Advancements in Declarative Device Management
WHAT IS DECLARATIVE DEVICE MANAGEMENT?
A policy is pushed through an Enterprise Mobility Management (EMM) solution such as SOTI MobiControl to ensure that no device can connect to a blocked website (for example, YouTube.com). When a user tries to access the blocked website, the device proactively “declares” to SOTI MobiControl that an attempt to visit YouTube.com has been made.
An IT administrator sees that the attempt has been made and blocks the website. The admin can also send a message to the device user stating that visiting YouTube.com is not permitted.
At WWDC 2023, Apple announced additional advancements to DDM:
- EMM and DDM for watchOS: This is a two-pronged announcement. Organizations can now deploy and configure Apple Watches alongside the other Apple devices they use for business-critical mobile operations. However, DDM is required for watchOS management. And just as with Apple smartphones and tablets, DDM for watchOS allows Apple Watches to “declare” when changes have been made to their configurations, activations, assets, status and management settings.
- Software Update Management: DDM now includes new ways to install, enforce, defer and verify software updates for macOS, iOS and iPadOS devices. IT administrators can enforce software updates for immediate delivery of new features and bug fixes. They can defer OS updates for testing prior to deployment. They can also verify that devices have actually been updated once they have been instructed to do so.
- App Management: DDM now does some interesting things when it comes to app management. Users can be shown a list of suggested apps which are downloaded to the device but not installed. Users can choose when to install a suggested app without needing to go through the EMM or constantly click intrusive consent prompts. DDM tells the IT administrator when the app has been downloaded and is in use. Should an issue arise, the admin is able to resolve it quickly.
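As an added example (not code from the SOTI post or from Apple), the script below builds a DDM software-update enforcement declaration and then does the verification step described above: it classifies what each device reports back as compliant, pending or overdue against the target version and deadline. The declaration type name and payload keys are my understanding of Apple's published DDM schema and should be confirmed against Apple's declaration documentation; the fleet report is constructed sample data.

```python
"""Added example (not the SOTI post's or Apple's own code): build a DDM
software-update enforcement declaration and check what devices report back.
Type name and payload keys follow Apple's published DDM schema as I recall it;
treat them as an assumption and confirm against Apple's declaration docs."""
import json
from datetime import datetime

DECLARATION_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
LOCAL_DT_FORMAT = "%Y-%m-%dT%H:%M:%S"  # TargetLocalDateTime carries no time zone


def build_enforcement_declaration(identifier, target_os, enforce_by_local, details_url=None):
    """Return the declaration the EMM would serve; rejects a malformed deadline early."""
    datetime.strptime(enforce_by_local, LOCAL_DT_FORMAT)  # raises ValueError if malformed
    payload = {"TargetOSVersion": target_os, "TargetLocalDateTime": enforce_by_local}
    if details_url:
        payload["DetailsURL"] = details_url
    return {"Type": DECLARATION_TYPE, "Identifier": identifier, "Payload": payload}


def parse_version(text):
    """'14.1' -> (14, 1, 0): pad to three parts so 14.1 compares equal to 14.1.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def check_compliance(declaration, reported_os, now_local):
    """'compliant' if at/above target; otherwise 'pending' before the deadline,
    'overdue' after it (the devices an admin should chase)."""
    payload = declaration["Payload"]
    deadline = datetime.strptime(payload["TargetLocalDateTime"], LOCAL_DT_FORMAT)
    if parse_version(reported_os) >= parse_version(payload["TargetOSVersion"]):
        return "compliant"
    return "overdue" if now_local >= deadline else "pending"


def evaluate_fleet(declaration, fleet, now_local_text):
    """Map device name -> status for (name, reported_os) pairs."""
    now_local = datetime.strptime(now_local_text, LOCAL_DT_FORMAT)
    return {name: check_compliance(declaration, ver, now_local) for name, ver in fleet}


if __name__ == "__main__":
    # Constructed sample fleet report, not real device data.
    fleet = [("mac-01", "14.1"), ("mac-02", "13.6.1"), ("mac-03", "14.0")]
    decl = build_enforcement_declaration("softwareupdate.macos-14.1", "14.1",
                                         "2023-11-15T09:00:00")
    print(json.dumps(decl, indent=2))
    print(evaluate_fleet(decl, fleet, "2023-11-16T09:00:00"))
```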
Protecting Data and Devices: Enhancements to Automated Device Enrollment
WHAT IS AUTOMATED DEVICE ENROLLMENT?
Automated Device Enrollment lets you automate Mobile Device Management (MDM) enrollment and simplify initial device setup. You can supervise devices during activation without touching them, and lock MDM enrollment for ongoing management.
Automated Device Enrollment (ADE) allows organizations to ensure certain security configurations are in place before deploying Macs to end users and having them log in for the first time. At Apple WWDC 2023, the following ADE enhancements were announced for macOS 14:
- Enforce FileVault: FileVault encrypts data so that if the Mac is stolen, lost or accessed without authorization, the data remains secure. Now, macOS 14 allows solutions like SOTI MobiControl to require FileVault during setup. A critical component of FileVault is the recovery key, and at the Setup Assistant phase there are two options: the recovery key can be shown to the end user for future reference, or it can be escrowed to the EMM/MDM solution.
- Minimum OS Version Requirement: Administrators can require Macs to be on a minimum OS version before enrollment. If the device isn’t on the required OS version, ADE will guide the user to update accordingly. The Mac will restart automatically after the update is complete.
- Network Connection Safeguards: Currently, if a Mac doesn’t connect to a network, ADE skips the enrollment process into the EMM solution and a notification appears requesting enrollment. Now, once the Mac connects to a network, the user is presented with two options:
- To continue the enrollment process
- Delay the enrollment process by a maximum of eight hours, after which the device will be required to enroll into EMM
Faster Deployment: Enhancements to iOS and iPadOS
In many organizations, when an employee leaves or moves to a new department, the iOS or iPadOS device they were using gets passed to another worker. Of course, this involves wiping the device and setting it back up. Although the device can be erased remotely, getting it back into service can be a manual process, as someone needs to physically handle the device and take it through the setup process.
That now changes with the introduction of Return to Service for iOS and iPadOS. Using SOTI MobiControl as an example, here’s how it works: the EMM server sends an erase command to the device. But included in the erase command are other commands, including:
- Reset the device
- Connect to Wi-Fi
- Enroll into SOTI MobiControl
- Return to the Home Screen
Previously, these steps may have been done manually, which meant either shipping the device back to IT or having IT come to the device. In either case, the result was the same: a slow, inefficient and costly process that could take days or weeks.
Now, with Return to Service, devices aren’t just erased remotely and quickly; they’re also set up and ready for the next user in minutes, not days or weeks.
Better Identity Control: Improving Managed Apple ID
Managed Apple IDs are a type of Apple ID designed for use in an organization like a business. They allow employees to sign into devices, apps and services and keep their data synced across devices without needing to use a personal Apple ID. They also allow the organization to own both the account and the data on it.
At WWDC 2021, Apple announced the ability for IT administrators to use Managed Apple IDs to enroll devices which contain personal and corporate data, such as Bring Your Own Device (BYOD) or Corporately Owned Personally Enabled (COPE) devices. This allows for greater separation between the two data sets. On the devices, users access the personal side via their personal Apple ID and the work side through a Managed Apple ID.
Now, at WWDC 2023, Apple improved the separation of personal and corporate data. Instead of enrolling devices through users, IT administrators can enroll devices through accounts. Basically, the enrollment and setup process is the same as before: the user signs into their work account using a Managed Apple ID to enroll the device. What’s different is that the user is then taken to a management screen which informs them what the organization can see and do on the device, without having to download profiles or accept numerous prompts.
Additionally, at Apple WWDC 2023, it was announced that custom identity providers (IdPs) which support OpenID will be available to Managed Apple IDs through Apple Business Manager (ABM). To take advantage of this new feature, the IdP being used (think something like Okta) must support the following:
- OpenID Connect for federated authentication
- System for Cross-Domain Identity Management (SCIM) for Directory Sync
- OpenID Shared Signals
What Does This All Mean?
This year at WWDC 23, Apple in the enterprise is looking to make things easier, smarter, faster and more secure for end users. Speaking of end users, there are going to be more of them: by 2025, it’s expected that 69% of businesses will manage device fleets of 1,000 or more. And those end users want access to personal and corporate data at once, as evidenced by the fact that 70% of employees are comfortable using personal devices for work purposes if there’s clear separation between the two.
Apple’s device management updates at WWDC speak to the above: enrolling and setting up devices is as seamless as possible so that employees get their hands on them sooner and are productive right away. Enhanced security protects devices once they come online. And an improved end user experience, with greater partitioning between personal and corporate data, allows workers to access everything they need on the devices they are comfortable and familiar with.
Learn More About SOTI and Apple
Want to know more? Check out these helpful resources:
- Visit our Apple Management page
- Read our blogs about all things Apple
- Look at success stories for Apple customers and users like yourself
One more thing: Looking forward to seeing you at Apple WWDC 2024.