Ivanti Blog: Posts by

Apple Business Manager Device Migration: What You Need to Know

Fri, 12 Sep 2025 17:27:33 Z

With Apple’s OS 26 release, IT admins using Apple Business Manager (ABM) or Apple School Manager (ASM) have a great new tool in their toolbelt: device migration. This makes switching devices between MDM platforms much easier, with minimal disruption for end users.

Here, we’ll unpack what you need to know, and how ABM device migration makes it incredibly easy to switch to Ivanti Neurons for MDM.

Key ABM device migration features

Apple’s new ABM device migration features make it easier to move devices between different MDM solutions, without manual steps or interrupting users.

No manual re-enrollment. You can transfer devices from one MDM server to another, or from one vendor’s MDM to another (including Ivanti Neurons for MDM), without erasing or manually re-enrolling devices. All existing user data and device configurations will automatically be applied during migration. The end user will be able to complete the re-enrollment with two guided clicks: one for restarting the device and one for re-enrollment into the new MDM.

Enrollment deadlines. This is the newest feature introduced by Apple in ABM and ASM. You can set and enforce deadlines for moving devices to the new MDM instance. If a device isn’t enrolled in time, it will be locked and the user will be asked to finish enrollment. With this deadline you will be able to trigger the automated process for re-enrollment in the new MDM. It will prompt the end user with screens to complete the re-enrollment seamlessly.

End user experience. The end user experience won't notice any changes during migration, except if the enrollment deadline has passed. Once the migration is complete, the user will get a prompt to restart the device. After the device restarts, the end user will get a prompt to re-enroll the device in the new management solution, which takes one click.

API-driven. The process can also be managed through the ABM or ASM portal using Apple’s new APIs (which you need to activate). This means that customers that use an API infrastructure can bulk assign or unassign devices with the new Apple ABM APIs without having to access the ABM console.

ABM device migration use cases

When would you use this feature? Here are a few key use cases.

Cloud migration

ABM device migration allows you to move from on-premises MDM to cloud-based MDM without re-enrolling devices. For Ivanti customers, this feature makes it easy to move to Ivanti Neurons for MDM from Ivanti Endpoint Manager (for MacOS) or Ivanti Endpoint Manager Mobile (for all Apple devices).

Switching MDM providers

ABM device migration simplifies switching from another MDM provider to Ivanti Neurons for MDM, or consolidating all type of devices (Android, Windows, Apple,) on a single platform from MDMs that only manage Apple devices, such as Jamf or Kandji.

School district device realignment

Educational institutions can realign devices between departments or campuses while maintaining all Apple management and assignment settings.

Mergers, acquisitions or reorganizations

If you’re combining or separating IT infrastructure due to M&A or reorganization, you can move devices to new MDM environments with minimal user disruption.

Setting up ABM device migration: a step-by-step guide

Before you begin

There are two important considerations before you begin:

Device migration only works on devices running iOS 26, iPadOS 26 or macOS26 (or later). Make sure your devices are updated first.
You don’t need to make any changes on the MDM server side to support device migration, but target MDM servers should be prepared to receive new device assignments and enrollment requests.

Device Migration via the ABM console

Sign in to Apple Business Manager and navigate to Devices. From here, use the search bar to find the target devices by serial number, order number or other identifiers. Then, select the devices you wish to set a migration deadline for.

Next, review the device details: Click on the device to open its detailed view and confirm that it is assigned to the correct MDM server. You can now set the migration deadline.

From here, click on Assign Device Management.

In the pop-up, you can choose the new MDM organization that the device needs to be assigned to.

Next, choose the deadline.

Select the desired date and time for the deadline. This is the final date users have to migrate their device to the assigned MDM server. If users don’t follow the prompts they’ll be locked out the device. Then, click Continue.

On the device the user will receive a notification to restart their device.

After restarting, the device will request the user to enroll in the new management service.

Device migration via APIs

Setting up ABM device migration via APIs is simple, and it’s done completely in ABM (or ASM), no matter which MDM you are switching to or from.

First, log in to your Apple Business Manager or Apple School Manager account and navigate to Settings > Device Manager Settings.

Then, review and enable the required APIs to allow device migration. (If you’re not sure how, check the Apple admin guide for step-by-step help.)

Once the APIs are enabled, you can simply follow Apple’s migration workflow to select devices and designate the new target MDM server. Optionally, you can set an enrollment deadline for migrated devices.

Additional ABM device migration resources

If you need more detailed information, you can refer to:

Apple WWDC25 Announcement of Enterprise IT Enhancements

Fri, 18 Jul 2025 14:15:25 Z

At WWDC25, Apple announced a set of updates to simplify IT management for enterprises. These updates, spread across macOS 26, iOS 26, iPadOS 26, tvOS 26 and visionOS 26, introduce practical tools to improve device, application and user management.

This article outlines the specific capabilities and how they can be applied effectively in enterprise environments.

Enhanced Apple Business Manager for flexible device management

Apple Business Manager (ABM) improvements in iOS 26, iPadOS 26 and macOS 26 bring enhanced flexibility to enterprise IT operations. Being able to migrate devices between Mobile Device Management (MDM) solutions means that businesses can react to evolving technological requirements or vendor changes without needing to reconfigure devices manually. For example, an organization switching to one of Ivanti’s on-premises solutions to Ivanti Neurons for MDM can retain operational continuity by utilizing the new ABM Device Migration APIs while aligning configurations with the latest policies.

Administrators can now enforce enrollment deadlines for Managed Apple Accounts, helping enterprises integrate new devices into their IT systems on schedule. This feature is particularly helpful for compliance with internal policies or regulatory requirements, ensuring devices are accounted for during deployments.

Enhanced onboarding processes with Account Driven Enrollments, supported by the Service Discovery API, simplify enrollment by enabling preconfigured settings to guide users through setup. This reduces time spent onboarding large numbers of employees or devices.

Organizations can also bolster account security with stricter access controls. By allowing only Managed Apple Accounts during device setup and login, enterprises can prevent personal accounts from compromising company data or workflows. Additionally, including warranty and AppleCare coverage details lets enterprises plan for the entire lifecycle of their devices, optimizing replacement or support strategies to maintain productivity while minimizing downtime.

Modernized app management with Declarative Device Management

Declarative Device Management (DDM) updates provide better tools for managing app lifecycles in enterprise environments. Administrators get granular control over app installations and updates, so you can enforce mandatory upgrades for security-critical applications or postpone non-essential updates to avoid disruptions during critical operations. Similarly, the ability to pin apps to specific versions can stabilize environments where software dependencies are tightly coupled.

Real-time reporting of app installation and update statuses offers IT teams actionable insights into compliance and troubleshooting. For instance, administrators managing thousands of devices can track which apps are outdated or whether installation errors occurred, resolving issues without delays. Furthermore, organizations managing extensive mobile fleets can restrict app downloads over cellular data to conserve bandwidth and ensure adherence to security policies, useful in industries with strict data regulations or cost-control measures.

Updates to macOS 26 let enterprises scale their device operations more effectively. Declarative Application Management lets administrators deploy apps — whether they are from the App Store or custom-built solutions — across thousands of devices simultaneously, streamlining rollouts during enterprise deployments or product launches. The ability to deploy .pkg files caters to organizations relying on proprietary software or specific configurations.

VisionOS 26 also supports deploying managed applications via DDM.

Improved Safari configuration for efficiency and compliance

Safari updates bring practical configuration tools that enterprises can use to align browser settings with organizational needs. Administrators can now preconfigure bookmarks to direct employees to relevant software tools, company websites or knowledge bases upon login, reducing onboarding times and improving workforce efficiency. You can set landing pages to match company branding and guarantee employees start their browsing sessions on compliant and secure portals, which is especially useful for maintaining organizational policies.

