Our Voice

CWSI Ranked 15th in the Deloitte 2023 Technology Fast 50 Awards.

Learn More

What’s New for iOS 17 and iPad 17 Management.

iOS 17 and iPadOS 17 releases include some interesting new or enhanced features. This blog will give a brief overview of what’s new for enterprise iOS17.

1. Return to Service

With Return to Service, the process of resetting and re-enrolling devices becomes fully automated and much faster. When the MDM solution sends the command to erase a managed device, it can provide the WiFi details and define which MDM solution to enroll the device in.

If the device is registered in Apple Business Manager, the MDM configuration can be omitted. This alerts the device to check for an enrolment profile during activation. When provided, it can be used, for example, in situations where the Automated Device Enrolment would have otherwise required interactive authentication.

Using the provided information, the device erases all data and automatically proceeds to the Home Screen, ready to be used. As part of this process, the previously selected language and region are applied.

Whether or not an existing eSIM is preserved depends on the setting of the PreserveDataPlan key.

Man looking at phone

2. Enforce a Minimum OS Version

MDM solutions can enforce a minimum operating system version when using Automated Device
Enrolment. If the device doesn’t meet the minimum version expected by MDM, the user is guided
through a software update or upgrade before he can continue the enrolment. This ensures that
devices owned by an organisation are on the version required to be put into production.

3. Update to Cellular Connections to iOS and iPadOS

Private 5G and LTE networks

iOS 17 and iPadOS 17 now support Private 5G and LTE networks. MDM administrators can automatically activate private SIMs when an iPhone enters a geofence and allows administrators to prioritise Cellular over Wi-Fi for these networks. Only one Private Cellular Network payload is supported at a time.

Connecting to a private cellular network

To connect an iPhone or iPad to a private cellular network, an eSIM or physical SIM that has been specifically provisioned for that network must be used. The SIM and private cellular network must use a supported Mobile Country Code (MCC) and Mobile Network Code (MNC) that are designated for private network use.

Private network identifiers

iOS 17 and iPadOS 17 support Mobile Country Code 999, the International Telecommunication Union (ITU) standard for identifying private cellular networks. All Mobile Network Codes (MNC) are supported for Mobile Country Code (MCC) 999 private networks.

4. 5G Network Slicing

5G Network Slicing allows mobile network operators to customise traffic through a 5G Standalone network with specific quality of service requirements for network latency, throughput, and packet loss.
This allows a 5G network tailored to meet the needs of different types of apps and services, such as
high-bandwidth video streaming, low-latency communications, and mission-critical business apps.
5G Network Slicing is supported on the following devices:

  • All iPhone 14 and iPhone 14 Pro models
  • iPad Pro 11-inch (4th generation)
  • iPad Pro 12.9-inch (6th generation)

The ability to assign network slices is available through the corresponding MDM app installation and
settings commands or declarative app configuration. (Declarative app configuration will be available
in a future update to iOS 17 and iPadOS 17)

5. MDM with Private Cellular Networks

Some device settings for an organisation’s private 5G and LTE network can be configured using an
MDM solution or a configuration profile containing a Private Cellular Network payload:

  • 5G Standalone: 5G SA is turned off by default, and users can manually turn it on in Settings >
    Cellular. Additionally, organisations can use the new “EnableNRStandalone” key in their Private
    Cellular Network payload.
  • Prioritising Cellular over Wi-Fi: With the new “CellularDataPreferred” key, organisations with private
    5G and LTE networks have the option to prefer using cellular over Wi-Fi when both are available.
    With this setting, supported devices can be set to prefer the private cellular network, while still
    allowing Wi-Fi for services such as AirDrop and AirPlay.
  • Prioritising Cellular over Wi-Fi: With the new “CellularDataPreferred” key, organisations with private 5G and LTE networks have the option to prefer using cellular over Wi-Fi when both are available. With this setting, supported devices can be set to prefer the private cellular network, while still allowing Wi-Fi for services such as AirDrop and AirPlay.
  • Geofence activation: A private network eSIM or physical SIM can automatically be turned on when entering cellular network coverage defined by a geofence, using the new Geofences dictionary with the GeofenceId, Latitude, Longitude and Radius keys. By creating a geofence, the iPhone can seamlessly switch between a private network SIM and a carrier SIM as the user moves in and out of private network coverage. When they enter the geofence, the private network SIM is enabled, and automatically disabled when they exit the geofence and leave private network coverage. This feature is only available when using a single private network eSIM or physical SIM on their iPhone. The Private Cellular Network payload allows defining up to 1000 geofences, each with a radius ranging from 100 meters to 6.5 kilometres.

