
    How Apple is updating mobile device management

As expected, Apple at WWDC introduced a series of significant changes to how Macs, iPads, iPhones, and Apple TVs are managed in enterprise and education environments. These changes largely break into two groups: those that affect overall device management and those that apply to declarative management (a new type of device management Apple introduced last year in iOS 15).

It's important to look at each group separately to best understand the changes.

How did Apple change overall device management?

Apple Configurator

Apple Configurator for iPhone got a significant expansion. It's long been a manual method of enrolling iPhones and iPads in management rather than using automated or self-enrollment tools. The tool initially shipped as a Mac app that could configure devices, but it had one major downside: devices had to be connected via USB to the Mac running the app. This had obvious implications in terms of time and manpower in anything other than a small environment.

Last year, Apple introduced a version of Configurator for iPhone that reversed the workflow of the original, meaning an iPhone version of the app could be used wirelessly to enroll Macs into management. It was mainly used to enroll Macs that were purchased outside of Apple's enterprise/education channel into Apple Business Manager (Apple products purchased through the channel can be auto-enrolled with zero-touch configuration).

The iPhone incarnation is incredibly simple. During the setup process, you point an iPhone camera at an animation on the Mac's screen (much like pairing an Apple Watch) and that triggers the enrollment process.

The big change this year is that Apple expanded the use of Apple Configurator for iPhone to support iPad and iPhone enrollment using the same process, removing the requirement that devices be attached to a Mac.
This greatly reduces the time and effort needed to enroll these devices. There's one caveat: devices that require cellular activation or have been activation locked will need that activation to be completed manually before Configurator can be used.

Identity management

Apple has made useful changes for identity management in enterprise environments. The most significant: it now offers support for additional identity providers including Google Workspace and OAuth 2, which allows an expansive set of providers. (Azure AD was already supported.) These identity providers can be used in conjunction with Apple Business Manager to generate Managed Apple IDs for employees.

The company also announced that support for single sign-on enrollment across its platforms will be implemented after macOS Ventura and iOS/iPadOS 16 arrive this fall. The goal here is to make user enrollment easier and more streamlined by requiring users to authenticate only once. Apple also announced Platform Single Sign-on, an effort to extend and streamline access to enterprise apps and websites each time users log in to their device(s).

Managed per-app networking

Apple has long had per-app VPN capabilities, which allow only specific business or work-related apps to use an active VPN connection. This applies VPN security, but limits VPN load by only sending specific app traffic over a VPN connection. With macOS Ventura and iOS/iPadOS 16, Apple is adding per-app DNS proxy and per-app web content filtering. This helps secure traffic for specific apps and functions the same as per-app VPN. And this requires no changes to the apps themselves.
DNS proxy supports system-wide or per-app options while content filtering supports system-wide or up to seven per-app instances.

E-SIM provisioning

For iPhones that support eSIMs, Apple is making it possible for mobile device management (MDM) software to configure and provision an eSIM. This can include provisioning a new device, migrating carriers, use of multiple carriers, or configuration for travel and roaming.

Managing Accessibility settings

Apple is well known for its expansive set of Accessibility features for people with special needs. In fact, many people without special needs also use several of these features. In iOS/iPadOS 16, Apple is allowing MDM to enable and configure a handful of the most common features automatically, including: text size, VoiceOver, Zoom, Touch Accommodations, Bold Text, Reduce Motion, Increase Contrast, and Reduce Transparency. This will be a welcome tool in such areas as special education or hospital and healthcare situations where devices may be shared among users with special needs.

What's new in Apple's Declarative Management process?

Apple unveiled Declarative Management last year as an improvement over its original MDM protocol. Its big advantage is that it moves much of the business logic, compliance, and management from the MDM service to each device. As a result, devices can proactively monitor their state. That eliminates the need for the MDM service to constantly poll for device state and then issue commands in response. Instead, devices make these changes based on their current state and on the declarations sent to them, and report them back to the service.

Declarative management relies on declarations that contain things like activations and configurations.
One advantage is that a declaration can include multiple configurations as well as the activations that indicate when or if the configuration should be activated. This means a single declaration can include all the configurations for all users, paired with activations that indicate to which users they should apply. This reduces the need for large sets of different configurations, as the device itself can determine which ones should be enabled for the device because of its user.

This year, Apple has expanded where Declarative Management can be used. Initially, it was available only on iOS/iPadOS 15 devices that leveraged user enrollment. Going forward, all Apple devices running macOS Ventura or iOS/iPadOS/tvOS 16 will be supported, regardless of their enrollment type. That means device enrollment (including Supervised devices) is supported across the board, as is shared iPad (an enrollment type that allows multiple users to share the same iPad, each with his or her own configuration and data).

The company has made it crystal clear that Declarative Management is the future of Apple device management and that any new management features will be rolled out only to the declarative model. Although traditional MDM will be available for some unspecified time, it has been deprecated and will eventually be retired.

This has major implications for devices already in use. Devices that can't run macOS Ventura or iOS/iPadOS 16 will eventually be dropped and any that remain in service will need to be replaced. Given the swath of devices losing support, this could make for a costly transition for some organizations.
Although it isn't immediate, you should begin to determine the size and cost of the transition and how you'll manage it (particularly since it will likely require a transition to Apple Silicon, which doesn't support the ability to run Windows or Windows apps, in the process).

Beyond expanding what products can use declarative management, Apple also extended its functionality, including support for passcode configuration, enterprise accounts, and MDM-governed app installation.

The passcode option is more complex than simply requiring a passcode of a certain type. Passcode compliance is traditionally required for certain security-related configurations, such as sending the corporate Wi-Fi configuration to a device. In the declarative model, these configurations can be sent to the device before a passcode is set. They are sent along with the passcode requirement and include an activation that will only enable it once the user creates a passcode that complies with that policy. Once the user sets a passcode, the device will detect the change and enable the Wi-Fi configuration with a number of connections to the MDM service, enabling Wi-Fi immediately and notifying the service it has been activated.

Accounts, which can include things such as mail, notes, calendar, and subscribed calendars, function similarly. A declaration can specify all the types of accounts supported within the organization as well as all the subscribed calendars. The device will then determine, based on the user's account and role(s) within the organization, which to activate and enable.

MDM app installation is the most significant addition to declarative management, since app installation is one of the tasks that places the most load on an MDM and the biggest bottleneck during mass device activations (such as a large onboarding of new employees, new device rollouts, or the first day of school).
A declaration can specify all the possible apps to be installed and sent to a device at activation, even before it has been handed to its user. Again, the device will determine which app installation configurations to activate and make available, based on the user. This avoids each device having to repeatedly query the service and download apps and their configurations. It also simplifies and speeds up the process of enabling (or disabling) apps if a user's role changes.

These are significant enhancements and it's easy to see why they're the first additions to Declarative Management after its initial rollout. There are still MDM capabilities that haven't made the leap to declarative use, but it's obvious that eventually, perhaps as soon as next year, they will.

This is one of the most significant WWDC announcements for enterprise and it's good to see that Apple has been thoughtful in deciding which features to add or update, since most of them address areas that were difficult, time consuming, resource intensive, or tedious. Apple is not just addressing enterprise customer needs, but demonstrating that it understands those needs.
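
The passcode-gated Wi-Fi and role-based app activation described above can be modeled in a few lines. This is an added example, not code from the article or from Apple: the identifiers, field names and predicates are hypothetical and do not follow Apple's declaration schema. It shows configurations delivered up front, activations evaluated on the device against local state, and status reported only when something changes.

```python
# Simplified, hypothetical model of device-side activation evaluation.
from dataclasses import dataclass, field
from typing import Callable
MIN_PASSCODE_LEN = 6  # constructed policy value

@dataclass
class Activation:
    ident: str
    configurations: list                      # configuration ids it turns on
    predicate: Callable[[dict], bool] = lambda state: True

@dataclass
class Device:
    configurations: dict                      # id -> payload, all delivered up front
    activations: list
    state: dict = field(default_factory=dict)   # device-local facts
    active: set = field(default_factory=set)
    outbox: list = field(default_factory=list)  # status reports for the server

    def evaluate(self):
        """Recompute the active set locally and report only what changed."""
        wanted = set()
        for act in self.activations:
            try:
                ok = bool(act.predicate(self.state))
            except (KeyError, TypeError):
                ok = False                    # missing or malformed state fails closed
            if ok:  # skip references to configurations that were never delivered
                wanted |= {c for c in act.configurations if c in self.configurations}
        for ident in sorted(wanted ^ self.active):
            self.outbox.append((ident, "active" if ident in wanted else "inactive"))
        self.active = wanted
        return wanted

    def update_state(self, **changes):
        """A local state change triggers re-evaluation; the server is not polled."""
        self.state.update(changes)
        return self.evaluate()

def build_device():  # constructed sample, delivered before any passcode is set
    return Device(
        configurations={"passcode.policy": {"min_length": MIN_PASSCODE_LEN},
                        "wifi.corp": {"ssid": "EXAMPLE-CORP"},
                        "app.charting": {"bundle": "com.example.charting"}},
        activations=[
            Activation("always", ["passcode.policy"]),
            Activation("after-passcode", ["wifi.corp"], lambda s: s["passcode_len"] >= MIN_PASSCODE_LEN),
            Activation("clinical-staff", ["app.charting"], lambda s: s["role"] in {"nurse", "physician"}),
        ])
```

Because a predicate that cannot be evaluated counts as false, the Wi-Fi payload stays inactive on a device that has not yet reported any passcode state.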

    Copyright © 2022 IDG Communications, Inc.