Better audio accessory management for shared device scenarios

For shared device deployments, such as in healthcare, education or retail, Apple’s enhanced audio pairing management introduces useful controls to maintain security while enabling flexibility. Administrators can allow temporary audio accessory pairing without data syncing to iCloud, ensuring that employee or customer data is not inadvertently retained on shared devices. For added security, pairing data can be erased automatically based on predefined schedules, such as each night.

These controls are critical for shared environments where sensitive data protection and operational continuity are key. For example, hospitals using shared iPads for patient intake can ensure that data is cleared between users while still enabling seamless accessory use for each individual session.

Platform Single Sign-On for simplified authentication

The new Platform Single Sign-On (SSO) tools in macOS 26 reduce friction during the authentication process for enterprise employees. Platform SSO can now be activated during automated device enrollment, meaning employees can immediately access managed apps, company services and their Managed Apple Accounts without additional sign-ins. This feature simplifies the device setup process for organizations onboarding large numbers of employees or contractors.

The addition of Authenticated Guest Mode benefits shared environments, such as schools or hospitals, by allowing temporary logins via organizational Identity Provider (IdP) credentials. This ensures that users can access only the resources they are authorized for, while personal data is automatically erased upon logout. This is especially beneficial in environments with transient users where data security and quick turnover are priorities.

Return to Service: streamlined device reuse

Apple’s improvements to the Return to Service workflow allow enterprises to retain managed apps during device preparation for reuse. This feature significantly reduces the time needed to prepare devices for new users in shared-use scenarios. For instance, retail organizations can erase user data while retaining critical operational apps, allowing devices to be redeployed within minutes rather than hours. Automated re-enrollment into MDM ensures that settings, restrictions and compliance policies are applied quickly and consistently.

If you have a healthcare use case, check out Return to Service features supported by Ivanti Neurons for MDM. By adding a Return to Service option on your Ivanti iOS client, your floor staff can safely repurpose devices with one click.

ManagedApp Framework for secure enterprise app configurations

The ManagedApp Framework, built on Declarative Device Management, introduces a structured approach to defining and passing configuration details to enterprise apps. This framework allows IT administrators to establish app behavior — such as server URLs, credential parameters or connection policies — tailored to specific employees or teams.

For example, an IT department can provide custom app settings for field technicians that include preconfigured server endpoints and unique digital certificates, while offering a more limited set of configurations for interns or temporary staff. The framework integrates seamlessly with features like Single Sign-On and Managed Device Attestation for secure, scalable and compliance-ready app deployments across industries. This feature requires support both from the application and from the MDM side.

Software updates changes in iOS/iPadOS/macOS 26

Apple is deprecating legacy software update management methods in iOS, iPadOS and macOS 26, and removing support in 2027 OS versions, requiring all organizations to transition to the new Declarative Management Software Update Enforcement and Software Update settings. Ivanti fully supports these new workflows, enabling automated and proactive update management. Declarative Management Updates are supported on iOS/iPadOS 17+ and macOS 14+. To prepare, customers should update their device management policies in Ivanti, configure Software Update Enforcement and settings for their devices and ensure compliance with Apple’s updated requirements—securing a smooth transition ahead of the deadline.

Key takeaways for enterprise IT

Apple’s WWDC announcements introduce meaningful improvements for enterprise IT, from streamlined device reuse to more flexible management and security controls. Using Ivanti’s endpoint management solutions alongside these new Apple features will help organizations automate deployments, ensure compliance and support diverse user needs with greater efficiency.

A Guide to Apple Declarative Device Management for Enterprises

Sat, 07 Jun 2025 13:00:01 Z

Apple declarative management introduces a shift from the traditional command-based model to a more autonomous and flexible framework. This approach aims to improve the efficiency and responsiveness of managing Apple devices.

The components of Apple declarative management — declarations, assets, predicates and status channels — work together to create a more efficient, scalable and responsive MDM framework. Declarations define the desired states; assets provide the necessary resources; predicates enable context-aware policy application; and status channels facilitate efficient communication.

Apple is deprecating legacy software updated management methods in iOS, iPadOS and macOS 26 and removing support in 2027 OS versions, requiring you to transition to the new declarative management software update enforcement and software update settings. Ivanti fully supports these new workflows for automated and proactive update management.

The shift to declarative device management

Let's explore the technical aspects of Apple declarative device management and its benefits for MDM users.

Traditional MDM operates on a command-and-control basis, in which servers send commands to devices to perform actions such as installing apps or enforcing policies. Devices then report their status back to the server, necessitating constant communication.

This frequent check-in process is needed for devices remain compliant with the organization's policies and that changes or updates are promptly applied. Without regular check-ins, administrators would have limited visibility into the device's status, making it challenging to verify compliance, deploy updates or address security issues in real-time.

Apple declarative device management utilizes a declarative format with which administrators define desired states and policies. Devices receive these declarations and autonomously enforce the desired state, reporting back to the server only when there is a change.

In this model, the device's operating system plays a critical role in making the device more autonomous. The OS continuously evaluates the current state of the device against the desired state defined by the declarations. If discrepancies are detected, the device will self-heal.

The OS independently applies the necessary changes defined in declarations and predicates to align with the specified policies. This autonomous evaluation and enforcement capability minimizes the reliance on server commands and allows for real-time adjustments, ensuring devices remain compliant even when offline or out of network range.

Key components of Apple declarative device management

Declarations

Declarations represent the desired state or configuration that an administrator wants to apply to devices. Declarations are sent to devices, which then interpret and autonomously enforce these states. The key features of declarations include:

Configuration definition: Administrators define configurations in a declarative format. This includes settings for Wi-Fi, VPN, device restrictions and more.
Autonomous enforcement: Devices interpret the declarations and apply the specified policies independently, without requiring continuous communication with the server.

Assets

In Apple Declarative Management, assets are resources used by devices to implement policies and configurations defined in declarations. These assets include certificates, data and user information.

Certificates are used for authentication, encryption and secure communication among devices and services. Administrators deploy digital certificates via declarations to enable secure access to corporate networks, email, VPNs and other resources. These certificates can be updated independently from the declarations, maintaining current security credentials without a complete policy overhaul.

Data consists of configuration files, scripts, binaries and content resources. Configuration files contain specific settings for applications or network configurations, while scripts and binaries automate tasks or add functionality. Content resources include branding materials or compliance documents. Managing data as assets allows for efficient updates and reuse across multiple declarations.

User information includes user profiles, preferences and roles within the organization. This information tailors device settings and permissions based on user roles. Dynamic data, such as location-based information or activity logs, ensures device configurations adapt to the user's current needs.

Assets are managed separately from declarations, allowing for efficient reuse and updates. When an asset is updated, all declarations referencing that asset can automatically apply the updated version.

Predicates

Predicates in Apple Declarative Management work as the conditional logic elements within declarations that define when and how specific policies should be applied to devices. Predicates are evaluated on the device itself, allowing for real-time, context-aware decision-making. They consist of logical expressions that can reference various device attributes and contextual information. When the conditions specified by a predicate are met, the corresponding policies or configurations within the declaration are enforced.

Predicates leverage the syntax and capabilities of the Cocoa programming language to define conditions under which specific policies should be applied. Cocoa predicates are expressions that evaluate a Boolean value, enabling complex logical conditions using attributes such as device type, OS version, network status and more.