Preservation of eSIMs during passcode policy wipe

iOS 17 and iPadOS 17 now preserve eSIMs when the device has been erased by passcode policy after
reaching the maximum number of failed passcode attempts and the restriction to prevent eSIM
modifications is enforced. This is a change of behaviour from previous operating systems.

6. 802.1X Support for Ethernet Connections

iPhone and iPad devices running the OS 17 version will support an 802.1X configuration profile for Ethernet connections. This allows connectivity to restricted networks that require authentication. This is also supported in the upcoming tvOS 17 release.

7. Shared iPad Enhancements

Shared iPad allows more than one user to sign into an iPad. The iPad must be supervised before Shared
iPad can be used. We see more and more use cases popping up for Shared iPads. iPadOS 17 included the
following enhancements:

  • Initial sign in: This allows an MDM solution to fully configure Shared iPad for a particular user after they sign in. This ensures that the device is ready to go when the user is presented with the Home Screen.
  • Skip setup: To streamline the sign-in flow even further, a new option tells the device to use the
    Language & Locale system setting for all new users.
  • Temporary session: a Shared iPad configured for temporary sessions now reserves sufficient space to install apps or other media while a user is signed in.

8. New Restrictions

  • User Enrollment Max Inactivity: Users can’t configure Auto Lock to devices never enrolled with User
    Enrollment. This helps to protect organisational data.
  • Tap to Pay: The app attribute TapToPayScreenLock allows a payment app running in the foreground to be used securely without having to provide the passcode to someone else or handing over an unlocked device. If the user tries to switch to another app, they are prompted for authentication.
  • Restrict VPN configuration: This prevents users and third-party apps from adding and creating a VPN configuration on a supervised iPhone or iPad.

9. Support for App Thinning

App thinning is a technology that ensures that an app’s IPA file only contains resources and code that’s
necessary to run the app on a particular device.

iOS 17 & iPadOS 17 will support App Thinning. App Store apps installed using managed distribution will
support App Thinning technology, which downloads and installs only the specific version for the associated platform, allowing for faster downloads and reduced download volume.

This is also supported in the upcoming tvOS 17 release.

10. Supervision Requirements

In a future update to iOS 17 and iPadOS 17, the following restrictions will require a supervised device:

  • Allow Auto Unlock
  • Allow Fingerprint For Unlock
  • Allow Spotlight Internet Results
  • Allow Shared Stream
  • Allow Global Background Fetch When Roaming
  • Allow In App Purchases
  • Safari Allow JavaScript
  • Safari Allow Popups
  • Safari Accept Cookies
  • Allow Bookstore Erotica
  • Rating Apps
  • Rating TV Shows
  • Rating Movies
  • Allow Explicit Content

In a future update, the following properties of the Restrictions payload require a supervised device, but will apply only to personal Apple ID’s:

  • Allow Cloud Photo Library
  • Allow Cloud Document Sync
  • Allow Activity Continuation
  • Allow Cloud Private Relay

Download our Apple for Enterpise Tech Deep Dive Today!

This documentation is designed to help administrators understand the key technologies for securing, managing, and deploying Apple devices at scale, and provide an optimal experience for users. Downloads yours free today by filling out the form below!

Relevant Resources

Our Voice

CWSI Ranked 15th in the Deloitte 2023 Technology Fast 50 Awards.

Learn More

Our Voice

Exploring Cloud Security with Microsoft.

Hear from CWSI’s Client Solution Director, Paul Conaty as he interviews Microsoft Azure expert, Raymond Mulligan, on the best practices to follow when organisations are migrating to cloud

Learn More

Our Voice

CWSI Named Digital Technology Company of the Year.

CWSI, Ireland’s most experienced mobile and cloud security specialist, announces that it has been named Digital Technology Company of the Year at Technology Ireland's 2023 Award ceremony.

Learn More