WWDC23: What IT Admins Need to Know to Manage Apple Devices

Tue, 25 Jul 2023 19:51:36 Z

Apple’s annual developer conference, WWDC, is a firehose of information for anyone who manages Apple devices.

New operating systems (notably iOS 17, iPadOS 17, macOS 14 and watchOS 10) and new products (15-inch MacBook Air and Apple Vision Pro) might have dominated the headlines, but WWDC23 also brought a host of no less consequential new capabilities for enterprise device management.

So what should IT admins pay attention to in the lead up to this fall’s OS updates?

A big step forward in declarative device management

Apple introduced declarative management in 2021 as an extended functionality to the MDM protocol, and this year they continued the trend of releasing configurations that can coexist on MDM and declarative management at the same time as part of a gradual transition. Apple has announced a transition path from today’s MDM protocol to declarative management, which will make the changeover seamless for end users.

What’s new this year is that Apple is also releasing features that can only be supported via declarative management – passkeys and Apple Watch management. Ivanti’s UEM products will support declarative device management, and therefore these new features, in the next few quarters.

Simpler device enrollment – for IT and for end users

Getting rid of manual processes is a clear theme for the device enrollment enhancements released this year.

Return to service, a new capability for bringing devices back into management, lets IT admins send a command to erase and then re-enroll a device automatically – a process that until now was manual. This feature is particularly useful for devices without dedicated users that need to be remotely reconfigured without manual intervention, for example an iPad that needs to be reset after a patient is discharged from a hospital.

Account-driven device enrollment (an enhancement to account-driven user enrollment, which is already available) enrolls devices automatically when users sign in with their work or school account, rather than requiring the user to install a profile manually. Eliminating this extra step can streamline device onboarding.

On the topic of device enrollment, Setup Assistant also saw enhancements worth paying attention to: the ability to restrict enrollment to devices that meet minimum OS requirements, and the ability to configure FileVault during setup. These features let companies ship devices directly from the supplier to the end user without needing a manual setup to ensure basic security features are in compliance.

Easy end user authentication for a better end user experience

Updates to Managed Apple IDs give organizations access to a range of improved authentication features that make it easier for end users to access their devices and services. Managed Apple IDs now include support for iCloud Keychain, Apple Wallet, and access management controls that enable organizations to restrict access to specific services and dictate the management state of a device when a user signs in. Additionally, passkeys can now be synced across managed devices for an even more secure authentication experience.

Platform single sign-on (SSO) now lets you create local user accounts on a shared Mac using credentials from the Identity Provider (IdP).

Finally, Managed Device Attestation is now available on macOS and offers strong assurances about the security posture and properties of a device.

Useful updates to device and application connectivity

For an alternative to VPN, you can now use a new built-in relay to secure traffic using an HTTP/3 or HTTP/2 tunnel. The configuration is domain-based and can be applied to managed apps, domains, or the entire device.

Apple has also expanded 802.1X support for Ethernet, which previously was only supported for macOS, allowing you to connect an iPhone, iPad or Apple TV to a restricted network that requires authentication without needing to rely on WiFi.

Finally – private network and network slicing support

Long-awaited support for private 5G and LTE networks is finally here for iOS 17 and iPadOS 17.

Administrators can activate private SIMs automatically when a device enters a geofence in order to prioritize cellular over Wi-Fi.

And with 5G network slicing, mobile network operators can customize traffic through a 5G standalone network with specific quality-of-service requirements for network latency, throughput and packet loss.

Discovering new use cases for wearables in the workplace?

Apple Watch is newly supported as a managed device. An Apple Watch that is paired to a Supervised iPhone can now be enrolled and managed with watchOS 10 – with the very important requirement that declarative management configuration must be enabled.

Planning ahead for this fall’s OS updates

Ivanti is actively testing the betas of iOS 17 and macOS 14 to make sure you can take advantage of these new features for a better end-user experience and streamlined IT processes.

Look out for communication on compatibility as we plan for day zero support for Ivanti products.

Ivanti Blog: Posts by