Status channels

Status channels are communication pathways that devices use to report their state back to the server. Unlike traditional MDM, with which devices constantly check in with the server, status channels enable asynchronous and event-driven communication. Key features of status channels include:

Asynchronous reporting: Devices send status updates only when there is a change in their state or when specific conditions are met.
Efficient communication: This reduces the need for continuous polling, minimizing network traffic and server load.
Real-time monitoring: Administrators receive timely updates about the compliance and state of devices, allowing for prompt action if necessary.

Status channels ensure that administrators are informed of any deviations from the desired state, enabling proactive management and quick remediation.

Apple declarative device management in Ivanti UEM solutions

Ivanti keeps its products updated with the latest enhancements in the device management industry. Both our UEM cloud and on-premises solutions support declarative management.

Declarative device management is not a full replacement of the traditional MDM protocol. Therefore, solutions will present a hybrid approach, leveraging the best of both frameworks. Ivanti customers will see progressive and seamless integration of the new capabilities in our platforms as Apple also makes improvements to the framework with every new release of its operating systems.

Optimizing Apple DDM with Ivanti’s Latest Innovations

Tue, 21 Jan 2025 20:10:27 Z

The explosion in devices—particularly Apple devices—deployed across a modern enterprise is increasing the already arduous device management burden on IT and cybersecurity teams.

According to recent research, 76% of large enterprises are using more Apple devices, and 57% of US firms say Apple adoption is outpacing other options. So, it’s become crucial for more enterprises to leverage Apple Declarative Device Management (DDM) to streamline device management, automate compliance and enhance scalability.

Apple's approach to DDM was introduced in 2021 and expanded with each OS release. It’s created a fundamental shift in device management, streamlining software updates and patching. Now, IT teams can define desired states so Apple devices can self-enforce configurations and updates locally, reducing reliance on servers and manual intervention.

Thus, updates can happen faster, errors can be minimized, and end-user experiences can be improved invisibly and proactively. Which appreciably eases IT workloads while sustaining security and operational agility.

Apple is deprecating legacy software update management in iOS, iPadOS and macOS26, and they will remove support in 2027 OS versions, which means now is the time to make the switch to DDM. Let's explore how Ivanti's MDM and UEM products will enable admins to get the most out of Apple DDM.

What is declarative device management (DDM)?

DDM is an advanced approach to managing devices, primarily in enterprise or organizational IT environments. It empowers administrators to define a device or system's desired state and allows the system to automatically enforce and maintain that state.

The DDM model shifts away from traditional imperative management, where configurations and actions are centrally scripted and managed by IT administrators. That approach requires direct instructions to achieve the desired outcome on each device.

Key features and benefits of DDM

What are DDM’s advantages over a traditional device management model?

Administrators can specify the desired state or behavior of a device, focusing on "what" it should look like instead of "how" to achieve that state. For example, rather than scripting individual commands for configuring security settings, an admin can simply declare the required settings and the system will enforce them.
Devices autonomously monitor their configurations to ensure compliance with a predefined state. If a device deviates, it automatically corrects itself to restore compliance without manual intervention.
DDM proves highly effective in large-scale settings since it minimizes the need for repetitive and manual configuration tasks.
DDM minimizes the complexity of management workflows and ensures consistency across devices.
DDMs employ modern management protocols for faster and more reliable updates to device configurations and policies.
DDM is commonly implemented in cloud-based mobile device management (MDM) solutions, leveraging the cloud for synchronization, monitoring and enforcement, although it can also be implemented in on-prem solutions.
DDM reduces manual effort by automating configuration and enforcement processes.
Ensures consistency and compliance across devices, reducing the risk of human error.
Dynamic updates means quicker application of policies and settings versus traditional methods.
Changes are implemented seamlessly without disrupting the user experience.

An example DDM use case

In a hypothetical example, an IT administrator declares that all employee devices within the enterprise environment must:

Have a specific version of the operating system.

Enable encryption.

Restrict access to certain applications.

Using DDM, these requirements are automatically applied, continuously enforced and remediated if there’s any deviation.

Software updates and OS patching via Apple DDM

Utilizing Apple Declarative Device Management for software updates and operating system (OS) patching seriously improves these processes, making them more proactive, efficient and seamless. It simplifies administration, cuts down on delays and guarantees a fleet of devices is always secure and up-to-date.

Software update benefits

Centralized control with distributed execution

Administrators set configurations centrally but rely on the device's local capabilities for execution.

Proactive local enforcement

Updates are enforced at the device level, eliminating the need for constant server intervention. Admins set a desired OS version and deadline, and the device autonomously ensures compliance.
The device monitors itself, applying updates without the need for constant server communication.

Automation

Admins can configure specific versions and deadlines and update schedules (e.g., after work hours), automating the process while minimizing end-user disruption.
For example, a critical security patch can be scheduled for a particular time, ensuring all devices are updated without user intervention.
If a device is powered off and misses the update deadline declarative management reschedules the update automatically for a later time.

User notification and experience

Notifications begin 14 days before the deadline, reminding users to update at their convenience. On the deadline, the device automatically reboots and installs updates if necessary.
Admins can customize these notifications or suppress early reminders (e.g., for retail or healthcare environments).
Admins can configure the level of user interaction allowed by Apple DDM, such as permitting manual updates before the enforced deadline or limiting user deferrals.

Faster updates with reduced network dependency

Unlike traditional MDM, where the server continuously checks device status, DDM reduces latency by shifting the compliance mechanism to the endpoint.

Enhanced status reporting

Devices proactively report the status of updates to the server including whether an update is in progress, completed successfully or failed. In case of failure, detailed error logs are available.

OS patching benefits

Predicates for context-aware updates

DDM allows conditional rules (predicates) for updates, such as only applying a patch when a device is charging or has a battery above 80%.
These conditions are evaluated locally on the device, making updates context-sensitive and efficient.

Seamless transition to new OS versions

DDM automatically manages the transition to new OS releases or security patches without requiring manual admin oversight at each step.

Local action without internet

Devices can enforce configurations and patches even when offline, applying updates based on preloaded criteria and activating changes when conditions permit (e.g., when connected to power or during off-hours).

Another practical use case

In an organization with 1,000+ iPhones and MacBooks, a zero-day vulnerability requires immediate patching. The solution?

The admin declares a patch deadline and target version using Apple DDM.

Devices enforce the update based on local predicates, ensuring the patch is applied under optimal conditions (e.g., during low battery drain times).

Users receive notifications prior to the update so they’re informed without interrupting workflows.

Ivanti’s declarative management support

Ivanti’s declarative management support builds on Apple’s Declarative Device Management (DDM) framework to offer a seamless, proactive and efficient approach to managing Apple devices. What are some of its key components?

Integration with Apple’s DDM framework

Ivanti utilizes Apple’s DDM as an enhancement to the existing Mobile Device Management (MDM) protocol – not a complete replacement but an additional layer designed to:

Automate device responses: Allow devices to enforce configurations and policies locally, reducing reliance on the server for continuous checks.
Enable real-time proactivity: Devices can autonomously apply updates or configurations when predefined conditions (predicates) are met.

Software update enforcement

Ivanti's platform supports Apple’s declarative software update management, which introduces:

Enforcement settings: Administrators can specify OS versions, deadlines and update schedules.
Proactive local actions: Devices monitor themselves and apply updates without requiring manual input or waiting for server-side triggers.
Improved communication: Devices report their update progress, success or failure directly to the Ivanti management server, providing admins with real-time visibility.

