Though it didn't make the WWDC keynote, Apple did unveil some changes to the device management features used by businesses and schools for iPhones, iPads, Macs, and even Apple TVs. Those tweaks and updates were discussed at a developer session that took place earlier this month, and they highlight areas IT admins should be focusing on now, before the arrival of iOS 12 and macOS Mojave this fall.
Apple Business Manager arrives
One fairly new option that's already available in this area is the Apple Business Manager, which was unveiled in the spring and went live to U.S. customers earlier this month. (It is now available in 34 countries, with more expected to be added this summer.)
Apple Business Manager builds on Apple's existing systems for mass activation, configuration and deployment of Apple devices. The solution makes it possible - even easy - to enroll and configure Macs, iOS devices and Apple TVs automatically without IT departments ever needing to touch the devices. The two existing systems that underlie Apple Business Manager are Apple's Device Enrollment Program (DEP) and its Volume Purchase Program (VPP), including the Managed Distribution options for app deployment.
Two things Apple Business Manager doesn't do
First and foremost, it doesn't replace MDM (mobile device management) or EMM (enterprise mobility management) solutions on the market. Apple Business Manager exists to streamline the on-boarding of corporate devices so they can be enrolled in an existing management solution. Since it doesn't enroll devices not purchased by a company, it sits outside the realm of BYOD devices.
Apple, in fact, seems to have turned its focus away from BYOD over the past few years.
Secondly, Apple Business Manager doesn't enable multi-user iOS devices. One of the major features of Apple School Manager and its Classroom app was its support for shared iPads in schools where one iPad per student wasn't feasible. This Shared iPad feature allows student work, including device and app state, to be saved to the cloud after a class and reloaded the next time that student logs in. That effectively turns the iPad into a multi-user device with a profile that is applied each time a student uses it.
When Apple introduced these features two years ago, many Apple watchers (including me) assumed this shared device capability would eventually move to enterprise environments and potentially even into homes. So far, it has remained in the K-12 education market only. It's possible that Apple may migrate this capability over at some point, but it hasn't done so yet.
EMM controls that will disappear for BYOD devices
Apple noted that several controls currently available on all managed devices are being deprecated for devices that are merely managed and will remain only on those that are supervised as well. Supervised devices are those owned and tightly managed by a business using a superset of tools that go beyond the management features available to every enrolled device, BYOD hardware owned by employees or contractors included.
In effect, Apple is reiterating a change originally announced at WWDC in 2017. While it expected to move a number of controls to supervised devices this year (see list below), it's delaying the move until 2019 after feedback from enterprise customers who aren't ready with alternatives.
Apple, the company whose products largely created and drove the BYOD movement, seems to be moving away from that BYOD model and downplaying the benefits of allowing employees to use their own devices; instead, Apple is encouraging companies to purchase devices themselves.
This makes a certain degree of sense: some heavy-handed controls really aren't appropriate for personal devices, and Apple, largely a hardware company, stands to gain sales by pushing direct sales to companies.
Here is the list of controls being removed from unsupervised (typically BYOD) devices across all Apple-compliant EMM/MDM vendors, since these restrictions are enforced by iOS itself rather than by the vendor's agent: restrictions on app installation and removal; FaceTime, Safari and iTunes access; explicit content limitations; iCloud documents and data management; multiplayer gaming use; and adding Game Center friends. Note: in some instances, particularly for macOS devices, other software to lock down devices can fill the gap.
Managing automatic software updates
One of the challenges IT departments have faced with iOS is that they cannot control the software update process. When a new version of iOS becomes available, users can download and install it immediately. This requires IT admins to be aware of any potential ways iOS upgrades could affect their environments. To date, IT's primary option for getting users to delay an update has been user engagement: alerting everyone to a potential problem (and hoping people listen and hold off).
Apple's move to make system updates happen automatically without any user action needed means even this tenuous option could go by the wayside. This auto-update tactic becomes a double-edged sword. It's good that security improvements will get out faster to more devices but IT admins may not get sufficient time to vet the updates before they're installed automatically.
Apple has actually recognized the issue and introduced the concept of Managed Software Updates, which allows IT departments to block updates for a period of time. The downside: the feature is limited to Supervised devices. Still, it is a major concession on Apple's part. It's also worth noting that this feature is available now to devices running iOS 11.3 or higher and will carry forward into iOS 12, which will be released this fall.
New controls for the latest security and privacy features
Apple typically provides new management options for some new features in iOS, macOS, and tvOS. This year is no exception. With Apple headlining privacy and security concerns in this year's upgrades, it's no surprise that its device management additions relate to how those features play in enterprise and education environments. They include:
- Enforcing automatic date and time on supervised devices;
- Requiring enhanced Smartcard access;
- Requiring OAuth for managed Exchange accounts;
- Restricting password autofill proximity sharing on supervised iOS and on macOS;
- Using commands to install public apps and tvOS updates on Apple TV;
- Allowing Approved Kernel Extension Loading (delivered in macOS High Sierra as well as Mojave);
- Enabling USB Restricted mode for iOS devices;
- Adding controls for how notifications are handled.
Apple also highlighted some of the changes it announced earlier this spring for iOS 11.3 and higher (including iOS 12).
- The ability to defer OS updates for Supervised devices (and to designate a specific OS version);
- More control over ratings in iOS and tvOS;
- Controls over pairing the Apple TV remote app;
- Limits on turning Bluetooth on or off.
There are two other changes Apple has rolled out that will allow IT to better manage macOS and iOS devices.
User-approved MDM enrollment for Macs. This process asks the Mac user to explicitly approve the MDM enrollment profile before the management server can use certain additional controls. It functions much like Supervision of iOS devices. In practice, Macs that were already deployed with management oversight before moving to 10.13.4 are automatically considered User Approved, as are DEP-enrolled Macs. Apple lists User Approved enrollment as a requirement for the ability to leverage Approved Kernel Extension Loading. Apple will likely expand what falls into this category over time, much as it has with iOS Supervision.
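As an added example tying together the Managed Software Updates deferral described earlier and the Approved Kernel Extension Loading that user-approved enrollment unlocks, the following Python builds both payloads into one configuration profile and then reads the serialized profile back to report what it will actually enforce. This is example code written for this article, not Apple's or any MDM vendor's. The payload types and keys are the ones in Apple's Configuration Profile Reference; the organization prefix, Team ID and kext bundle ID are placeholders.

```python
"""Construct a configuration profile that defers OS updates on supervised
devices and allow-lists kernel extensions on user-approved Macs.

Added example for this article; it is not Apple's or any MDM vendor's code.
The payload types and keys are the ones Apple documents in its Configuration
Profile Reference. The organization prefix, Team ID and kext bundle ID used
below are placeholders, not real vendors."""
import plistlib
import uuid

ORG = "com.example.mdm"  # placeholder reverse-DNS prefix for payload identifiers

RESTRICTIONS = "com.apple.applicationaccess"
KEXT_POLICY = "com.apple.syspolicy.kernel-extension-policy"


def _payload(payload_type, name, body):
    """Wrap payload-specific keys with the boilerplate every payload must carry."""
    payload = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG}.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
    }
    payload.update(body)
    return payload


def update_deferral_payload(delay_days=30):
    """Restrictions payload that hides a newly released OS from the user.

    forceDelayedSoftwareUpdates / enforcedSoftwareUpdateDelay work only on
    supervised devices (iOS 11.3 or later; Apple lists macOS 10.13.4 as well).
    Apple documents a range of 1 to 90 days with a default of 30, so reject
    anything else rather than shipping a profile the device will ignore.
    """
    if not 1 <= delay_days <= 90:
        raise ValueError("enforcedSoftwareUpdateDelay must be 1-90 days")
    return _payload(RESTRICTIONS, "Defer software updates", {
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateDelay": delay_days,
    })


def kext_policy_payload(team_wide=(), specific=None):
    """Approved Kernel Extension Loading payload.

    team_wide: Team IDs whose kexts are all allowed.
    specific:  {Team ID: [bundle IDs]} allowing only those kexts from that team.
    A team belongs in one list or the other; listing it team-wide makes its
    specific entry meaningless. The payload is only honoured on a Mac whose
    MDM enrollment is user approved or DEP-based.
    """
    specific = dict(specific or {})
    overlap = set(team_wide) & set(specific)
    if overlap:
        raise ValueError(f"Team IDs listed both team-wide and specifically: {sorted(overlap)}")
    return _payload(KEXT_POLICY, "Approved kernel extensions", {
        "AllowUserOverrides": False,  # users may not approve kexts outside this list
        "AllowedTeamIdentifiers": sorted(team_wide),
        "AllowedKernelExtensions": {team: sorted(ids) for team, ids in specific.items()},
    })


def build_profile(payloads, display_name="Managed updates and kext policy"):
    """Top-level profile carrying one or more payloads."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{ORG}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": ORG,
        "PayloadContent": list(payloads),
    }


def profile_xml(profile):
    """Serialize to the XML plist form a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def summarize_profile(data):
    """Parse a serialized profile and report what it actually enforces, so an
    admin can check the plist itself before the MDM pushes it."""
    prof = plistlib.loads(data)
    summary = {"update_delay_days": None, "team_ids": [], "kexts": {}}
    for p in prof["PayloadContent"]:
        if p["PayloadType"] == RESTRICTIONS and p.get("forceDelayedSoftwareUpdates"):
            # Apple applies 30 days when the delay key is omitted
            summary["update_delay_days"] = p.get("enforcedSoftwareUpdateDelay", 30)
        elif p["PayloadType"] == KEXT_POLICY:
            summary["team_ids"] = list(p.get("AllowedTeamIdentifiers", []))
            summary["kexts"] = dict(p.get("AllowedKernelExtensions", {}))
    return summary


if __name__ == "__main__":
    # Placeholder Team ID and bundle ID, constructed for the example.
    prof = build_profile([
        update_deferral_payload(45),
        kext_policy_payload(specific={"ABCDE12345": ["com.example.driver.kext"]}),
    ])
    data = profile_xml(prof)
    print(data.decode())
    print(summarize_profile(data))
```

The profile would still need to be signed and delivered through the MDM; the point of summarize_profile is that the device enforces what is in the plist, not what the management console's checkbox says, and that both payloads silently do nothing on a device that is not supervised (iOS) or user approved (macOS).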
Skipping setup assistant steps with DEP. The following panes in Setup Assistant can be pre-configured and skipped during a first use of a device, simplifying the user setup experience and potentially heading off support calls or other IT interactions: iMessage, FaceTime, Screen Time and Software Update.
A word about macOS Server
One thing that Apple hasn't provided is a true replacement for macOS Server. As I noted earlier this year, Apple has deprecated virtually all of its server platform features. Apple's suggestions for administrators are to use the open-source solutions on which the features were based to begin with, which can run on macOS; to use the equivalent services built into macOS itself (File Sharing, Content Caching and Time Machine backup destinations fall into this category); or to find alternatives. To date, several services can still run on macOS Server, but Apple plans to remove them in an update this fall. That gives organizations some additional time to consider options. (Apple lists open source and commercial software options in its notes about the future of the platform.)
For many organizations, the ideal solution will be to migrate to various cloud options rather than running services natively in their own networks. Given that small businesses make up a large percentage of macOS Server deployments, this could be challenging. But it does let them shift to a more streamlined and supportable set of cloud solutions as opposed to on-premises infrastructure.
It's worth noting that Apple will continue to support some key pieces of macOS Server. This includes Open Directory, Apple's LDAP-based central user/computer account management and authentication solution; Profile Manager, the web-based Mac and iOS management component; and Xsan, Apple's clustered file system for macOS.
All in all, Apple's changes to device management are incremental this year and focus on finessing the company's role in the business world. But there are significant enough changes that IT departments should use the next few months to test the coming changes within their environments, including getting some help from early adopters within their companies.