The following article is associated with a JumpCloud webinar on Monterey, the newest macOS. The presentation features Tom Bridge, Principal Product Manager for Apple Technologies at JumpCloud, and Bradley Chambers, Digital Marketing Manager at Cribl, and is hosted by Pam Lefkowitz, IT Columnist at JumpCloud. Watch the full webinar recording here.
If you’re an IT admin that manages Mac devices as part of your job, you likely spent the summer keeping a close eye on Monterey, the latest and greatest macOS update. Now that the weather is turning cooler here in the United States, and the beta testing period for Monterey is officially over, it’s time to update your devices (if you’re ready, of course).
While the thought of preparing for a massive macOS update may feel a little cringey, we’re here to help — and there’s a lot of new features in Monterey that are worth the effort to do so.
JumpCloud IT Columnist Pam Lefkowitz recently sat down with JumpCloud’s Principal Product Manager for Apple Technologies, Tom Bridge, and Cribl Digital Marketing Manager, Bradley Chambers, to discuss Monterey’s new features, and what they mean for IT admins.
Increased Pluggable Authentication Module (PAM) Security
To keep up with hackers’ ever-increasing skill sets, macOS Monterey comes with increased security changes, specifically around PAM.
“The biggest change [with Monterey] in security is that Apple expanded the gatekeeper modules and expanded the ability to touch individual files on the system across a couple of different platforms,” said Bridge.
With Monterey, the /etc/PAM.D folder has been added to the protected area of the OS, where you need a privacy control policy to make any changes.
“For example, If you’ve ever set your Mac touch bar to use your touch ID credential as part of pseudo privileges, you’ve messed around in /etc/PAM.D,” explained Bridge. “Now, Apple wants to make sure that anything that has changed in those folders is user-approved.”
How to Handle It
Including PAM in this version of macOS’s protected area can help you tighten up your enterprise’s security policy. But you have to make sure that whatever business apps you use on your Mac devices are permissioned to operate within protected areas in the new iOS too.
If you’re a JumpCloud user, you’re in luck. “At JumpCloud, we ensured our platform has permissions to operate within Monterey’s new protected areas. If you’re currently using JumpCloud for mobile device management (MDM), you don’t have to do anything — you’ve already been granted those permissions,” said Bridge.
If, however, you’re using a different directory platform, or you’re combining JumpCloud with
Jamf, Mosyle, MobileIron, or WorkSpace ONE, you’ll need to make sure you update your privacy control policies to include permissions for Monterey protected areas. We’ve written an article to walk you through this process: “Granting Permissions for Monterey Pluggable Authentication Modules (PAM).”
Chambers’ best advice for coping with the new security changes? Prevention. “We knew these changes were coming, that’s what the summer beta period is for,” he said. “Going forward, this approved way is really the only way to manage Apple devices, so next summer, pay attention to security updates and be proactive about testing solutions in advance.”
The Ability to Stop Users from Delaying Software Updates
Every IT admin has dealt with the one user who continually refuses OS updates, and until Monterey, there was no way to require them to be installed on users’ computers.
“At a previous organization, we had a user who was running a three-and-a-half-year-old macOS version, which means she had been clicking ‘install later’ for over 1,000 days,” said Bridge.
Now, with Monterey, you can use an MDM command to specify the number of times a user is able to defer an update. Once they’ve run out of deferrals, they get a prompt that asks them to enter their password and connect to a power source, and the update starts automatically.
This update isn’t as aggressive as Bridge was hoping. “There’s still circumstances that will prevent an update from being installed, so you’ll still have to encourage adoption to a certain extent,” he said.
How to Handle It
Use Monterey’s new prompts to pressure users into updating sooner rather than later. While excuses for not updating regularly are many, Chambers suggests it’s not so much about not wanting a new OS as it is about not wanting to have to stop work to install and restart. But IT admins know that running the latest version of OS is critical for security.
To make OS updates a little more painless, use an MDM to approve authenticated restarts, so users can schedule the update at the end of the day (“install later”), leave work, and when they return in the morning, their system is updated and ready to go with minimal downtime.