Predicate management

A standout feature of Ivanti’s support is its handling of predicates – logical conditions that devices evaluate before applying configurations or updates. For example:

A policy applies only if the device’s battery is above 80%.
A configuration activates when the device is charging.

Simplified predicate management in Ivanti’s console

Ivanti provides a dedicated interface for creating, managing and reusing predicates across configurations.
These predicates can be easily applied to declarative configurations, streamlining complex workflows.

User experience and notifications

Ivanti enhances the user experience by leveraging Apple’s notification capabilities:

Notifications can start 14 days before the update deadline, with options to tailor their frequency and content.
Critical updates can override user deferrals by enforcing reboots and updates at the scheduled deadline.

Past-due handling

If a device misses the deadline (e.g., turned off), Ivanti reschedules updates automatically ensuring compliance.

Supported configurations

Ivanti ensures backward compatibility and a smooth transition to declarative management by supporting both legacy MDM and newer DDM configurations.
Existing policies and workflows continue without disruption.
Declarative configurations (e.g., predicates and local enforcement) are gradually integrated and highlighted within the platform.

Related: Watch the webinar Mastering Apple Device Management with Ivanti

Ivanti’s guidance for updating and patching Apple devices with declarative device management

Ivanti’s approach to supporting Apple DDM leverages the proactive capabilities of Apple's declarative management framework, combining it with a user-friendly interface, automation and support for complex enterprise workflows. This comprehensive guidance enhances enterprise device management efficiency and security.

Enforcing updates and patches

Automated scheduling lets admins enforce updates by specifying the target OS version along with a specific date and time for the update to occur. This eliminates the need for manual updates and ensures compliance with organizational policies.
Devices enforce update enforcement locally, applying updates based on preconfigured conditions without relying on continuous server communication.

Managing user notifications

Notifications are sent to end users starting 14 days before the update deadline, providing transparency and encouraging users to update at their convenience.
For specific use cases such as retail or healthcare, flexible notification configurations let admins suppress early notifications and opt for last-minute alerts to minimize disruption.

Improving compliance and visibility

Devices proactively report their update status to the Ivanti server, reporting whether updates are in progress, completed successfully or failed. Administrators also gain access to detailed error logs to troubleshoot issues.
If a device misses the deadline (e.g., if it is powered off), the device automatically reschedules the update for the next available hour.

Using predicates for conditional updates

Administrators can define predicate logic for when updates should be applied.
Since conditions are evaluated locally, updates can happen even when the device is offline.
Ivanti provides tools for creating, managing and reusing predicates across configurations, making conditional updates simpler and easier to implement.

Enhancing user experience

End users get clear communication about the update schedule, including the enforced deadline. They have the option to install updates manually before the deadline to avoid automatic enforcement.
Updates can be scheduled during off-hours to minimize disruption of the user's daily activities.

Streamlining patch management

Ivanti supports declarative patch management -Apple system updates.
Administrators can enforce updates, including critical security patches, ensuring devices remain secure and compliant.

Related: Read our Knowledge Base article on How to enforce Apple Software Updates with Neurons for MDM and EPMM

A standout approach to supporting Apple DDM

Ivanti's approach to Apple Declarative Device Management stands out because it extends an organization’s automation, local enforcement and proactive capabilities.

Administrators benefit from user-friendly tools, customizable notifications and detailed status reporting, while end-user disruption is minimized through scheduled updates and seamless workflows. With Ivanti, Apple DDM becomes even more efficient, secure and scalable for the organizations that rely on it.

Related: A Guide to Apple Declarative Device Management for Enterprises

WWDC 2024: What IT Admins Need to Know About Apple’s Announcements

Mon, 05 Aug 2024 08:00:00 Z

Apple's announcements at this year’s Worldwide Developers Conference have surprised everyone with new capabilities designed to make the IT admin's life easier for managing and securing devices.

As we expected, Apple kept expanding declarative management configurations and capabilities for securing iPhones and iPads and robust management of macOS in the enterprise. There was also a significant emphasis on device management for Apple Vision Pro, adding the ability to enroll visionOS devices via automated device enrollment. Also, there were new configurations and commands announced that will be supported by MDM, which will make the enterprise use cases more robust.

Here are the main announcements in Apple Business Manager, iOS18, macOS15 and visionOS 2.0 that IT admins should be aware of:

General WWDC announcements

Apple Intelligence

Perhaps the biggest announcement from Apple this year was Apple Intelligence, the new AI introducing Writing Tools, Smart Reply, Reduce Interruptions, Image Playground, etc. Apple Intelligence runs on-device and in Private Cloud Compute, which does not store customer data and protects user privacy. For certain requests, Apple Intelligence has been integrated with ChatGPT.

Apple has shared that MDM restrictions will be available for Apple Intelligence, including the ability to restrict Siri, Writing Tools, Image Playground, and the ChatGPT integration. IT teams will be able to choose which restrictions best fit their organization.

Refer to your Appleseed for IT developer program for more information and updates on what's new for IT.

Apple Business Manager

For customers leveraging Apple Business Manager, they will be able to take advantage of new capabilities that streamline some operations.

First, Apple has been pushing to move enterprise use cases to adopting managed Apple IDs instead of Apple IDs. Apple IDs are now called Apple Accounts, and Managed Apple IDs are called Managed Apple Accounts.

Apple has released a new process to streamline the recognition of the domain so customers can seamlessly convert Apple Accounts to Managed Apple Accounts with low impact on end users. Any Apple Account using a corporate domain can be set to migrate automatically to a managed account. The end user will need to accept this migration. If the end user doesn't accept migration after 30 days, the account will be automatically transformed into a managed account, and the personal Apple Account will be renamed.

The second feature specific to Apple Business Manager is the ability to manage Activation Lock on devices that are in an organization’s Apple Business Manager account. Previously, when a device was locked and retired from MDM, the only way to repurpose the device was to call Apple service. Now, if the device is enrolled in Apple Business Manager, the IT admin can unlock the device directly from the Apple Business Manager page.

Lastly, Apple has added the new Apple Vision Pro to the devices that can be onboarded by organizations via automated device enrollment. This new feature will allow devices to be supervised during activation and will simplify the initial device setup.

Software update enforcement enhancements

Last year, Apple released new software update enforcement with the ability to set a deadline for all devices to upgrade to a specific version. In this workflow, the end user receives notifications starting 14 days before the deadline. This year, Apple has moved the existing management controls over to declarative device management to give the IT admin much more detailed command over the behavior of the update, similar to what the admin had in the previous model.

IT admins can control:

Automatic software update behavior.
Rapid Security Response behavior.
Deferral of software updates (one to 90 days).
Whether local administrator authorization is required to update macOS.
Enrollment into beta programs (support for macOS later this year).
Default notification behavior when enforcing software updates.
Visibility (recommended cadence) of software upgrades (iOS and iPadOS only).

These new settings are meant to be a complete replacement of the previous workflows for software updates via MDM.

Streamlining OS beta testing in the enterprise

For customers with rigorous beta testing for each new OS version from Apple, Apple has released an easier way to manage the installation of versions on devices. Enrolling devices into the beta program and controlling the upgrade behavior for those devices can be streamlined and updated as needed.

First, all devices will need to leverage a feature released last year to allow for automated device enrollment into the beta program. Now, with this year’s release, all the Software Update settings will also be applicable for those devices in beta versions.

Safari extensions managed via MDM

For a long time, IT admins have been asking for a way to manage and approve Safari extensions to improve the user experience when opening domains. In this release, Apple has made available a new payload that allows or excludes some domains for Safari extensions.

iOS and iPadOS

Cellular networks updates

As with last year, Apple continues to make cellular networks more flexible and robust for customers. Last year, we saw more flexibility in configuring private networks for eSIM devices and creating specific slices on cellular bandwidth for dedicated application network traffic. This year, Apple has added the ability to support multiple private networks and leverage cellular slicing at the per-app VPN level.

