Discover the latest advancements in key device management capabilities for your organization or MDM solution. Explore the refreshed device management Settings on iOS and iPadOS, an all-new return to service functionality for macOS, and other updates to device management across Apple platforms.
Hello and welcome to WWDC. My name is Graham, and I'm here with my colleague, Nadia, and we're from the Device Management team here at Apple. This past year has seen unprecedented changes in the way we work, live, and learn. From the office to the kitchen table to the living room sofa, Apple hardware, software, and services have been there to give people the power and flexibility to do whatever needs doing. Apple platforms provide a huge opportunity for system administrators and mobile device management developers to deliver incredible apps, rich content, and powerful services to customers, employees, students, and teachers. At Apple, we believe that the balance between privacy, user agency, and administrative control is what makes for a great device management solution. And in iOS 15 and macOS Monterey, we're introducing a number of great new features across all of our platforms. With so many exciting new features to share, we've created deep dive sessions for many of them. I'd like to briefly touch on a few topics before we get into today's content, starting with changes to user enrollment. User enrollment is designed for Bring Your Own Device deployments, where the user and not the organization owns the device. This MDM enrollment type protects the privacy of personal data while still securing corporate data on the device. This year, we have some exciting improvements to data separation and user onboarding. Check out the "Discover account-driven user enrollment" session to learn more. Next, I'm very excited to share with you that Apple Configurator for iPhone is coming to the App Store, and we have a new feature for macOS automated device enrollment. You are not going to want to miss the "Manage devices with Apple configurator" session. We're enhancing the device management protocol to be more robust and performant. For a look into the future of MDM, check out the "Meet declarative device management" session. 
This year, we have a number of exciting software update changes for iOS, iPadOS, and macOS. See what's new in the "Manage software updates in your organization" session, where we'll discuss testing, deploying, and enforcing OS updates. Now I'd like to turn it over to my colleague, Nadia, to tell you about some very exciting new features coming to iOS and iPadOS 15 this year.
Hi, I'm excited to tell you about all the new iOS and iPadOS features for device management. This year, we've made a significant change to the way users view their managed account, the profiles installed on the device, and how VPN is configured in Settings.
VPN & Device Management have been combined together, providing one comprehensive place to display the device state. There, you can get a complete understanding of how your device is being managed.

Another key component of MDM is installing apps. Many MDM vendors have an agent app that they require as part of configuring devices, or perhaps an organization has a critical app all their employees need. On supervised devices, this isn't a problem because apps install without prompting the user. However, unsupervised devices prompt for permission to install apps, which the user could then decline. Wouldn't it be great if you had more control over this? Well, now you do. Introducing Required App. You can now specify one app that you would like to be installed on unsupervised devices. We ensure user privacy is protected, since the user is consenting to the app install during MDM enrollment, and only this app will install without additional user approval. Simply add the iTunes Store ID of the App Store application to the MDM profile. Then ensure your app has a device or user license and send the InstallApplication command. Also make sure to add a managed app attribute to ensure the user cannot remove your app.

Securing the flow of data between apps is also a really important consideration. Managed open-in allows you to control whether data is allowed to enter or leave the management sphere. At its most basic, it controls independently whether data can be sent from an unmanaged app to a managed app and vice versa. And now we're making it better than ever with managed pasteboard.
A new restriction called requireManagedPasteboard controls whether copy/paste is affected by managed open-in. System apps that will honor the restriction include Calendar, Notes, Mail, and Files. All other apps require no additional changes to adopt this feature. Like usual, apps installed via MDM will automatically be treated as managed, and apps installed by the user will be treated as unmanaged. With managed pasteboard, you'll always be allowed to see the paste button. If you're not allowed to paste content somewhere due to the restriction, you'll get a "Paste Not Allowed" notification. As a side note, the organization name that appears in the notification can be modified using the OrganizationInfo Settings command.

Last year, we brought Shared iPad to Business, which allows employees to have a personal experience on a shared device. Shared iPad has traditionally required the use of a Managed Apple ID, but with Temporary Session, anyone can use a shared iPad. When logging out, all data, such as Safari browsing history, modified user settings, and files added will be deleted from the device, leaving it ready for the next user. In iOS 14.5, we have introduced three new features in the SharedDeviceConfiguration Settings command. TemporarySessionOnly is to limit the ability to log in with a Managed Apple ID. TemporarySessionTimeout and UserSessionTimeout will automatically log the user out after a set amount of time, ensuring that your data is secure after a period of inactivity. Make sure to not set the timer to a value too short, and also pressing the power or Home button will cause the timer to reset.

Now let's talk about some changes we've added for Apple TV. The TV Remote payload is useful for connecting specific Apple TVs with the Remote widget in Control Center on iOS and iPadOS devices. In tvOS 15, there is a new security enhancement where Apple TV will no longer broadcast MAC addresses over Bonjour.
Due to this change, we can no longer prevent PIN prompts from appearing on the TV. To ensure minimal impact to your deployments, we've added a new key to the TV Remote payload. Use the new TVDeviceName key in addition to the TVDeviceID key to filter Apple TV device names in the Remote widget. This will prevent any unwanted pairing attempts from managed devices.

A few other changes you will want to be aware of: all payload types within a single profile require unique payload identifiers. Additionally, for unsupervised devices, the Take Management prompt for apps can be declined up to three times. After that, the device will not prompt for 24 hours. Also, we've updated a number of payload keys to use more inclusive language. Be sure to check out the updated Device Management documentation for more information.
Thanks for exploring all the incredible features with iOS and iPadOS 15. Now I'm going to hand it back to Graham to talk about all the great new features coming to the Mac.

Thank you, Nadia. I think you'll agree that 2020 was a very exciting year for the Mac, from the amazing new look and feel of Big Sur to the introduction of Apple silicon. This new generation of Mac is enabling our users to do all kinds of amazing new things. And we have some great new device management features in macOS Monterey.

Let's get started by talking about System Extensions. System Extensions allow for software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access. We've made a few changes to the System Extension payload to enhance the management experience. In macOS 11.3, installing the System Extension payload changes the state of a system extension. For example, if a system extension is pending user approval, installing the payload will activate the extension. Conversely, removing the payload will now deactivate the system extension. In macOS Monterey, there is a new feature called RemovableSystemExtension. This will allow an app to deactivate its own system extension, for example, when the app uninstalls itself. With this feature, there will be no admin password required to remove the system extension. This may be useful in deployments where the Mac has no admin user.

In macOS Big Sur, it became a requirement to reboot a Mac to modify kernel extensions. We've added a few features to make managing kernel extensions easier. First, we added an option to the RestartDevice command that tells the Mac to rebuild its kernel extension cache on reboot. This is required anytime a kernel extension is added or removed. Use the optional KextPaths key to specify kernel extensions that haven't been discovered by the operating system.
This allows MDM to install an app and load the kernel extension without requiring the user to launch the app before rebooting. The new NotifyUser option will allow MDM to display a reboot notification to the user. When clicked, the user can perform a graceful restart of the Mac. The NotifyUser feature can be used outside of the context of kernel extensions, but it's especially helpful when they're combined. The AllowNonAdminUserApprovals key in the System Policy Kernel Extensions payload allows a standard user to complete the installation of kernel extensions. Note the user must perform the restart from within System Preferences or use the notification from MDM to trigger the kernel cache rebuild. Depending on the hardware, you may need a bootstrap token to complete this step. You can find out if this is required in the SecurityInfo query.

Next, let's talk about apps. One of the coolest new features of Mac computers with Apple silicon is the ability to run iPhone and iPad apps. With the initial launch of macOS Big Sur, we added a new DeviceInformation query key that reports if a Mac supports iPhone and iPad app installs, and in macOS 11.3 on Apple silicon, this now returns true. Once you're ready to install an App Store app or your own in-house enterprise app, you'll need to include a new flag in the InstallApplication command to indicate that it's an iPhone or iPad app. And in the case of in-house enterprise apps, ensure the URL in the manifest points directly to an .ipa file and not a .pkg. We now support the ability to manage iOS-style provisioning profiles. This feature allows for independent management of in-house enterprise apps and provisioning profiles.

Now, let's talk about some new features exclusive to Apple silicon. We are enhancing the DeviceLock command on Mac computers with Apple silicon. With this change, administrators will now be able to send a six-digit PIN, message, and phone number to the device.
This will cause the Mac to reboot and present the user with the information provided, bringing feature parity across all Mac models. With remote lock in place, the user is unable to use a Mac until the PIN has been provided. Once the PIN is entered, the Mac will reboot with all data intact, ready for login.

While this is a great start, rebooting to recovery could allow for unintended data access or changing critical security settings. So we're adding a new feature to set a recovery password. The new SetRecoveryLock and VerifyRecoveryLock MDM commands allow you to set and verify a password that must be entered before the Mac can reboot into recovery. There are some important details that you will want to know about using these new commands. The password can only be set and removed by MDM. Therefore, if a user un-enrolls from MDM, the recovery password will be removed. The MDM server needs to know the existing password to set a new password. And finally, both the DeviceLock PIN and the Recovery Password will be removed when the Mac is erased. Therefore, we recommend using these features in conjunction with Activation Lock to provide the best security for your fleet.

Now, we know you're pretty excited about these features, but we do have one last thing. Erase All Content and Settings for the Mac. New in macOS Monterey is the ability to Erase All Content and Settings for a quick return to service. And we're very excited that this functionality will be available via MDM as well. Sending the EraseDevice command will now erase all user data and reboot back to Setup Assistant, ready for the next user. A couple of notes on this feature you'll want to be aware of: This feature is supported on Mac computers with Apple silicon and the Apple T2 security chip. If the Mac has multiple partitions, it will reboot back to setup on the current system volume, and all other volumes will be erased.
On devices with Apple silicon, this will also reset any security settings that have been modified in recovery. We also know that you might not want users to erase their Mac, so we're bringing the allowEraseContentAndSettings restriction to the Mac. We've covered a ton of new features today, and we're so excited for you to get your hands on them. To keep up to date with the latest changes in each seed, please review the Device Management documentation at developer.apple.com. Also remember, AppleSeed for IT helps you access and test all of these new features. Any nonstudent Managed Apple ID from Apple School Manager or Apple Business Manager can participate in the program. Along with access to pre-release Apple software for testing in your environment, it includes detailed test plans and a way for you to provide feedback. I'd also like to remind you to check out all the great deep-dive sessions. These sessions will give you even more details on all the new device management features.
From the updates to user enrollment to Shared iPad and all of the exciting new features for the Mac, we look forward to seeing you take the device management experience to the next level. Thank you, and enjoy the rest of your WWDC. [percussive music]
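A small profile-validation helper, added here as an example and not part of the session or of Apple's own tooling. It reads a configuration profile with `plistlib` and reports two of the conditions the session calls out: duplicate PayloadIdentifier values within one profile, and TV Remote entries that carry a TVDeviceID without the TVDeviceName that tvOS 15 filtering in the Remote widget needs. The sample profile is constructed; the `com.apple.tvremote` PayloadType string and the `AllowedTVs` list key are assumptions, so check them against the Device Management documentation before relying on them.

```python
import plistlib

# Assumed PayloadType of the TV Remote payload and its list key (neither is
# stated in the session; verify both against the Device Management docs).
TV_REMOTE_PAYLOAD_TYPE = "com.apple.tvremote"
TV_REMOTE_LIST_KEY = "AllowedTVs"

# Constructed sample profile: the second payload reuses the first payload's
# PayloadIdentifier, and the last TV Remote entry has no TVDeviceName.
SAMPLE_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mdm.profile</string>
  <key>PayloadUUID</key><string>11111111-1111-4111-8111-111111111111</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.mdm.profile.part1</string>
      <key>PayloadUUID</key><string>22222222-2222-4222-8222-222222222222</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>requireManagedPasteboard</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>com.example.mdm.profile.part1</string>
      <key>PayloadUUID</key><string>33333333-3333-4333-8333-333333333333</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.tvremote</string>
      <key>PayloadIdentifier</key><string>com.example.mdm.profile.tvremote</string>
      <key>PayloadUUID</key><string>44444444-4444-4444-8444-444444444444</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>AllowedTVs</key>
      <array>
        <dict>
          <key>TVDeviceID</key><string>00:11:22:33:44:55</string>
          <key>TVDeviceName</key><string>Boardroom Apple TV</string>
        </dict>
        <dict>
          <key>TVDeviceID</key><string>66:77:88:99:AA:BB</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def check_tv_remote(payload: dict) -> list:
    """Flag TV Remote entries that identify a TV by TVDeviceID alone."""
    findings = []
    for position, tv in enumerate(payload.get(TV_REMOTE_LIST_KEY, [])):
        if "TVDeviceID" not in tv:
            findings.append(f"TV Remote entry {position} has no TVDeviceID")
        elif "TVDeviceName" not in tv:
            findings.append(
                f"TV Remote entry {tv['TVDeviceID']} has no TVDeviceName; "
                "the Remote widget on tvOS 15 filters by name"
            )
    return findings


def lint_profile(profile_bytes: bytes) -> list:
    """Return human-readable findings; an empty list means the profile passed."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    owners = {}  # PayloadIdentifier -> PayloadType of the first payload using it
    for position, payload in enumerate(profile.get("PayloadContent", [])):
        payload_type = payload.get("PayloadType", "<missing PayloadType>")
        identifier = payload.get("PayloadIdentifier")
        if not identifier:
            findings.append(f"payload {position} ({payload_type}) has no PayloadIdentifier")
        elif identifier in owners:
            findings.append(
                f"duplicate PayloadIdentifier {identifier!r}: used by "
                f"{owners[identifier]} and {payload_type}"
            )
        else:
            owners[identifier] = payload_type
        if payload_type == TV_REMOTE_PAYLOAD_TYPE:
            findings.extend(check_tv_remote(payload))
    return findings


def build_profile(payloads: list) -> bytes:
    """Wrap payload dicts in a minimal top-level profile so the linter can be run on them."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.mdm.profile",
        "PayloadUUID": "11111111-1111-4111-8111-111111111111",
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE_XML) or ["profile passed"]:
        print(finding)
```

Run it against an exported `.mobileconfig` by passing the file's bytes to `lint_profile`; the two findings on the constructed sample are the duplicated identifier and the TV entry that would fall back to PIN prompts because it has no name to filter on.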