to speed up downloading of content to the devices on your network.
Now just as we have with deployment and management, we're also bringing a number of security improvements from iOS to the Mac.
At Apple, we strive to strike the right balance between improving security and preserving effortless deployment workflows.
Today we are introducing more things you can do with bootstrap tokens.
A bootstrap token is a reserved encryption key provided by your MDM server that enables macOS to create admin accounts without needing to authenticate with an admin password.
Historically, admins would need to create complicated workflows to create accounts on the system and then add individual user accounts.
Not anymore! Bootstrap tokens enable users to get a secure token and boot a Mac that uses FileVault.
This is a really useful feature if you use network accounts.
Bootstrap tokens improve the login workflow for mobile accounts.
Once implemented, admins can take advantage of authorized software updates and kernel extensions.
Bootstrap tokens are supported on the latest Macs with Apple T2 Security Chip.
Please review developer documentation to learn more about bootstrap tokens in your deployment.
Now let's talk about how we took measures to protect users.
You might be asked to install a profile that was sent to you in an email or one that was downloaded in a web page.
Since profiles can configure your device, we need to make sure that we don't install them accidentally from people that you don't trust.
In iOS and iPadOS, we introduced downloaded profiles.
This is where we isolate a profile that's been downloaded.
We have you install it manually by paying a visit to Settings.
It's designed to help protect customers.
We're bringing downloaded profiles to the Mac to offer the same security benefits.
When you download a profile, you'll receive a notification that you can review it in Settings.
Visit the Profiles pane in System Preferences and you'll see a new group labeled Downloaded Profiles.
Here you can preview the profile and click Install.
Confirm that you actually want to install it and enter your password to complete the installation.
Profiles can modify the way your device is configured and we want users to make an informed decision when installing them.
As an MDM developer, you're going to want to consider the challenges that Downloaded Profiles pose to your deployment workflows.
Once a profile is downloaded, it remains in System Preferences for eight minutes before it is removed from the System Preferences pane.
As we informed you previously, we've continued to make security enhancements that impact several command line tools that you may be using in your deployment workflows.
As of macOS Big Sur, you will no longer be able to completely install profiles using Terminal.
When you attempt to install a profile via the command line, it will be treated as if it was downloaded and you'll have to complete the install in the Profiles pane in System Preferences manually.
All other features of the Profiles command line tool will remain the same and continue to work as expected.
In addition to changes to the Profiles command line tool, macOS Big Sur also includes a tool called networksetup that makes it easy to view and edit your network settings using Terminal.
The problem is that admins and standard users have the same abilities to view and modify network settings from the command line.
We've now imbued these account types with different abilities when using the networksetup tool.
We've also hardened security by honoring the setting that requires your admin password when modifying system-wide preferences.
Here's some detail around the networksetup tool.
Admins and standard users now have different capabilities.
Standard users can only read network settings, turn on and off Wi-Fi, and change the access point.
They no longer have the same unbridled capabilities that admins do.
Tick the checkbox in Security & Privacy to require your password when modifying settings, but admins can get around this by using sudo.
There's one more significant security enhancement that you should be aware of.
Automated Device Enrollment uses device serial numbers to know which devices to enroll at activation.
Serial numbers contain bits of identifiable information like where and when the device was built.
These 12-character numbers help Apple target devices made at the same time, in the same place, to maintain quality.
To address identifiable information being used maliciously, we're going to start issuing completely random 10-character serial numbers across our product line.
As an MDM vendor, you depend on automated device enrollment and serial numbers to identify devices.
You'll need to take the new serial number format change into account within your products.
Third-party solutions must be capable of handling both the current product serial number formats and the newly-updated format at the same time.
There are a number of other new device management features, restrictions, and commands that MDM vendors can now take advantage of in macOS Big Sur.
Please consult our updated configuration profile and MDM protocol reference documentation at developer.apple.com to learn more.
It's a big year for the Mac, but the latest release of iOS and iPadOS has tons of great device management features included this year too.
From Shared iPad for Business and Temporary Session to Shortcuts now supporting Managed Open In, iOS and iPadOS have a ton to offer administrators.
Just like with Mac, we're going to focus on how admins can deploy, manage, and secure iOS and iPadOS too.
Let's start with deployment.
When time is of the essence, Apple Configurator helps you mass configure iPhones, iPads, and Apple TVs fast using a USB cable.
Apple Configurator now supports apps and books locations that are provided by Apple School Manager and Apple Business Manager.
Locations are different places where devices are kept.
For example, an institution may use a completely different set of apps and books at an elementary school than they do at a high school.
With this new feature, admins can now go to the account menu and select the location they'd like to use.
That displays an entirely different set of apps and books for each location that has been configured in Apple School Manager or Apple Business Manager.
This is a critical feature for our customers and we're excited to introduce it.
In addition to locations, cfgutil is now more scalable and can restore larger numbers of devices than ever before.
And if you didn't notice, Apple Configurator sports a brand new look in macOS Big Sur.
Now let's turn to a few more additions in iOS deployment.
Automated device enrollment enables you to customize the setup assistant to simplify MDM enrollment and device setup.
It enables you to get to the Home screen without needing to use the setup assistant.
And we're adding new skip keys for the new Getting Started and Update Completed panes in iOS 14.
We've now brought the Setup Assistant payload to iOS, although it works a little differently than on macOS.
Using the payload, you specify the same skip keys you use with automated device enrollment and then they will take effect during future upgrades.
The payload offers two benefits.
First, it allows you to skip Setup Assistant panes during an upgrade that you didn't know about when initially setting up the device.
And second, skipping the setup panes during upgrade is now possible on all supervised devices, not just those enrolled using Apple School Manager and Apple Business Manager.
I would now like to discuss one of my favorite device management features: Shared iPad.
It allows students to have a personal experience on a shared device.
Shared iPad gives schools the ability to provide each and every student with a personalized experience and their own data, even if the students are sharing iPads.
Earlier this year, we added some great new features to expand the ways in which Shared iPad can be used in different types of organizations, not only schools.
Shared iPad for Business can be configured using Apple Business Manager just as you do to configure it for students in Apple School Manager.
Employees can sign into Shared iPad using their managed Apple ID.
This is a great feature for service businesses such as restaurants where you can deploy shared devices to take orders from customers.
If you use Microsoft Azure Active Directory, your users can now sign in using federated authentication and Shared iPad now supports the new single sign-on extension too.
But wait, there's more! Shared iPad now supports dynamic numbers of cached users which allows you to set the amount of storage for each user instead of a fixed number of users.
You can also now delete all users from a shared iPad at once and we have added queries for estimated resident users and quota size.
And there's a highly requested feature called Temporary Session.
A temporary session further expands the way shared iPad can be used in different organizations by allowing a user to sign in temporarily without needing an account.
When you sign out, all the data the user created during the session will be deleted.
It's a quick and easy way for people to start using a shared iPad without a managed Apple ID.
Those are all the new deployment features we've introduced in iOS and iPadOS 14.
Now let's review what we're going to do to make managing iPhones and iPads even better.
First up is non-removable managed apps, a great new feature that admins will be excited about.
Previously, admins could completely lock the Home screen and prevent the deletion of all apps, which constrained the user's ability to manage their own apps.
Now users can continue to rearrange their apps and install new apps and delete other apps that they've installed.
And admins can mark only mission-critical managed apps as non-removable.
When your users try to delete or offload a managed app, the device prevents it and displays an alert.
Non-removable managed apps ensure that your users always have the apps they need on their devices.
You can now mark specific managed apps as non-removable, which will prevent the user from removing or offloading them.
Just like organizations want to be able to have some control over the apps on their employees' devices, they also want to keep a tight control over their proprietary data.
And this year, we've added several new ways to maintain that control.
Let's start with a great new iOS productivity feature: Shortcuts.
Shortcuts deliver a quick way you can get things done with your apps or with just a tap by asking Siri.
With Shortcuts supporting Managed Open In, when a shortcut triggers an action where data flow is not allowed because of the device policy, the shortcut will immediately stop running.
We do this by controlling the flow of data to make sure that managed data does not get shared with unmanaged apps and services and vice versa.
This makes certain that your organization's data does not fall into the wrong hands.
Building on preventing sensitive data from being shared, let's turn to notifications.
Organizations want to ensure that sensitive information cannot be revealed without user intent, so we've added a setting to control Notification previews to help.
It's a new key in the notification settings payload called Preview Type, which controls when previews are shown in notifications: never, always, or only after the user has unlocked their device.
The new key is only respected on supervised devices and will help your organization keep your data private and secure.
Now I have just one more management feature I would like to share with you before we move on to our security features.
Managing remote devices around the world is something that we are all becoming more familiar with.
Let's say you have employees that are located across multiple countries and some of them don't use location.
It really doesn't make a lot of sense for their devices to be configured to use the time zone of your MDM server by default.
Time management of endpoints is a critical function of key services.
If set incorrectly, it could cause serious problems such as authentication issues.
So we're introducing the new Set Timezone MDM command that allows you to choose the time zone for each device.
And it's not dependent on Location Services whatsoever.
Make sure you review developer documentation to learn more about how you can take advantage of this new command.
And those are just some of the new management features we are bringing to iOS and iPadOS 14 this year.
But what can we do to continue to improve the security of your devices? In this section, we will cover some changes coming this year that will impact deployment workflows as well as some new management capabilities you can use to secure iPhones and iPads in your organization.
VPNs, or virtual private networks, let people send and receive data across public networks.
There are three types of VPN that iOS supports: Full Tunnel, which all traffic can flow through; Split Tunnel, which chooses which traffic can flow through it; and we've added support for per-app VPN, which only lets certain apps' data flow through it.
Today, we're going to add support for you to choose which VPN your accounts should use.
This is called Per Account VPN for iOS and it allows you to choose a replacement VPN for Contacts, Calendars, and Mail domains.
You can associate an individual account with VPN just like you can the traffic of an app.
Developers only need to replace the keys in the Domain payload to take advantage of this new feature.
Since we're on the topic of encrypted traffic, you can now encrypt your DNS too.
Most of our traffic is encrypted when we talk to a server.
But when we talk to a DNS server, those connections aren't secure.
So in addition to per account VPN, we're also introducing Encrypted DNS settings.
Encrypted DNS allows you to enhance security without needing to configure VPN.
iOS already supports the standard for secure DNS.
Now we're providing the ability to manage it via MDM as well.
Let's talk about just one more new security feature we've included this year.
Beginning in iOS 14, whenever a device associates with a Wi-Fi network, it will use a random MAC address instead of the device's true hardware MAC address.
For enterprise networks that use captive portals or filtering, the new feature may cause an unexpected behavior as the device may not be identified when it joins.
If the device fails to join the network, it will fall back to using its real MAC address.
While users can disable this feature in Settings, we've also made it possible to disable it using the Wi-Fi payload.
As there were for macOS Big Sur, there are a number of other new device management features, restrictions, and commands that MDM vendors can now take advantage of in iOS, iPadOS, and tvOS.
Please consult our updated configuration profile and MDM protocol reference documentation at developer.apple.com to learn more.
Thanks for joining me to learn what's new in managing Apple's devices at WWDC 2020.
We hope you'll take advantage of the great new features across our platforms this year.
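The serial number format change discussed in the session (legacy 12-character serials alongside new random 10-character ones) is the kind of assumption that silently breaks an MDM integration. The following is an added example, not code from the session or from Apple: a brittle length check beside a compatible validator, plus a roster lookup that normalizes input before matching. The uppercase-alphanumeric character set and the roster entries are assumptions constructed for illustration.

```python
import re
from typing import Dict, Optional

# Assumption for illustration: serials are uppercase letters and digits.
# Legacy Apple serials are 12 characters; the new format is 10 random characters.
LEGACY_SERIAL = re.compile(r"[A-Z0-9]{12}")
NEW_SERIAL = re.compile(r"[A-Z0-9]{10}")


def normalize_serial(raw: str) -> str:
    """Strip whitespace and upper-case so formatting differences do not cause misses."""
    return raw.strip().upper()


def is_valid_serial_legacy_only(raw: str) -> bool:
    """Brittle check many integrations shipped: hard-codes the 12-character format."""
    return LEGACY_SERIAL.fullmatch(normalize_serial(raw)) is not None


def is_valid_serial(raw: str) -> bool:
    """Compatible check: accepts both the legacy 12-character and new 10-character formats."""
    serial = normalize_serial(raw)
    return (LEGACY_SERIAL.fullmatch(serial) is not None
            or NEW_SERIAL.fullmatch(serial) is not None)


# Constructed enrollment roster (placeholder serials, not real devices), keyed by
# normalized serial as an automated device enrollment integration might store it.
DEVICE_ROSTER: Dict[str, Dict[str, str]] = {
    "EXAMPLE12345": {"assigned_to": "lab-mac-01", "format": "legacy-12"},
    "EXAMPLE123": {"assigned_to": "lab-ipad-02", "format": "new-10"},
}


def lookup_device(raw_serial: str, roster: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Validate the serial in either format, then look it up; None if invalid or unknown."""
    if not is_valid_serial(raw_serial):
        return None
    return roster.get(normalize_serial(raw_serial))
```

Validating with `is_valid_serial_legacy_only` would reject every device shipped with the new format, so enrollment matching would fail even though the device is in the roster.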