New eSIM management keys include the ability to preserve the eSIM information even when the end user wipes the device and the ability to set up an eSIM with a link or a QR code on the device.

App Management Security

Apple added a feature for end users to hide or lock an application. This means the application will require Face ID, Touch ID or a passcode to open and can be hidden from the home screen. Apple will release application-level controls to configure these options via MDM.

Starting with iOS 18, proprietary in-house apps manually installed without using MDM will require a device restart to complete the trust of the provisioning profile.

macOS improvements

More flexible management via MDM

In macOS 14.5, new management tools have been released to manage files via MDM. These include sshd, sudo and PAM.

In macOS 15, executables, scripts and launched configuration files can be installed using MDM and are stored in a secure and tamper-resistant location, similar to service configuration files introduced last year. This provides an easy way for organizations to deploy and control managed services.

Better user experience during authentication

Authenticating via passwords is always problematic in the enterprise, as users forget passwords and devices get blocked. Leveraging new improvements to the platform, single sign-on and extensible single sign-on with Kerberos, Apple is simplifying the authentication process for enterprises while providing secure access and streamlining the authentication process for the end-user. New login policies are available via FileVault, login window and lock screen.

More security via disk management configuration

In the last release, Apple deprecated the media restriction payload. This year, Apple announced a new declarative device management payload to manage external and network storage. This new disk management configuration will define the mount policy to allow, disallow, or set volumes to read-only, making access to external storage secure and robust.

Apple Vision Pro improvements

In the visionOS 1.1 release, enrolling devices into MDM required devices to be registered via Account-Driven Device Enrollment or Account-Driven User Enrollment using a Managed Apple Account. With the announcement of visionOS 2.0, customers will be able to enroll devices via Automated Device Enrollment, allowing them to be supervised and simplifying the initial device setup. Another important improvement is the addition of more commands and payloads for visionOS management, including configurations such as device lock, activation lock, passcode management and others.

Additionally, Apple released a new set of APIs for visionOS application developers aimed at enhancing the enterprise use case. These new APIs will allow applications to integrate live feeds, screen sharing and QR code scanning, enabling new use cases for support teams to assist remotely with tasks and requirements.

While the most significant and impactful capabilities released by Apple center on Apple Intelligence, it's clear Apple is also making substantial progress in enhancing enterprise use cases by simplifying the adoption of Managed Apple Accounts for enterprise customers; introducing more granular controls for a robust macOS management experience; and expanding Apple Vision Pro support for Automated Device Enrollment and other enterprise use cases.

How MDM Can Help Manage the Apple Watch at Work

Mon, 03 Jun 2024 15:45:53 Z

The Apple Watch has emerged as more than just a personal device. It's a tool that can enhance productivity, streamline communications and bolster security for organizations across various industries. With increased usage comes the need to manage these devices effectively and securely. This is where MDM steps in as a critical solution.

Ivanti Neurons for MDM solution provides IT administrators the tools necessary to manage, secure and optimize the use of Apple Watch within their organizations. From enforcing security policies and managing configurations to deploying apps and monitoring device performance, MDM ensures that Apple Watch is used efficiently and safely in the workplace.

As businesses increasingly rely on wearable technology to support their operations, understanding the importance of MDM in Apple Watch management becomes essential. Let's explore why MDM is crucial for managing Apple Watch and how it can benefit your organization.

How workplaces can use MDM for Apple Watch

Ivanti Neurons for MDM can significantly benefit organizations and individuals managing multiple devices. Deploying Apple Watch in an organization requires careful planning and execution. MDM simplifies this process by supporting various deployment models and ensuring that devices are properly paired and configured with necessary policies and applications from the start. This streamlining helps scale up deployment without significant administrative overhead.

Here’s how Ivanti Neurons for MDM can assist:

Enhanced security: MDM allows administrators to enforce security policies on Apple Watch devices. This includes requiring passcodes, enforcing encryption and remotely wiping the device in case of loss or theft, ensuring sensitive data remains secure. This enables secure data exchange and communications, whether through emails from clients, application updates or calendar entries. Security measures also include features like biometric authentication.

Centralized configuration management: MDM enables centralized management of Apple Watch settings and configurations. Administrators can remotely configure Wi-Fi, VPN, email and other settings, ensuring that devices are properly configured for organizational use and compliance requirements.

Efficient app deployment and management: MDM facilitates the deployment and management of apps on Apple Watch devices. Administrators can remotely install, update or remove apps, ensuring that users can access the necessary tools and resources to perform their tasks efficiently. Employees are empowered with access to essential information and tools directly on their wrists. Workers in service stations or retail stores can receive app notifications from the managed apps distributed to them via Ivanti Neurons for MDM.

Remote monitoring and troubleshooting: MDM lets administrators remotely monitor Apple Watch devices for compliance with security policies and detect any issues that might arise. They can troubleshoot problems remotely, reducing the need for in-person support and minimizing downtime. Whether employees are working in remote construction sites, field research locations or outdoor facilities, they can receive support for their devices remotely.

Activation lock and device control: MDM enables features like Activation Lock, which helps prevent unauthorized access by ensuring that a lost or stolen Apple Watch remains locked to the user’s account. This feature, coupled with the ability to remotely lock or wipe devices, gives organizations greater control over their assets and enhances overall security.

Comprehensive inventory management: MDM provides administrators with visibility into their Apple Watch inventory, including information such as device model, serial number and software version. This helps organizations keep track of their assets and ensure compliance with licensing requirements.

Key considerations for Apple Watch deployment

Organizations must keep a few important points in mind when planning Apple Watch deployment:

Apple Watch needs to be paired with a supervised iPhone.
The supervised iPhone must be enabled with Declarative Management.
Apple Watch management is supported with watchOS 10 and later.
Before pairing Apple Watch to iPhone, an Apple Watch Enrollment token must be distributed to the iPhone.
Apple Watch management supports iPhone apps, companion apps and standalone apps. Depending on the type of apps your users need, your organization must plan accordingly.

Ivanti Neurons for MDM is an essential component of managing Apple Watch in a professional setting. It not only enhances security and compliance but also ensures that the devices are effectively supporting the organization's operational goals. As wearable technology continues to evolve, the role of MDM will only become more significant in leveraging the full potential of Apple Watch in the workplace.

Upgrade to Windows 11 with Ivanti Neurons for MDM

Fri, 12 Apr 2024 04:00:03 Z

With support for Windows 10 ending on Oct. 14, 2025, users are faced with deciding how and when they wish to upgrade to Windows 11. Since some old devices won’t be able to upgrade to Windows 11, new devices must be purchased.

Administrators should start evaluating the transition to Windows 11 by upgrading their current fleet or evaluating a device refresh that will come with Windows 11.

Ivanti Endpoint Management (EPM) customers will be able to start imaging those devices at the push of a button with the new features in Ivanti’s cloud-based Modern Device Management (MDM).

Your organization might be ready to upgrade to Windows 11 or need to plan for it. Ivanti technicians can help upgrade the devices at your own pace. You can block Windows 11 updates or target a configuration and proceed with the upgrade.

Let’s analyze some of those challenges and how Ivanti Neurons for MDM helps streamline the process with minimal end-user impact.

Upgrading to Windows 11

For starters, this Windows upgrade introduces a broad set of capabilities and controls that can take much longer to install, for many reasons. More importantly, each update introduces a new set of potential compatibility and reliability problems.

