Apple's announcements at this year's Worldwide Developers Conference have surprised everyone with new capabilities designed to make it easier for IT admins to manage and secure devices.

As we expected, Apple kept expanding declarative management configurations and capabilities for securing iPhones and iPads and for robust management of macOS in the enterprise. There was also a significant emphasis on device management for Apple Vision Pro, adding the ability to enroll visionOS devices via automated device enrollment. Apple also announced new configurations and commands that MDM will support, which will make enterprise use cases more robust.

Here are the main announcements in Apple Business Manager, iOS 18, macOS 15 and visionOS 2.0 that IT admins should be aware of:

General WWDC announcements 

Apple Intelligence

Perhaps the biggest announcement from Apple this year was Apple Intelligence, the new AI introducing Writing Tools, Smart Reply, Reduce Interruptions, Image Playground, etc. Apple Intelligence runs on-device and in Private Cloud Compute, which does not store customer data and protects user privacy. For certain requests, Apple Intelligence has been integrated with ChatGPT. 

Apple has shared that MDM restrictions will be available for Apple Intelligence, including the ability to restrict Siri, Writing Tools, Image Playground, and the ChatGPT integration. IT teams will be able to choose which restrictions best fit their organization. 

Refer to your Appleseed for IT developer program for more information and updates on what's new for IT. 

Apple Business Manager

Customers using Apple Business Manager will be able to take advantage of new capabilities that streamline some operations.

First, Apple has been pushing enterprise use cases toward adopting Managed Apple IDs instead of personal Apple IDs. Apple IDs are now called Apple Accounts, and Managed Apple IDs are called Managed Apple Accounts.

Apple has released a new process to streamline the recognition of the domain so customers can seamlessly convert Apple Accounts to Managed Apple Accounts with low impact on end users. Any Apple Account using a corporate domain can be set to migrate automatically to a managed account. The end user will need to accept this migration. If the end user doesn't accept migration after 30 days, the account will be automatically transformed into a managed account, and the personal Apple Account will be renamed. 

The second feature specific to Apple Business Manager is the ability to manage Activation Lock on devices that are in an organization’s Apple Business Manager account. Previously, when a device was locked and retired from MDM, the only way to repurpose the device was to call Apple service. Now, if the device is enrolled in Apple Business Manager, the IT admin can unlock the device directly from the Apple Business Manager page. 

Lastly, Apple has added the new Apple Vision Pro to the devices that can be onboarded by organizations via automated device enrollment. This new feature will allow devices to be supervised during activation and will simplify the initial device setup. 

Software update enforcement enhancements 

Last year, Apple released new software update enforcement with the ability to set a deadline for all devices to upgrade to a specific version. In this workflow, the end user receives notifications starting 14 days before the deadline. This year, Apple has moved the existing management controls over to declarative device management to give the IT admin much more detailed command over the behavior of the update, similar to what the admin had in the previous model. 

IT admins can control: 

  • Automatic software update behavior. 
  • Rapid Security Response behavior. 
  • Deferral of software updates (one to 90 days). 
  • Whether local administrator authorization is required to update macOS. 
  • Enrollment into beta programs (support for macOS later this year). 
  • Default notification behavior when enforcing software updates. 
  • Visibility (recommended cadence) of software upgrades (iOS and iPadOS only). 

These new settings are meant to be a complete replacement of the previous workflows for software updates via MDM. 

Streamlining OS beta testing in the enterprise 

For customers with rigorous beta testing for each new OS version from Apple, Apple has released an easier way to manage the installation of versions on devices. Enrolling devices into the beta program and controlling the upgrade behavior for those devices can be streamlined and updated as needed.  

First, all devices will need to leverage a feature released last year to allow for automated device enrollment into the beta program. Now, with this year’s release, all the Software Update settings will also be applicable for those devices in beta versions. 

Safari extensions managed via MDM

For a long time, IT admins have been asking for a way to manage and approve Safari extensions to improve the user experience when opening domains. In this release, Apple has made available a new payload that allows or excludes some domains for Safari extensions. 

iOS and iPadOS 

Cellular networks updates 

As with last year, Apple continues to make cellular networks more flexible and robust for customers. Last year, we saw more flexibility in configuring private networks for eSIM devices and creating specific slices on cellular bandwidth for dedicated application network traffic. This year, Apple has added the ability to support multiple private networks and leverage cellular slicing at the per-app VPN level. 

New eSIM management keys include the ability to preserve the eSIM information even when the end user wipes the device and the ability to set up an eSIM with a link or a QR code on the device. 

App Management Security 

Apple added a feature for end users to hide or lock an application. This means the application will require Face ID, Touch ID or a passcode to open and can be hidden from the home screen. Apple will release application-level controls to configure these options via MDM. 

Starting with iOS 18, proprietary in-house apps manually installed without using MDM will require a device restart to complete the trust of the provisioning profile. 

macOS improvements

More flexible management via MDM 

In macOS 14.5, new management tools have been released to manage files via MDM. These include sshd, sudo and PAM. 

In macOS 15, executables, scripts and launchd configuration files can be installed using MDM and are stored in a secure and tamper-resistant location, similar to the service configuration files introduced last year. This provides an easy way for organizations to deploy and control managed services.

Better user experience during authentication 

Authenticating via passwords is always problematic in the enterprise, as users forget passwords and devices get blocked. Leveraging new improvements to the platform, single sign-on and extensible single sign-on with Kerberos, Apple is simplifying authentication for enterprises while providing secure access and a more streamlined experience for the end user. New login policies are available via FileVault, login window and lock screen.

More security via disk management configuration 

In the last release, Apple deprecated the media restriction payload. This year, Apple announced a new declarative device management payload to manage external and network storage. This new disk management configuration will define the mount policy to allow, disallow, or set volumes to read-only, making access to external storage secure and robust. 

Apple Vision Pro improvements 

In the visionOS 1.1 release, enrolling devices into MDM required devices to be registered via Account-Driven Device Enrollment or Account-Driven User Enrollment using a Managed Apple Account. With the announcement of visionOS 2.0, customers will be able to enroll devices via Automated Device Enrollment, allowing them to be supervised and simplifying the initial device setup. Another important improvement is the addition of more commands and payloads for visionOS management, including configurations such as device lock, activation lock, passcode management and others. 

Additionally, Apple released a new set of APIs for visionOS application developers aimed at enhancing the enterprise use case. These new APIs will allow applications to integrate live feeds, screen sharing and QR code scanning, enabling new use cases for support teams to assist remotely with tasks and requirements.  

While the most significant and impactful capabilities released by Apple center on Apple Intelligence, it's clear Apple is also making substantial progress in enhancing enterprise use cases by simplifying the adoption of Managed Apple Accounts for enterprise customers; introducing more granular controls for a robust macOS management experience; and expanding Apple Vision Pro support for Automated Device Enrollment and other enterprise use cases.