At last week's WWDC, Apple introduced a series of changes that affect the overall management of devices and the declarative management used on individual devices. Here is a summary of the changes and why they're important.
By Ryan Fass
As expected, at WWDC, Apple announced a number of significant changes to the way it manages Macs, iPads, iPhones, and Apple TVs in enterprise and education environments. These changes fall into two groups: those that affect overall device management and those that apply to declarative management (a new type of device management introduced by Apple in iOS 15 last year).
It is important to look at each group separately to better understand the changes.
How did Apple change overall device management?
Apple Configurator for iPhone has been significantly expanded. Configurator is a manual method of enrolling iPhones and iPads in management, as opposed to using automated or self-enrollment tools. It originally shipped as a Mac app that could configure devices, but it had one major drawback: the devices had to be connected via USB to the Mac running the app. That had obvious time and labor costs for anything other than a small environment.
Last year, Apple introduced an iPhone version of Configurator that reversed the original workflow, meaning the iPhone version of the app could be used wirelessly to enroll Macs in management. It was primarily used to enroll Macs purchased outside of Apple's business/education channel in Apple Business Manager (Apple products purchased through the channel can be auto-enrolled with zero-touch configuration).
The iPhone version is extremely simple. During the setup process, the iPhone camera is pointed at an animation on the Mac screen (similar to pairing an Apple Watch), and this starts the enrollment process.
The big change this year is that Apple has expanded Apple Configurator for iPhone to support enrolling iPads and iPhones using the same process, eliminating the need to connect devices to a Mac. This greatly reduces the time and effort required to enroll these devices. There is a caveat: devices that require cellular activation or that have been locked must be activated manually before using Configurator.
Apple has made useful changes to identity management in the enterprise environment. Most notable: it now supports more identity providers, including Google Workspace and OAuth 2, enabling a wider pool of providers. (Azure AD is already supported.) These identity providers may be used in conjunction with Apple Business Manager to create Managed Apple IDs for employees.
The company also announced support for single sign-on enrollment across its platforms after macOS Ventura and iOS/iPadOS 16 arrive this fall. The goal here is to make user enrollment easier and more streamlined by requiring users to authenticate only once. Apple also announced Platform Single Sign-on, an attempt to extend and ease access to enterprise apps and websites each time users authenticate on their device.
User managed network
Apple has long had a per-app VPN capability, which allows only specific corporate or work-related apps to use an active VPN connection. This applies VPN security but limits VPN load by sending only app-specific traffic over the VPN connection. With macOS Ventura and iOS/iPadOS 16, Apple is adding per-app DNS proxy and per-app web content filtering. This helps secure traffic for specific apps and functions the same way per-app VPN does, and it requires no changes to the apps themselves. DNS proxy supports system-wide or per-app options, while content filtering supports system-wide or seven per-app instances.
For iPhones that support eSIM, Apple is making it possible for mobile device management (MDM) software to configure and provision an eSIM. This can include provisioning a new device, migrating carriers, using multiple carriers, or configuring for travel and roaming.
Accessibility settings management
Apple is known for its wide set of accessibility features for people with special needs. In fact, many people who do not have special needs use many of these features. In iOS/iPadOS 16, Apple allows MDM to automatically configure some common features, including: text size, VoiceOver, Zoom, Touch Accommodations, bold text, reduce motion, increase contrast, and reduce transparency. It will be a welcome tool in areas like special education or hospitals and healthcare, where devices may be shared among users with special needs.
What's new in Apple's declarative management process?
Apple unveiled declarative management last year as an improvement over its original MDM protocol. Its big advantage is that it moves much of the business logic, compliance, and management from the MDM service onto each device. As a result, devices can proactively monitor their own state. This eliminates the need for the MDM service to constantly poll device status and then issue commands in response. Instead, devices make those changes based on their current state and the declarations sent to them, and report back to the service.
Declarative management is based on declarations that include things like activations and configurations. One advantage is that declarations can include multiple configurations, as well as activations that indicate when or if a configuration should be activated. This means a single declaration can contain all the configurations for all users, together with activations that indicate which users each applies to. This reduces the need for large sets of different configurations, since the device can determine for itself which ones to enable for its user.
This year, Apple has expanded where declarative management can be used. Initially, it was only available on iOS/iPadOS 15 devices that use User Enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 will be supported, regardless of enrollment type. This means that device enrollment (including supervised devices) is supported across the board, as is Shared iPad (a type of enrollment that allows multiple users to share the same iPad, each with their own configuration and data).
The company has made it clear that declarative management is the future of Apple device management and that any new management features will be implemented only in the declarative model. While traditional MDM will remain available for an indefinite period, it has been deprecated and will eventually be retired.
This has a big impact on devices that are already in use. Devices that cannot run macOS Ventura or iOS/iPadOS 16 will eventually be left behind, and those that remain in service will need to be replaced. Given the range of devices that lose support, this could be a costly transition for some organizations. While it is not immediate, you should begin to determine the scale and cost of the transition and how you will manage it (especially if it requires a transition to Apple Silicon, which does not support the ability to run Windows or Windows applications).
In addition to expanding the products that can use declarative management, Apple has also expanded its functionality, including support for passcodes, configuring enterprise accounts, and installing MDM-managed apps.
The passcode option is more sophisticated than simply requiring a particular type of passcode. Passcode compliance has traditionally been a prerequisite for certain security-related configurations, such as sending a corporate Wi-Fi configuration to the device. In the declarative model, those configurations can be sent to the device before a passcode is set. They are sent together with the passcode requirement and include an activation that triggers only once the user creates a passcode that complies with the policy. Once the user has set the passcode, the device recognizes the change, activates the Wi-Fi configuration immediately, and notifies the MDM service of the activation.
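The passcode-gated Wi-Fi flow described above can be modeled in a few lines. This is an added example, not code from Apple or from the original article: the class names, field names, and the `passcode_compliant` status key are illustrative assumptions and do not follow Apple's declaration schema. Deactivating a configuration when its predicate later turns false is also an assumption of this sketch.

```python
# Simplified model of device-side evaluation; class and field names are
# illustrative assumptions and do not follow Apple's declaration schema.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Activation:
    identifier: str
    predicate: Callable[[dict], bool]  # evaluated on the device against local status
    configurations: list               # identifiers of configurations to enable

@dataclass
class Device:
    status: dict
    configurations: dict = field(default_factory=dict)  # identifier -> payload
    activations: list = field(default_factory=list)
    active: set = field(default_factory=set)
    reports: list = field(default_factory=list)          # status reports for the MDM service

    def receive(self, configurations, activations):
        """Store declarations sent by the service, then evaluate them locally."""
        self.configurations, self.activations = dict(configurations), list(activations)
        self.evaluate()

    def update_status(self, key, value):
        """A local state change triggers re-evaluation without a server command."""
        self.status[key] = value
        self.evaluate()

    def evaluate(self):
        wanted = set()
        for act in self.activations:
            if act.predicate(self.status):
                wanted.update(c for c in act.configurations if c in self.configurations)
        for ident in sorted(wanted - self.active):
            self.reports.append(("activated", ident))
        for ident in sorted(self.active - wanted):
            self.reports.append(("deactivated", ident))
        self.active = wanted

def enroll_sample_device():
    """Constructed sample: Wi-Fi is delivered up front but gated on passcode compliance."""
    device = Device(status={"passcode_compliant": False})
    device.receive(
        {"passcode-policy": {"min_length": 8}, "corp-wifi": {"ssid": "EXAMPLE-CORP"}},
        [Activation("always", lambda s: True, ["passcode-policy"]),
         Activation("after-passcode", lambda s: s.get("passcode_compliant", False), ["corp-wifi"])],
    )
    return device
```

Calling `update_status("passcode_compliant", True)` on the returned device activates `corp-wifi` and appends a report, with no command issued by the service in between.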
Accounts, which can include things like mail, notes, calendars, and subscribed calendars, work the same way. A declaration can specify all supported account types in the organization as well as all subscribed calendars. The device then determines which to activate based on the user's account and role(s) in the organization.
MDM app installation is the most important addition to declarative management, as app installation is one of the most burdensome tasks for an MDM service and the biggest bottleneck during large device activations. A declaration can specify all possible apps that may need to be installed and be sent to the device when it is activated, before it is handed to its user. Again, depending on the user, the device determines which app installation configurations to activate and make available. This avoids every device repeatedly querying the service and downloading apps and their configurations. If the user's role changes, it also simplifies and speeds up the process of activating (or deactivating) apps.
These are important improvements, and it is easy to see why they are the first additions to declarative management after the initial implementation. There are still MDM capabilities that have not made the jump to declarative management, but it is clear that eventually, perhaps as early as next year, they will.
This was one of WWDC's most significant sets of announcements for businesses, and it is good to see which features Apple is considering adding or updating, as most of them address difficult, time-consuming, resource-intensive, or tedious areas. Apple is not only meeting the needs of business customers, it is also showing that it understands those needs.