While some updates are small and might not be noticed during installation, others are quite large and can take a while to install. In an enterprise environment, this can disrupt end users. Windows 11 added not only new features end users can enjoy, but also security and performance improvements that make the transition even more challenging.

Remotely targeting only Windows 11-compatible devices can minimize upgrade failure. In Ivanti Neurons for MDM, you can specify where you’d like your Windows 11 upgrades to come from — WSUS or Windows Updates. In our recent release, we’ve added the ability to choose sources for each Windows OS update type: feature updates, quality updates, driver updates and other Microsoft updates. Every device will connect to the corresponding source and report the applicable version of the upgrade.

For a device to report on the applicable Windows 11 versions, in this latest release we’ve added the Product Version field. Here, customers must specify the 11 version for the device to know that it needs to upgrade, instead of just keep updating Windows 10 patches.

Once devices start reporting the Windows 11 version, Ivanti Neurons for MDM platform will scan them and present them in the Windows Update page so our admins can approve the upgrade. Devices not eligible for an upgrade due to system or software incompatibility will automatically be left untouched and not report incompatible versions.

Follow these steps

Manage Windows 11 Upgrades at your own pace: Microsoft recently announced that Windows 11 upgrades will be offered to all unmanaged Windows devices. Having end users upgrading to Windows 11 could create plenty of issues – and many helpdesk tickets.

When Windows devices are managed with Ivanti Neurons for MDM, Windows 10 devices will only get Windows 10 updates, unless you specifically target the Windows 11 upgrade for your fleet. Using our Software Update configurations will give you granular controls over the upgrade process, schedules, reboots and notifications.

If your organization doesn’t have a good way to manage Windows 11 upgrades and is concerned about devices being upgraded by end users directly, Ivanti Neurons for UEM for Windows might be a good fit for your organization.

Customize upgrades with low end user impact: Ivanti Neurons for MDM provides a complete set of functionalities to customize the upgrade's behavior. Customers can schedule, differ and pause the updates and configure the level of notifications the end user will get before the upgrade. These controls are very granular, letting administrators choose different behaviors for each update type: feature, quality, driver and others.

For instance, with Ivanti Neurons for MDM, you can provide off-hour windows to make sure upgrades are downloaded without impacting your end users. Administrators can also configure the ability for end users to upgrade on their own schedule.

Roll out Windows 11 Copilot AI at your own pace: Copilot in Windows provides centralized generative AI assistance to users, appearing as a sidebar docked on the Windows desktop. Since users could copy and paste sensitive information into it, organizations must properly configure the chat provider platform for Copilot in Windows. With Ivanti Neurons for MDM, you can create configurations for different device groups and enable Copilot after testing. Administrators can choose upgrade to Windows 11 while having Copilot disabled for all devices and enabling it in phases later by device group.

Image your start menu and task bar for Windows 11: Another challenge users face when planning their Windows 11 upgrade is the change in the user interface. Windows 11 has a new start menu at the bottom of the screen instead of on the left; the task bar differs, too. With the changes recently rolled out in Ivanti Neurons for MDM, administrators can create images targeted for Windows 11 devices. As soon as devices get upgraded, the new Windows 11 start menu and task bar image will be pushed to the devices.

Track upgrades and troubleshoot remotely: After the device has been configured with the Windows Software Update configuration, every device will report the applicable versions and start updating according to the specifications or will wait for administrator approval. Administrators can approve any Windows 11 updates reported by the device and have visibility into which devices are eligible, pending upgrade, upgraded or failed. They can also create charts on the dashboard to track adoption of the Windows version deployed to the endpoints.

Automate enrollment of newly refreshed Windows 11 devices via Ivanti Neurons for UEM: Many firms are deciding to start a device refresh process of their fleet, instead of trying to jump through all the hoops required to upgrade existing devices. As companies work with their distributors to purchase and ship devices to their end users, they need to plan for the most efficient way to image and provision Windows 11 compatible configurations and applications.

One way is via Autopilot enrollment. Ivanti Neurons for MDM provides the easiest way to image and provision devices with the OOBE via Autopilot, automating the setup of the devices and the installation of application. With the previously described features, administrators can tailor the policies to Windows 11 images and applications compatible with this new operating system. Ivanti Neurons for MDM supports Autopilot without incurring additional MDM user license costs.

On the other hand, if you are using any other agent-based Windows Management solution, you can automate the enrollment via Ivanti Neurons UEM Deployment Package. Via the agent, push a deployment package to devices and enroll them seamlessly, with no end user impact, into Ivanti Neurons for UEM and start managing your Windows 11 upgrades.

Know before you upgrade

Follow these suggestions to make your transition smooth:

Windows 11 has specific system requirements. Make sure your fleet meets these requirements for your devices to be eligible for upgrade.
Windows 11 requires Secure Boot be enabled. Secure Boot is designed to prevent malicious software from loading when a PC starts. Most modern PCs are capable of Secure Boot, but in some instances, there may be settings that cause the PC to appear to not be. Check with your device manufacturer for support on Secure Boot. Ivanti has partnered with Lenovo to configure Secure Boot via Configurations.
Windows 11 has over 1,000 new management controls to make it easier to move away from older management systems like Group Policy.
Windows 11 is built on the Windows 10 code base, so it is natively compatible with the software and solutions used today. However, some solutions might work differently in Windows 11 or have different requirements. Create a pilot device group to test the Windows 11 upgrade, security solutions and new configuration before rolling it out to the larger population of devices.
To leverage the Windows Autopilot features, Ivanti Neurons for MDM needs to be integrated with a Microsoft Entra environment.

What IT Administrators Want to Know About Apple Vision Pro

Mon, 11 Mar 2024 15:59:25 Z

Apple’s release of Apple Vision Pro on Feb. 2, 2024, sparked widespread anticipation among tech enthusiasts worldwide. Even more among enterprise customers when Apple announced MDM management capabilities in visionOS 1.1.

Apple Vision Pro lets users interact with apps while remaining connected to their physical surroundings or immerse themselves entirely in a virtual environment of their choosing. This flexibility opens infinite possibilities for personal and enterprise applications, fundamentally transforming the way we experience computing.

For enterprises, Apple Vision Pro features present opportunities across various use cases, including productivity and collaboration with the device's infinite canvas to access and multitask seamlessly and collaborate on projects in real-time; remote training, allowing instructors to guide trainees through simulations and hands-on tasks from anywhere in the world; guided work to display contextual information such as equipment manuals, safety procedures or troubleshooting guides, enhancing workers' understanding and performance; and even co-design sessions, where engineers immerse themselves and visualize, review, and iterate on designs together.

In response to growing demand for enterprise-ready solutions, Apple also introduced Mobile Device Management (MDM) controls for Apple Vision Pro. The developer beta of visionOS 1.1 lets MDM developers test configurations for enterprise networking (Wi-Fi, VPN, per-app VPN), single sign-on, restrictions, identity certificates, managed app installation and more, ensuring the security of the data and seamless integration into existing IT infrastructures.

Apple Vision Pro has the security and privacy features expected for an enterprise-grade device. Apple introduced biometrics like Touch ID and Face ID to iPhone, iPad, and Mac; now, Apple Vision Pro includes Optic ID, which provides authentication via iris recognition. Apple’s M2 processor and Secure Enclave protect Optic ID data, and provides the encryption and security enterprise customers expect.

