How Apple Updates Mobile Device Management

As expected, Apple at WWDC announced a series of significant changes in how Macs, iPads, iPhones, and Apple TVs are managed in business and education environments. These changes fall largely into two groups: those that affect device management overall and those that apply to declarative management (a new type of device management that Apple introduced last year in iOS 15).

It's important to look at each group separately to better understand the changes.

How has Apple changed device management overall?

Apple Configurator

Apple Configurator for iPhone has received a major expansion. Configurator has always been a manual way to enroll iPhones and iPads in management rather than using self-enrollment or automated enrollment tools. The tool originally shipped as a Mac app that could configure devices, but it had one major downside: the devices had to be connected via USB to the Mac running the app. This had obvious implications in terms of time and manpower in anything other than a small environment.

Last year, Apple introduced a version of Configurator for the iPhone that reversed the original workflow, meaning the iPhone version of the app could be used to wirelessly enroll Macs in management. It was primarily used to enroll Macs purchased outside of the Apple business/education channel into Apple Business Manager (Apple products purchased through the channel can be automatically enrolled with zero-touch configuration).

The iPhone incarnation is very simple. During the setup process, you point your iPhone's camera at an animation on your Mac's screen (much like pairing an Apple Watch), and that starts the enrollment process.

The big change this year is that Apple is expanding the use of Apple Configurator for iPhone to support enrolling iPads and iPhones using the same process, eliminating the requirement to connect devices to a Mac. This greatly reduces the time and effort required to enroll these devices. There is one caveat: devices that require cellular activation or are activation locked will need to complete activation manually before using Configurator.

Identity management

Apple has made useful changes to identity management in enterprise environments. Most important: it now offers support for additional identity providers including Google Workspace and OAuth 2, which allows for a wide range of providers. (Azure AD was already supported.) These identity providers can be used in conjunction with Apple Business Manager to create Managed Apple IDs for employees.

The company also announced that support for single sign-on across its platforms will be implemented after the arrival of macOS Ventura and iOS/iPadOS 16 this fall. The goal here is to make user enrollment easier and more streamlined by requiring users to authenticate only once. Apple also announced Platform Single Sign-on, which is an attempt to extend and simplify access to enterprise apps and websites each time users sign in to their device(s).

Per-app managed networking

Apple has long had per-app VPN capabilities, which allow only specific business or work-related apps to use an active VPN connection. This applies VPN security but limits VPN load by sending only specific app traffic over the VPN connection. With macOS Ventura and iOS/iPadOS 16, Apple is adding a per-app DNS proxy and per-app web content filtering. These help secure traffic for specific apps and function like per-app VPN. This doesn't require any changes to the apps themselves. DNS proxy supports system-wide or per-app options, while content filtering supports system-wide or up to seven per-app instances.

eSIM provisioning

For iPhones that support eSIMs, Apple allows mobile device management (MDM) software to configure and provision an eSIM. This can include provisioning a new device, migrating carriers, using multiple carriers, or configuring for travel and roaming.

Managing accessibility settings

Apple is known for its wide range of accessibility features for people with disabilities. In fact, many people without special needs use many of these features. In iOS/iPadOS 16, Apple allows MDM to automatically enable and configure a range of the most popular features, including: text size, VoiceOver, Zoom, Touch Accommodations, Bold Text, Reduce Motion, Increase Contrast, and Reduce Transparency. This will be a welcome tool in areas such as special education or hospital and healthcare situations where devices may be shared between users with special needs.

What's new in Apple's declarative management process?

Apple unveiled declarative management last year as an improvement over the original MDM protocol. Its big advantage is that it moves much of the business logic, compliance, and management from the MDM service to each device. As a result, devices can proactively monitor their own state. This eliminates the need for an MDM service to constantly poll the state of its devices and then issue commands in response. Instead, devices make those changes based on their current state and on declarations sent to them, and report them back to the service.

Declarative management relies on declarations containing things like activations and configurations. One advantage is that a declaration can include multiple configurations as well as activations that indicate when or whether a configuration should be activated. This means that a single declaration can include all configurations for all users, paired with activations indicating which users they should apply to. This reduces the need for large sets of different configurations, since the device itself can decide which ones should be enabled based on its user.

This year, Apple has expanded where declarative management can be used. Initially, it was available only on iOS/iPadOS 15 devices that used User Enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 will be supported, regardless of enrollment type. This means device enrollment (including supervised devices) is supported across the board, as is Shared iPad (the type of enrollment that allows multiple users to share the same iPad, each with their own configuration and files).

The company has made it clear that declarative management is the future of Apple device management and that any new management features will be delivered only in the declarative model. Although traditional MDM will be available for some indefinite time, it has been deprecated and will eventually be discontinued.

This has major implications for the hardware already in use. Devices that cannot run macOS Ventura or iOS/iPadOS 16 will eventually be dropped, and any such device still in service will need to be replaced. As that hardware loses support, it could lead to a costly transition for some organizations. Although it isn't immediate, you should start determining the size and cost of the transition and how you're going to manage it (particularly because it will likely require a move to Apple Silicon, which doesn't support the ability to run Windows or Windows apps, in the process).

In addition to expanding the products that can use declarative management, Apple has also expanded its functionality, including support for passcode configuration, enterprise accounts, and MDM-managed app installation.

The passcode option is more complicated than simply requiring a passcode of a certain type. Passcode compliance is usually required for some security-related configurations, such as sending a corporate Wi-Fi configuration to a device. In the declarative model, these configurations can be sent to the device before the passcode is set. They are sent together with the passcode requirements and include an activation that will only be enabled once the user has created a passcode that complies with the policy. Once the user sets a passcode, the device will detect the change and enable the Wi-Fi configuration without multiple connections to the MDM service, enabling Wi-Fi immediately and notifying the service that it has been activated.
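
The passcode-gated activation described above, and the per-user activations described earlier, as an added Python example that is not from the original article or from Apple: a simplified model in which the device itself decides which configurations are active and what to report back. The field names (`requires`, `passcode_compliant`, `role`) and all data are assumptions made for illustration, not Apple's declaration schema.

```python
# Added example: simplified model of device-side activation evaluation.
# Field names and data are constructed; this is not Apple's declaration schema.

DECLARATIONS = {
    "configurations": {
        "passcode-policy": {"min_length": 6},
        "corp-wifi": {"ssid": "ExampleCorp"},
        "sales-mail": {"account_type": "mail"},
    },
    "activations": [
        # An empty "requires" means the configuration is always active.
        {"requires": {}, "configurations": ["passcode-policy"]},
        {"requires": {"passcode_compliant": True},
         "configurations": ["corp-wifi"]},
        {"requires": {"passcode_compliant": True, "role": "sales"},
         "configurations": ["sales-mail"]},
    ],
}


def active_configurations(declarations, status):
    """Return the configuration ids whose activation conditions hold.

    A status key the device cannot report counts as not satisfied, so a
    gated configuration stays off until compliance is positively known.
    """
    known = declarations["configurations"]
    active = []
    for activation in declarations["activations"]:
        satisfied = all(status.get(key) == want
                        for key, want in activation["requires"].items())
        if not satisfied:
            continue
        for ident in activation["configurations"]:
            if ident not in known:
                raise KeyError(f"unknown configuration {ident!r}")
            if ident not in active:
                active.append(ident)
    return active


def status_report(declarations, old_status, new_status):
    """Describe what a local state change turned on or off, for the service."""
    before = set(active_configurations(declarations, old_status))
    after = set(active_configurations(declarations, new_status))
    return {"activated": sorted(after - before),
            "deactivated": sorted(before - after)}
```

The same evaluation runs in reverse: if the passcode later stops complying, the gated Wi-Fi configuration drops out of the active set and appears under `deactivated` in the report.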

Accounts, which can include things like mail, notes, and subscribed calendars, work similarly. The declaration can specify all supported account types within the organization as well as all subscribed calendars. The device will then decide, based on the user's account and role(s) within the organization, which to activate and enable.

MDM app installation is the most important addition to declarative management, since app installation is one of the tasks that places the greatest load on an MDM service and is the biggest bottleneck during mass device activations (such as new employees joining, new device rollouts, or the first day of school). The declaration can specify all potential apps that will be installed and can be sent to a device upon activation, even before it is handed over to its user. Again, the device will determine which app installation configurations will be activated and made available, based on the user. This avoids each device having to repeatedly query the service and download apps and their configurations. It also simplifies and speeds up the process of enabling (or disabling) apps if a user's role changes.

These are significant improvements, and it's easy to see why they were the first additions to declarative management after its initial rollout. There are still MDM capabilities that haven't made the leap to declarative use, but they clearly will eventually, perhaps as soon as next year.

These are some of WWDC's most important announcements for enterprises, and it's good to see that Apple has been thoughtful in deciding which features to add or update, since most of them address areas that were challenging, time-consuming, resource-intensive, or tedious. Apple not only addresses the needs of enterprise customers, it demonstrates that it understands those needs.

Copyright © 2022 IDG Communications, Inc.