Every year in June, Apple admins hold their breath for the annual release of macOS and iOS. WWDC is a week of amazing sessions that define the coming year, announce new features, and preview technologies that will be at the core of managing Apple’s platform inside your organization. Sure, there are new features for iMessage, new emojis, a new way to share a watch party with your friends, and a way to control your iPad with your Mac, and those are incredible things.
This year, though, the future is now.
Apple admins have a lot to look forward to with the fall release of macOS 12 Monterey and iOS 15. From new management features like Erase All Contents & Settings in macOS, to a whole new extension of the MDM protocol called Declarative Management for iOS, and a brand new User Enrollment flow for Bring Your Own Device (BYOD) workplaces, there’s a lot to like in the haul out of Cupertino so far. Let’s break it down by platform, in terms of what Apple admins should be looking forward to.
macOS 12 Monterey
One of the most time-consuming tasks that admins face is the return-to-service workflow: taking a computer from one user, cleaning it up, and getting it back in action for its next person. On an Intel Mac, that could take 45-60 minutes using the `--eraseinstall` flag on the macOS Installer remotely, or about as long hands-on using a fast internet connection and RecoveryOS.
What if it took 5 minutes, instead?
That’s the promise of Erase All Contents & Settings, a new feature of macOS Monterey. For Macs with T2 or M1 chips, admins will have the ability, via an MDM command or an on-device process, to wipe out the user data and applications on a Mac and start fresh. Currently in beta 1, this process clocks in at 5 minutes before you’re returned to the Setup Assistant, ready to start again.
This is the quality of life update that Apple admins needed to help fix a major problem in their admin flows. But that wasn’t Apple’s only fix. The macOS software update mechanism has been a source of headaches for Mac admins since 10.15.4 released a few changes to the behaviors around authenticated restarts, which led to decreased adoption of new point releases. The complexity of the new volume owner structure in Apple silicon-based Macs has also contributed to admin frustration in this regard.
In macOS Monterey, there is a new set of MDM commands and profile settings that should help admins out of a pickle. In previous releases, you were given just a few options to help keep your fleet up to date: you could issue a blanket delay on updates for a period of time to allow for testing, and you could lift that delay. If you wanted your users to update, you had to ask them, beg them, and cajole them to do it. You could use the MDM command to InstallASAP, but the result is lost work and angry coworkers.
As a result, macOS Monterey brings some welcome changes: you will be able to set the number of deferrals a user can use to push back their own update, and then enforce the update once those deferrals are exhausted. Because Apple uses InstallLater to do this, the machine will update at night, silently and automatically, while your coworkers are away from their work machines. Make sure to give your coworkers enough time to plan for updates during busy periods, but not so much time that they defer long enough to get hit with a zero-day attack.
Provisional Enrollment Comes to macOS
Since iOS 11, Apple has supported the ability for Apple admins to provisionally enroll any iOS device, regardless of purchase method, into Apple Business Manager and associated Automated Device Enrollment workflows for an organization. It allows admins to take a device that was purchased through non-standard methods and apply standard controls going forward. What was missing was a way to do this for Mac devices. Any Mac not purchased through proper channels was left on an island, and this was highly inconvenient for Apple admins.
This week, Apple announced a new version of its Apple Configurator app for iPhones running iOS 15, demonstrated in its session on managing devices with Apple Configurator. This new application will allow an admin signed into Apple Business Manager with Device Manager permissions to enroll any T2 or M1 Mac at the Setup Assistant. The Configurator app will allow an admin to apply Wi-Fi profiles, including networks that use Enterprise Authentication, to the device at the login screen, and bind it to their Apple Business Manager account.
This new enrollment tool provides a provisional enrollment for the macOS device, which an admin can remove on the device for up to 30 days in order to prevent abuse. If the enrollment remains at the end of those 30 days, the device is bound to Apple Business Manager going forward, and all future enrollments will conduct a standard Automated Device Enrollment. This new application will go live in the App Store this fall, and admins can test it via TestFlight, or by downloading it from AppleSeed for IT later in the beta cycle.
iOS 15 and Declarative Management
Coming new to iOS 15 is the concept of Declarative Management for User Enrollment. Apple’s MDM protocol has been reactive, meaning that devices react to commands driven by the MDM solution provider. Devices receive commands and impose policies, but have no concept of the complete desired state of the device. This means that missed commands and policies have no way of being brought back into the fold except through periodic refreshes. For large numbers of devices, this can be a very compute-intensive process for your MDM, and it shouldn’t have to be that way.
As such, Apple has declared that “the future of device management is declarative management”. Declarative management allows Apple devices to be provided a desired state, conditions around that state, and dependencies that ensure all the pieces referenced by a declaration are in place before they are activated on the device. This means you could specify a series of accounts, credentials, certificates and policies, and only when all of that data is present is the device considered ready to activate those accounts and turn everything on for the end user.
Declarative Management is limited to iOS User Enrollment in iOS 15, but expect this to make its way to other platforms and enrollment types in the future. There is much to like about this new declared state management, allowing MDM servers to describe the correct configuration to the device, and letting the device handle the implementation. There are some technical implementation details that will allow service providers to offload content details to content delivery networks well-suited to manage large numbers of clients checking in for data heavy resources without having to talk to the policy server directly.
This new model addresses MDM administrators’ complaints about lacking a full picture of what management should apply to a device. It also lets admins “pre-load” new restrictions for a future OS version before that OS ships commercially, preparing field devices without having to detect on-device upgrades and re-issue profiles. Admins could pre-deliver configurations gated behind a predicate for that version, so the device doesn’t attempt to install a restriction the current OS won’t interpret and would ignore.
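To make the activation rule concrete, here is a small added model of it, not Apple’s protocol code or schema: configurations and activations are plain declarations, an activation only goes live once every configuration it references has been delivered and its predicate holds, and an unmet version predicate keeps a pre-loaded restriction dormant. The key names, predicate grammar and `com.example.*` identifiers are assumptions chosen for the illustration.

```python
# Added toy model of the activation rule described above; not Apple's protocol code.
# Key names, the predicate grammar and the identifiers are assumptions for illustration.
from dataclasses import dataclass, field

@dataclass
class Declaration:
    identifier: str
    kind: str                           # "configuration" or "activation"
    payload: dict = field(default_factory=dict)

def _version(text):
    return tuple(int(part) for part in text.split("."))

def predicate_holds(predicate, status):
    """Evaluate 'key >= 1.2' or 'key == 1.2' against device status (assumed toy grammar).
    An absent status key evaluates false, so a gated activation stays dormant."""
    if predicate is None:
        return True
    key, op, value = predicate.split(" ", 2)
    if key not in status:
        return False
    have, want = _version(status[key]), _version(value)
    return have >= want if op == ">=" else have == want

def active_configurations(declarations, status):
    """Configurations the device should switch on, under the all-or-nothing rule:
    an activation goes live only when every configuration it references has been
    delivered and its predicate holds; otherwise the whole set keeps waiting."""
    present = {d.identifier for d in declarations if d.kind == "configuration"}
    active = set()
    for act in (d for d in declarations if d.kind == "activation"):
        wanted = act.payload.get("StandardConfigurations", [])
        if set(wanted) <= present and predicate_holds(act.payload.get("Predicate"), status):
            active.update(wanted)
    return active

# Constructed sample: a mail account that depends on an identity certificate, plus a
# restriction pre-loaded for a future OS release and gated behind a version predicate.
SAMPLE = [
    Declaration("com.example.cert.identity", "configuration"),
    Declaration("com.example.account.mail", "configuration"),
    Declaration("com.example.restriction.future", "configuration"),
    Declaration("com.example.activation.work", "activation",
                {"StandardConfigurations": ["com.example.cert.identity",
                                            "com.example.account.mail"]}),
    Declaration("com.example.activation.future", "activation",
                {"StandardConfigurations": ["com.example.restriction.future"],
                 "Predicate": "device.os.version >= 16.0"}),
]
```

Running `active_configurations(SAMPLE, {"device.os.version": "15.0"})` yields only the mail account and certificate; the future restriction joins once the reported version satisfies the predicate, and dropping the certificate declaration holds the mail account back as well.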
iOS 15 and New User Enrollment
In addition to Declarative Management, Apple has announced a new version of User Enrollment for iOS 15. Much like the previous version, you need a Managed Apple ID provided and owned by your business. You also get a separate cryptographic container on your iOS device to keep your work data apart from your personal data, and your admin can only control that small piece of your device. In the new version, though, before the user can request their enrollment profile, you can require authentication against an onboard MDM service, or against your IdP, and only then let them download their MDM Enrollment profile. At that point, they have to sign in with their Managed Apple ID.
This new method of requiring authentication can also be set to periodically require the user to authenticate again in order to prove they are still a valid user that’s part of the organization. Should a periodic check fail, the enrollment could be removed by the MDM, along with any managed applications and data sources, or just a few key profiles could be removed until the user re-authenticates successfully.
The Future Begins Now
For years, Apple admins have been looking forward to a time when they could declare stateful management on devices, and that begins with User Enrollments in iOS 15. In addition, macOS Monterey brings needed improvements to software update management and return-to-service workflows for Apple admins. And that’s all before we get to major improvements in Apple Maps, collaborative technologies like SharePlay and Universal Control and the new Focus modes that are present in macOS Monterey and iOS 15.
The beta cycle for Apple operating systems gives Apple admins a chance to review their current workflows to make sure they match expectations, as well as give admins a chance to test new features and find new ways of working with cool new innovations inside Apple’s products. This is a great time to evaluate what you’re doing in your organization for usability, functionality and fit, and provide Apple feedback for what would make this work even better for your organization. Admins should take advantage of the AppleSeed program for IT in order to get the betas on testing devices inside their fleets, and begin to check out the future for themselves.
The future begins now. Let’s get a head start on it, together.
JumpCloud’s Vision for Enterprise Mac Management
As a comprehensive IT management solution, JumpCloud is committed to aligning our work with Apple’s device management best practices. Apple’s APIs were used to build our MDM feature before Big Sur required it, and admins using our platform can rest assured that their Mac management solution will continue to stay up to date with Apple’s new releases. Additionally, our MDM functionality is completely free for 10 devices or fewer, which makes it a highly accessible option for startups.
A major theme we saw come out of WWDC this year was the simplification of onboarding, enrollment, and Apple device lifecycle management. The JumpCloud Directory Platform takes this a step further by unifying identity and device management, which allows admins to simplify their onboarding workflows even further with comprehensive user management and control over access to virtually every IT resource. This enables fully remote, Zero-Touch deployment and management of Apple devices for a distributed workforce.
All of us Apple lovers know that the presence of Macs in the workplace is ever-increasing. As a system-agnostic solution, JumpCloud allows for the seamless integration of traditional Windows device management with both Mac and Linux machines. Admins using JumpCloud get to remotely manage their heterogeneous environments from a single consolidated admin console. To learn more about managing Macs specifically within a JumpCloud-driven IT environment, check out our guide: How to Secure & Manage macOS Devices Remotely with an MDM.