Some highlights on the ability to manage Apple Vision Pro are:

MDM Enrollment: Management of the Apple Vision Pro requires registration via account-driven Device Enrollment or account-driven User Enrollment with a Managed Apple ID. Apple has stated that Automated Device Enrollment, adding devices to Apple Business Manager or Apple School Manager, and supervision are not supported at this time.
MDM Configurations: MDM payloads and declarative device management are both supported for applying configurations to Apple Vision Pro, ensuring comprehensive management capabilities for enterprise deployments.
App Deployment: Apple has announced over 1,000 spatial apps built for Apple Vision Pro and more than 1 million compatible iOS and iPadOS apps. Apps can be deployed using MDM, similar to other Apple devices. Native visionOS apps are not in the volume Apps and Books store yet, but compatible and in-house apps can still be deployed.
Additional Management: Apple Vision Pro will support gathering inventory data, and can be remotely erased in case it goes missing. The management model is similar to iPhone and iPad, and Apple has taken the same approach with Apple Vision Pro.
Integration: Apple Vision Pro seamlessly integrates with IT systems, like corporate Wi-Fi networks, VPN, email, identity providers, and cloud storage providers. Plus, Apple Vision Pro offers compatibility with other Apple services and devices out of the box.

At Ivanti, we are dedicated to enabling our customers with the tools to support all enterprise use cases. Our goal is to empower our customers with tailored solutions, driving productivity and innovation. Stay tuned for updates on MDM compatibility and support in our Ivanti UEM solutions, designed to seamlessly manage Apple Vision Pro devices.

WWDC23: What IT Admins Need to Know to Manage Apple Devices

Tue, 25 Jul 2023 19:51:36 Z

Apple’s annual developer conference, WWDC, is a firehose of information for anyone who manages Apple devices.

New operating systems (notably iOS 17, iPadOS 17, macOS 14 and watchOS 10) and new products (15-inch MacBook Air and Apple Vision Pro) might have dominated the headlines, but WWDC23 also brought a host of no less consequential new capabilities for enterprise device management.

So what should IT admins pay attention to in the lead up to this fall’s OS updates?

A big step forward in declarative device management

Apple introduced declarative management in 2021 as an extended functionality to the MDM protocol, and this year they continued the trend of releasing configurations that can coexist on MDM and declarative management at the same time as part of a gradual transition. Apple has announced a transition path from today’s MDM protocol to declarative management, which will make the changeover seamless for end users.

What’s new this year is that Apple is also releasing features that can only be supported via declarative management – passkeys and Apple Watch management. Ivanti’s UEM products will support declarative device management, and therefore these new features, in the next few quarters.

Simpler device enrollment – for IT and for end users

Getting rid of manual processes is a clear theme for the device enrollment enhancements released this year.

Return to service, a new capability for bringing devices back into management, lets IT admins send a command to erase and then re-enroll a device automatically – a process that until now was manual. This feature is particularly useful for devices without dedicated users that need to be remotely reconfigured without manual intervention, for example an iPad that needs to be reset after a patient is discharged from a hospital.

Account-driven device enrollment (an enhancement to account-driven user enrollment, which is already available) enrolls devices automatically when users sign in with their work or school account, rather than requiring the user to install a profile manually. Eliminating this extra step can streamline device onboarding.

On the topic of device enrollment, Setup Assistant also saw enhancements worth paying attention to: the ability to restrict enrollment to devices that meet minimum OS requirements, and the ability to configure FileVault during setup. These features let companies ship devices directly from the supplier to the end user without needing a manual setup to ensure basic security features are in compliance.

Easy end user authentication for a better end user experience

Updates to Managed Apple IDs give organizations access to a range of improved authentication features that make it easier for end users to access their devices and services. Managed Apple IDs now include support for iCloud Keychain, Apple Wallet, and access management controls that enable organizations to restrict access to specific services and dictate the management state of a device when a user signs in. Additionally, passkeys can now be synced across managed devices for an even more secure authentication experience.

Platform single sign-on (SSO) now lets you create local user accounts on a shared Mac using credentials from the Identity Provider (IdP).

Finally, Managed Device Attestation is now available on macOS and offers strong assurances about the security posture and properties of a device.

Useful updates to device and application connectivity

For an alternative to VPN, you can now use a new built-in relay to secure traffic using an HTTP/3 or HTTP/2 tunnel. The configuration is domain-based and can be applied to managed apps, domains, or the entire device.

Apple has also expanded 802.1X support for Ethernet, which previously was only supported for macOS, allowing you to connect an iPhone, iPad or Apple TV to a restricted network that requires authentication without needing to rely on WiFi.

Finally – private network and network slicing support

Long-awaited support for private 5G and LTE networks is finally here for iOS 17 and iPadOS 17.

Administrators can activate private SIMs automatically when a device enters a geofence in order to prioritize cellular over Wi-Fi.

And with 5G network slicing, mobile network operators can customize traffic through a 5G standalone network with specific quality-of-service requirements for network latency, throughput and packet loss.

Discovering new use cases for wearables in the workplace?

Apple Watch is newly supported as a managed device. An Apple Watch that is paired to a Supervised iPhone can now be enrolled and managed with watchOS 10 – with the very important requirement that declarative management configuration must be enabled.

Planning ahead for this fall’s OS updates

Ivanti is actively testing the betas of iOS 17 and macOS 14 to make sure you can take advantage of these new features for a better end-user experience and streamlined IT processes.

Look out for communication on compatibility as we plan for day zero support for Ivanti products.

Windows 11 22H2 and Ivanti UEM: The New Features Enterprise Users Should Know

Thu, 22 Sep 2022 19:10:06 Z

The Windows 11 22H2 release demonstrates that Microsoft is embracing the Everywhere Workplace, with new features and capabilities to support remote workers and BYOD deployments.

What enhancements should IT admins pay attention to? These are the features worth taking advantage of – and since Ivanti UEM solutions support devices on Windows 11 22H2, customers can roll out the latest OS to their whole fleet from day zero. Stay tuned for updates on support for new management features.

Productivity enhancements for end users

These collaboration and productivity features – many of which employees can personalize to their liking – are particularly useful for employees working remotely or while in transit.

Group apps into a folder on the Start menu. Employees can also personalize the Start menu to add more apps or recommendations.

Add and view favorites on the File Explorer home screen. File Explorer tabs help organize content to quickly switch between multiple projects.

Avoid distracting notifications. Focus assist is set by default to activate automatically under certain conditions. Employees can adjust and extend focus time from the Focus Assist settings on the taskbar.

Improve video and audio calls with Windows Studio Effects.

Make Teams meetings more accessible. Live captions make video meetings easier to follow.

Security enhancements for IT

IT teams are acutely aware of the security threat posed by unmanaged devices and access to corporate data from personal computers – but they also need to accommodate employees’ expectations to be able to work from their device of choice. Many of the security enhancements in the latest Windows 11 release take aim at closing that gap between employee experience and security requirements.

Windows Defender Credential Guard is now enabled by default with Windows 11 Enterprise, providing virtualization security to protect against credential theft.

Credential isolation with Local Security Authority is also enabled by default, providing extra protection to new enterprise-joined Windows 11 devices.

Hypervisor-protected code integrity is also enabled by default on all new Windows 11 devices.

Microsoft Vulnerable Driver Blocklist safeguards against advanced threats and ransomware attacks.

Configuration Lock for Secure Core PC lets IT lock down security policies so they can’t be changed inadvertently, closing the window of opportunity for an attacker. IT can set monitor settings to ensure that devices comply with company security policies and automatically revert changes immediately.

