Discover the new security and management features in Apple operating systems and apps. Learn the newest updates to the Apple mobile device management (MDM) framework, which is a supplement to the Apple Platform Deployment, Apple Platform Security, and Security Certifications and Compliance Center documentation.
Apple App Updates
1. Apple Configurator Updates
With Apple Configurator, you can now update software, install apps, configure profiles, rename devices and change their wallpapers, export device information and documents, and much more. The program has been available on macOS for years. Last year it found its way to iOS.
Apple Configurator for iPhone
Since its introduction, Apple Configurator for iPhone has been used by administrators to add devices to their Apple Business Manager. Adding a device is a two-step process. First, the device needs to be added to the organisation. Next, a user with the role of Device Enrolment Manager needs to sign into Apple Business Manager and assign the device to the correct MDM server. With the new update assigning a device to an MDM solution can be performed during the registration.
The user has three options to choose from when looking to assign devices:
- Don’t assign to an MDM server.
- Assign to the default MDM server configured for its type, for example iPad.
- Assign to one of the organisation’s MDM servers.
The list of available MDM servers is provided automatically after the user signs in with their Managed Apple ID.
Apple Configurator for Mac
Apple Configurator for Mac supports Shortcuts, which allows the creation of custom workflows for iPhone and iPad devices. Shortcuts can be used to automate updates, restores, erases, to prepare actions on devices, and to install configuration profiles. Additionally, a new, automatic option can run Shortcut actions when devices are connected.
2. New API for app and book metadata
A new API for MDM solutions provides an easier and more efficient way to retrieve information about App Store apps, including details like icons, description, developer information, and other metadata.
This API replaces the existing contentMetadataLookup server API and provides new customisation and versioning features, in addition to better performance and uptime.
Apple Identity & Security Updates
1. Additional Managed Apple ID Services
Additional iCloud and Continuity services are enabled for Managed Apple ID’s. This includes support for iCloud Keychain and Apple Wallet. New access management controls allow organisations to restrict access to specific services and define which management state a device should be in when a user signs in with their Managed Apple ID. The following platform features and services can now also be accessed with a Managed Apple ID:
- Continuity: AirPlay to Mac, Auto Unlock, Continuity Camera, Continuity Markup and Sketch, Handoff, Instant Hotspot, iPhone cellular calls, Sidecar, SMS, Universal Clipboard, and Universal Control.
- iCloud Keychain: Users can securely store and access credentials (including passkeys) on all approved devices.
- Apple Wallet: Users can add cards and passes to Apple Wallet including the possibility to use Apple Pay.
- Developer account: If allowed, Managed Apple IDs created in Apple School Manager can participate in the Apple Developer Program.
Account-Driven Device Enrollment
Account-driven Device Enrolment allows users to easily enrol their company owned iPhone, iPad, and Mac into MDM. Instead of manually downloading and installing an enrolment profile, the user can start the process right from Settings (iPhone and iPad) and System Settings (Mac).
To streamline the enrolment process even further, iPhone and iPad devices can use enrolment single sign-on to reduce repeated authentication prompts.
The resulting enrolment is similar to profile-based Device Enrolment but separates work and personal content. On macOS, it also enables supervision. With Account-driven Device Enrolment you can use a Managed Apple ID and a Personal Apple ID on the same device.
For devices enrolled through account-driven enrolment, you will be able to use your Managed Apple ID to sign in to managed iOS, iPadOS, and macOS apps that use Sign in with Apple. This allows you to use your work account for work apps and your personal account for personal apps. If the app uses a web view for authentication or you are using Safari, clicking “Use a different Apple ID” lets you enter a Managed Apple ID to complete the sign in.
The new release of Managed Apple ID’s includes controls that allow organisations to choose which iCloud services and features can be accessed with a Managed Apple ID. These controls also allow access based on the specific device state:
- Any device
- Managed devices only
- Supervised and managed devices only
These policies are managed in Apple Business Manager.
2. Managed Device Attestation
Managed Device Attestation is now available in macOS Sonoma (in addition to iOS, iPadOS, and tvOS). Managed Device Attestation allows Mac computers to use the Secure Enclave and cryptographic attestations to provide strong assurances about their identity and security posture. This helps prevent attackers from extracting credentials, spoofing legitimate devices, or lying about the properties of a device.
macOS Sonoma supports the creation of hardware-bound private keys within the data protection keychain for certificates issued using the Automated Certificate Management Environment (ACME) protocol. Those keys are only available on a specific device and can be used for authentication with MDM, 802.1X networks, the built-in VPN client, and the built-in network relay.
Hardware-bound keys are also automatically removed when erasing or restoring a Mac. Because these keys are removed, any configuration profiles relying on those keys won’t work after a restore. The profile must be applied again to get the key recreated.
Network Relays in iOS, iPadOS, macOS and tvOS
A new built-in relay supports secure and transparent tunnelling of traffic as an alternative to using VPN when accessing internal resources. Using the new com.apple.relay.managed payload, a secure HTTP/3 or HTTP/2 relay can be configured to proxy all TCP and UDP traffic. This configuration allows defining match and exclusion domains and can apply to managed apps, domains, or the entire device.
This relay configuration option:
- Is built into iOS 17, iPadOS 17, macOS Sonoma, and tvOS 17.
- Can be used in conjunction with iCloud Private Relay.
- Doesn’t require an app.
Declarative Device Management Update
Declarative device management was launched in 2021 and was announced as a new way of managing devices that requires only lightweight server controls. Adoption of this new framework had a slow start, but we have seen more and more MDM vendors adding it to their platforms.
“The focus of new protocol features is declarative device management.”
1. Managing Software Updates
Declarative device management can now be used to manage updates in iOS, iPadOS, and macOS. It provides new options for when and how a software update or upgrade should be enforced.
Users get additional information in Settings (iOS and iPadOS) and System Settings (macOS) when an update is requested and when it’s enforced, which increases transparency. Additional notifications are shown more frequently leading up to the enforcement date. To ensure that these notifications are displayed to the user, the Do Not Disturb feature is ignored. This allows users to select the most appropriate time to perform the update.
Using declarative status reports, MDM solutions can also get increased transparency about the status of the update, for example, waiting for, downloading, or installing the update.
Meaningful error codes have been added in case an update couldn’t be performed or was unable to be completed. Some examples are if the device was offline, if the battery charge was too low, or if not enough free space was available.
The declarative profiles always take precedence over MDM commands and are available for macOS, iOS & iPadOS.
2. Securing Devices
Support for a managed set of service configurations in macOS
A new asset type supports a robust and tamper-resistant way to deploy managed configurations for common system services.
This asset type allows the creation of a managed set of common service configurations. The files must be distributed as a .zip archive and can contain either a single file or an entire directory.
When the configuration is activated, the archive is downloaded and expanded into a special tamper-proof, service-specific location. The service-specific location can be programmatically found by calling a function in a new public library, so that any service can adopt managed service configuration files.
The following built-in services have been modified to look for managed service configuration files, which take precedence over built-in settings:
- sshd
- sudo
- PAM
- CUPS
- Apache
- zsh (/private/etc/zprofile)
- bash (/private/etc/profile)
Additionally, declarative device management can monitor background tasks and FileVault status on macOS.
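As an added example (not Apple’s code or the page’s own), the Python below sketches the server side of the two declaration types discussed above: the software update enforcement declaration, and the data asset plus configuration that deliver a managed service-configuration archive. The Type strings and payload keys follow Apple’s published declaration schema as recalled here and should be checked against it; the hex encoding of Hash-SHA-256, the identifiers, the sample sshd_config and the URLs are assumptions or constructed values.

```python
import hashlib, io, json, re, zipfile

def declaration(dtype, identifier, payload):
    """Common DDM envelope. ServerToken is derived from the payload bytes, so it
    changes exactly when the content does and the device knows to re-sync."""
    token = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()[:32]
    return {"Type": dtype, "Identifier": identifier, "ServerToken": token, "Payload": payload}

def software_update_enforcement(identifier, target_version, local_deadline, details_url=None):
    """Enforce target_version by local_deadline. TargetLocalDateTime is ISO 8601
    *local* time without a zone suffix (schema assumption), so 'Z'/offsets are rejected."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}", local_deadline):
        raise ValueError("TargetLocalDateTime must look like 2024-03-01T09:00:00")
    payload = {"TargetOSVersion": target_version, "TargetLocalDateTime": local_deadline}
    if details_url:
        payload["DetailsURL"] = details_url
    return declaration("com.apple.configuration.softwareupdate.enforcement.specific", identifier, payload)

def zip_service_config(files):
    """Pack {path: text} into the .zip archive the data asset must reference."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def service_config_declarations(service_type, archive, data_url):
    """Asset + configuration pair for a managed service-configuration set. Size and
    SHA-256 are pinned in the asset, so a swapped or modified archive is rejected by
    the device instead of expanded. Key names (Reference, DataURL, Hash-SHA-256 as hex,
    ServiceType, DataAssetReference) are assumptions from the published schema."""
    asset = declaration("com.apple.asset.data", f"{service_type}.files", {"Reference": {
        "DataURL": data_url, "ContentType": "application/zip", "Size": len(archive),
        "Hash-SHA-256": hashlib.sha256(archive).hexdigest()}})
    config = declaration("com.apple.configuration.services.configuration-files",
                         f"{service_type}.config",
                         {"ServiceType": service_type, "DataAssetReference": asset["Identifier"]})
    return asset, config

# Constructed sample: hardened sshd_config fragment for the com.apple.sshd ServiceType.
SSHD_ARCHIVE = zip_service_config({"sshd_config": "PasswordAuthentication no\nPermitRootLogin no\n"})
SSHD_ASSET, SSHD_CONFIG = service_config_declarations(
    "com.apple.sshd", SSHD_ARCHIVE, "https://mdm.example.com/assets/sshd.zip")  # placeholder URL
UPDATE = software_update_enforcement("org.example.update", "17.4", "2024-03-01T09:00:00")
```

Serving the asset at a URL that the device fetches is what makes the pinned Size and Hash-SHA-256 matter: regenerate both, and the ServerToken, whenever the archive changes.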
MDM already includes profile payloads that can be used to create certificates and identities in the keychain of devices. It also supports provisioning identities via the ACME and SCEP protocols and retrieving certificates via a certificate list command.
Unfortunately, there are some limitations on what MDM can do. MDM certificate or identity payloads can be referenced by one or more other payloads within the same profile. However, references to certificates or identities in other profiles are not allowed. This means profiles either have to become larger to accommodate all payloads referencing the same item, or certificates and identities have to be duplicated across multiple profiles, which means more work to keep them up to date. Also, when a certificate or identity does need to be refreshed, all the other payloads in the profile will be updated in the system, which can be disruptive to the user experience.
Declarative device management can provide a more efficient mechanism for managing certificates and identities by utilising the full power of its declaration data model.
Identities can be deployed using ACME, SCEP, or an encrypted PKCS#12 container, and certificates as .pem or .der encoded files. If the certificate is a self-signed Certificate Authority (CA), it’s automatically added to the device’s trusted root certificates.
The Mail and Exchange configurations are updated to support a certificate asset for S/MIME, making encrypted mail communication even easier. This new feature is now available for iOS and iPadOS. In addition, the status for certificates and identities can be reported, including providing quick feedback when ACME and SCEP identities are provisioned without the need for polling.
This feature makes it easy to transition from traditional MDM profiles to declarative configurations. Declarative device management is built in and can be used in parallel with MDM to add new management capabilities, allowing you to migrate.
Implementing declarative device management in MDM is as simple as sending the MDM Declarative Management command to the device and syncing over a set of declarations that get activated on the device. Then the server listens to incoming status reports.
To make this transition easy, a legacy profile configuration was created to allow existing MDM profiles to be sent as a configuration, enabling profiles to take full advantage of the autonomous and proactive behaviour of declarative device management. Doing that involves removing the existing MDM profile first, then sending and activating a configuration that installs that same profile. This can be a disruptive process causing things like accounts to have to refresh all their data or leaving a management gap in which restrictions are missing from the device for a short while.
Declarative device management now supports taking over management of already installed MDM profiles without the need to remove them. To make use of this feature, all a server must do is send and activate a configuration that contains the same profile as one already installed by MDM. The declarative device management system will then take over management of that profile without reinstalling or updating it. At that point, declarative device management owns the profile and MDM will not be able to make changes to it any longer. There is no disruption to the device state the profile is managing and there is no management gap. This makes it much easier to transition from MDM to declarative device management.
This new behaviour is available on all platforms.
Other new declarations:
- Install a profile containing declarations from within (System) Settings for testing purposes. This option can be used to install accounts, legacy profiles, passcode, and screen sharing configurations, and certificates and identities.
- Declarative device management can be used to configure host settings and connection settings for Screen Sharing
Download our Apple for Enterprise Tech Deep Dive Today!
This documentation is designed to help administrators understand the key technologies for securing, managing, and deploying Apple devices at scale, and provide an optimal experience for users. Download yours free today by filling out the form below!