At its annual WorldWide Developers Conference (WWDC) earlier this month, Apple offered its first preview of iOS 11, which ships this fall and has tremendous potential for enterprise iPad and iPhone deployment. With major enhancements for the iPad Pro, Apple has finally delivered a tablet that can replace a laptop or desktop for the vast majority of users. As a result, iOS 11 will likely drive more adoption of the iPad in enterprise environments.
That new iOS comes with new management features, also highlighted at WWDC, that build on the enterprise features Apple introduced earlier this year in iOS 10.3. Although the public beta of iOS 11 arrived yesterday, meaning a lot of early-bird adopters have it already, I'll focus here on what's coming officially this fall.
DEP for everyone
One of the biggest coming changes involves the enrollment, configuration, and deployment of organization-owned devices using Apple's Device Enrollment Program (DEP). Previously, only devices purchased directly from Apple or certain authrorized resellers could be configured and managed with DEP, which allows for zero-touch configuration. Apple now allows DEP management to be applied to any device, regardless of purchase. This is huge news for organizations that have devices purchased elsewhere or who use other resellers for their technology purchases.
Note: DEP can permanently link a device to an organization. To address accidental enrollment of a device, DEP supports a 30-day provisional period for enrollent, meaning the device can be dropped from the list if need be.
DEP is designed only for organization-owned devices that will be heavily managed as Supervised devices, which means that there's an expanded series of management options available for use with them. (That program is not designed for BYOD or mixed-use devices.) These tend to be used in situations where security is key; safe restrictions are needed; or pre-configuration is important. It's also designed for shared devices, where multiple people might use the same device, and for kiosk-like situations. Supervision (aka Supervised devices) is an expanded device management option that Apple provides for devices owned by an organization -- not BYOD or mixed work/personal devices.
Pushing out iOS updates
For Supervised devices, it's now possible to push out updates automatically -- even if the device is locked. That option was already available, but it required the device to be unlocked. This ensures that devices receive critical updates, particularly those with security updates and changes.
It would still be nice to have more control over updates, however, because users can still intiate updates on their own -- with or without IT testing or guidence. That control would prevent employees from launching an update before a company is ready, potentially avoiding post-update problems.
Conserving bandwidth
iOS 10.3 introduced the ability use a Mac to manage updates and conserve Wi-Fi resources by caching updates and other content and then pushing it to USB-connected devices. iOS actions using this feature also route all network connections to a Mac's ethernet connection. iOS 11 builds on this by allowing device management comands to only execute if they have a wired connection. (This applies to Macs as well as iOS devices). Although many commands won't generate a large network load, some updates can.
VPN configuration
iOS 10.3 added the ability to whitelist only specific wireless networks that devices could connect (a Supervision-only feature). There are now similar controls for VPNs.
Education and Apple School Manager
Apple also updated the Apple School Manager app used to configure K-12 school deployments. The biggest changes include deeper integration with Apple's Volume Purchase Program for buying apps and ebooks in bulk and more streamlined license management. Apple School Manager also got a facelift and additional management capabilities.
Apple TV grows up
In addition to working with iOS, device enrollment, deployment and management now extends to tvOS. Apple began building this out in iOS 10.3 but has refined it with additional management of the tvOS experience. The specific controls include installed tvOS apps, the home screen layout and content ratings.
Supervised mode gets all the love
Apple has been making most of the new iOS management capabilities available only to supervised devices, which means that BYOD and mixed devices have less management capabilities than dedicated company-owned phones and tablets. In addition to that trend, the company is now planning to make several existing features Supervised only.
Previously, Apple had been mum on when these features would shift away from BYOD and mixed-use devices. Now we know: the company has announced that will happen next year. The management features being shifted to Supervised-only include restrictions on app installation, app removal, FaceTime, Safari, iTunes, explicit content, iCloud documents and data, multiplayer gaming and adding GameCenter friends.
All of these changes mean organizations that have implemented these features on non-Supervised devices need to reconsider their management options and even policies such as acceptable use. It also means that IT admins should plan a program of user education around the policies that were previously enforced, particularly those involving security.
Prepping for iOS 11
Since Apple doesn't allow IT to block users from updating iOS on their devices, its imperative to be prepared to support iOS 11 the day it's released. That means joining Apple's Developer Program (if your organization hasn't already), downloading and testing each developer beta build, which follow a different cadence than the public beta. For more information on device management, check out the video of the What's New in Device Configuration, Deployment, and Management session from WWDC and Apple's resource guides.