Smart Apps Control identifies trustworthy apps using threat intelligence signals and only allows processes to run if they are predicted to be safe, perfect for BYOD devices or small businesses. (Enterprise customers can use Windows Defender Application Control or AppLocker).

Enable passwordless authentication with Windows Hello for Business and a unique identifier, such as a biometric element.

Enhanced Phishing Protection in Microsoft Defender SmartScreen detects difficult-to-observe password phishing attacks and takes immediate action to prevent further compromise, informing employees right away that they need to change their password and automatically alerting IT of the incident.

Windows Autopatch keeps Windows, Microsoft Edge and Office deployments up-to-date and optimizes secure productivity.

Windows 11 in-product messages let IT communicate targeted information to the end user, for example providing direction during device setup in the Get Started application or sending messages to the lock screen or desktop.

Learn more about Ivanti UEM

To learn more about how Ivanti UEM solutions support modern management and BYOD use cases, visit the Ivanti Neurons for UEM for Windows Device Management page or download the detailed datasheet.

What's New in Ivanti Neurons for Mobile Device Management?

Mon, 02 May 2022 18:25:13 Z

The latest release of Ivanti Neurons for MDM includes enhancements for managing COSU devices and transitioning to cloud-based device management.

Provide extra security and support for your Android COSU devices

Corporate-owned single-use (COSU) devices are dedicated for a single use, and Android Enterprise's capabilities can help configure those devices to best serve that purpose. Use cases for COSU devices include:

Point-of-sale (POS) systems in retail.
Handheld barcode scanners in supply chain.
Smart panels (such as information kiosks, timecard entry panels, physical access entry panels, etc.) across a number of industries, including healthcare, retail and manufacturing.

These locked-down devices can be dedicated to a single user, multiple users or external users. The Android Enterprise COSU configuration provides more control over how your staff and customers use the device by compartmentalizing the operating system to deploy in a locked-down environment, running a single application or a specific set of apps. Usually, one application is intended to run on the device and that’s all. COSU improves security, efficiency, processes, compliance and user experience by locking devices down to execute a small range of specific tasks.

With the latest release of Ivanti Neurons for MDM, several new features have been added to better secure and support your COSU devices.

5G slicing support

With more COSU devices deployed in remote locations, 5G support becomes more essential for securing those devices. Not only does Neurons for MDM provides 5G information to let you know if your device is part of your private 5G network slice, 5G network slicing allows your provider to take a shared physical network and portion it out into logical segments. Each segment is provisioned for a different set of users, devices and applications, and the logical separations mean the traffic from one slice does not interfere with another.

In a retail environment, different slices can be configured to provide for your mobile POS devices and for your customer kiosks. Your remote retail environments might employ these slicing schemes to provide better employee and customer experience, while behind the scenes keeping track of inventory. These slices would separate each other’s traffic and resources, improving security. 5G slicing can be enabled in the lockdown Android Enterprise configuration within Ivanti Neurons for MDM.

Configuring higher app priority distribution and updates on your COSU devices

With Ivanti Neurons for MDM, IT can set higher-priority apps for enrollment and update on COSU devices. This will allow admins to set which applications are critical for deployment and updating. This is important especially if the update would resolve or prevent a production-related issue. Getting these updates out as fast as possible can reduce downtime or even prevent a production-affecting event from surfacing.

Providing additional USB security to your COSU devices

With Ivanti Neurons for MDM, you can configure the USB port to be used for charging only to prevent the USB port from being used as a physical vector for malicious attacks, keeping unauthorized users from accessing confidential data. This is important particularly important for COSU devices in an open area, such as kiosks and POS devices in retail stores.

Unattended remote session support

Remote session support becomes even more of a necessity for remote COSU devices, particularly in a retail environment where there maybe no one is available after the store closes to troubleshoot and resolve technical issues.

With Neurons for MDM, you can initiate a remote session from within the console without requiring input from any user at that location, making it easy to manage COSU devices when there is no physical access to those devices.

Easily transition Windows devices to cloud-based modern management

We are excited to announce an Ivanti Neurons for MDM deployment package with the Q2 release to support customers with an easy transition for their Windows devices from traditional management to modern management.

Ivanti Neurons for MDM deployment package

IT can enroll devices managed by Microsoft Configuration Manager (formerly SCCM) or Ivanti Endpoint Manager into Ivanti Neurons for MDM. The Deployment Package tool allows organizations to streamline the transition of Windows devices to cloud-based modern management, without downtime or end-user interruption. Seamless transition is achieved by downloading a unique deployment package from the Neurons for MDM console, then deploying it through the existing management tool or domain. Once the package is deployed, it will silently enroll endpoints into Neurons for MDM for ongoing management. This approach allows administrators to first migrate devices easily, then have flexibility to configure devices later over the air. When device enrollment is completed silently into Neurons for MDM, it is joined with MDM and gets co-managed by two management authorities. Once an administrator configures the desired Windows experience within Neurons for MDM, a legacy management platform can be decommissioned, leaving Neurons for MDM as the single management authority of the device.

This package can be deployed in environments that do not leverage Azure Active Directory (AAD). The main elements of Neurons for MDM modern Windows management suite do not require AAD. Co-management or co-existence may require certain workloads or configurations to be deployed upon silent enrollment, to avoid any impact during transition.

Why move to cloud-based modern management?

As UEM solutions have evolved and added more capabilities over the years, it has become critical to provide a consistent user experience and management capabilities between mobile (iOS and Android) and Windows devices. Cloud-based modern device management on Windows devices is fundamentally different from traditional device management, but similar to mobile device management on iOS and Android.

One of key differences is profile-based management. Breaking from image-based management relieves significant IT workload from manual device imaging and maintenance. A profile is a collection of configuration settings that are applied to a device based on group membership, which allows profiles to be created as a module with multiple profiles assigned to a single user depending on their job function and required apps. With profile-based management, IT can remotely make changes on any configuration and push patch updates over the air.

Those differences mean that cloud-based modern management significantly reduces IT overhead and the complexity of managing Windows devices.

There are a number of drivers for considering a transition from client-based to cloud-based modern device management:

Higher scalability and lower cost impact. We can view scalability into two different ways – faster deployment and ease of scaling. First, a cloud-based solution is faster to deploy compared to an on-prem solution. Second, if you want to deploy more devices with a cloud-based solution, you don’t need to build a new server, which would be required for an on-prem solution to scale. Also, cloud-based solutions are managed by the vendor, so customers can save the cost of managing infrastructure and servers on their own.
Better security posture. Some might argue that on-prem has a better reputation when it comes to security posture. And it is true that some customers in heavily regulated industries still prefer to continue using on-prem solutions. The caveat is that security posture really depends on a customer’s infrastructure, and it often requires a heavy investment for customers to build their own security infrastructure and hire experts to manage it. Cloud service providers, including Ivanti, meet a high security standard with various certifications — for example, Ivanti Neurons for MDM is FedRAMP and SOC2 certified.
Improved productivity and user experience. Remember the significant efforts that went into the Windows 10 migration of a few years ago — and the loss of productivity due to downtime during the update? Modern device management minimizes impacts on productivity between Windows OS updates, as devices are being managed like smartphones. Modern device management also allows you to leverage a zero-touch provisioning solution that integrates systems like Windows Autopilot, Apple Business Manager, Android Enterprise and Samsung Knox Mobile Enrollment. IT can ship a Windows device directly to a user, and it automatically gets enrolled into the cloud-based UEM solution. You can cut onboarding time from weeks to two days, which results not only in a faster onboarding but also higher user satisfaction.

Learn more

For more information about Ivanti Neurons for MDM, visit the product page or view the release notes.