New “Erase All Contents and Settings” Feature
“With this update, [resetting a computer for a new user] takes 60 to 120 seconds. Seconds, not minutes. It turns a 60-minute task into about a three-minute task.”Tom Bridge, Principal Product Manager for Apple Technologies at JumpCloud
Monterey comes with a new content erasing option that could solve a huge headache for remote workforces, when IT admins have to commission and decommission machines deployed through zero-touch.
Instead of having to try to walk the user through how to securely erase the machine before they ship it back, now you can erase the device and all the user and company data without having to reinstall the operating system.
“If you are trying to turn a machine around for a new user, that used to require a whole lengthy wipe and reinstalling the operating system, which takes 45 to 60 minutes on average,” Bridge said. “With this update, that process takes 60 to 120 seconds. Seconds, not minutes. It turns a 60-minute task into about a three-minute task.”
How to Handle It
Rejoice! Managing device data for a remote workforce just got easier than ever before. This setting has both Bridge and Chambers’ vote for the most exciting update Monterey offers.
“This is the feature that admins have been asking for for a decade,” said Bridge. “And ever since it came to the iPhone, the ability to rapidly reprovision a Mac and get it ready for the next person is nothing short of astonishing.”
Chambers agreed. “I think this is my favorite part of MacOS Monterey. And I think it’s fundamentally something that’s going to impact the most IT professionals after this release.”
The Introduction of Apple Configurator for iOS
For the first time, Monterey introduces Apple Configurator for iOS. Apple admins now have the ability to use an iPhone to add devices to Apple Business Manager that have been purchased outside of the business’s standard purchasing relationships.
A fleet manager with an iPhone equipped with Apple Business Manager can use the Configurator app to pair the phone and computer over Bluetooth. The phone can then prompt the computer to become an Apple Business Manager device.
“This update makes it easy for organizations to add to their fleets for automated device enrollment, and gives enterprises the ability to purchase pre-owned Macs and enroll them in Apple Business Manager,” said Bridge.
How to Handle It
Using a configurator for a new Macbook does require an iOS phone. It doesn’t work Mac to Mac, or Mac to iPad. It also requires an account that has device manager permissions in Apple Business Manager, and it uses a managed Apple ID.
“There are also limitations on what kind of Macs can be joined to Apple Business Manager,” said Bridge. “It needs a T2 or Apple Silicon security chip (machines from 2016 and later) in order to complete the enrollment process.”
New “Focus” Modes
“Do not disturb” (DND) used to be Apple’s only quiet-hours mode. Monterey changes that, offering configurable modes where you can filter which notifications you receive and which you don’t. And if you’re signed into both your computer and your phone with the same Apple ID, your chosen focus mode will carry throughout your devices.
“If you put ‘do not disturb’ on your iPhone, or put it into work mode or productivity mode, those focus settings will apply to your Mac workstation as well as your iOS workstation. It’s one trigger across all your devices, and that’s exciting,” Bridge said.
Monterey’s Focus Mode lets you specify exactly which notifications can get through, like leaving notifications on for work apps but silencing personal text messages. You can also set it to turn on when you arrive at certain places, or begin using a certain application.
“I love that I can ‘set it and forget it,’” said Lefkowitz. “I love the ability to configure who I receive notifications from or silence apps that annoy me. The specification between app or person, the granularity is beautiful.”
Chambers agrees. “[The mode] actually helps you focus, because even if you are in focus mode, you’re not worrying that you’re missing important information from key people because they can be configured to get through,” said Chambers.
How to Handle It
Configure a custom focus mode where you mute certain apps and notifications, only allowing push notifications from specific platforms or people. You may have to tweak the settings a little over time, but once you’ve set the right DND and allowances, the investment will pay off. For step-by-step directions on setting up Focus Mode, check out AppleInsider’s tutorial.
Note: Focus Mode is an ongoing update. “[Whether or not Apple continues developing Focus Mode] depends on how many people actually use it, because Apple keeps really tight control over how many people are using their newly deployed features, and they make resource decisions based on that info,” said Bridge. “So if you’re a fan of this feature, use it. It may not do everything you need it to do today, but it shows Apple that you’ve got a commitment to making it right for the long term.”
Right now, if you set up your iPad next to your Mac, they’re two separate devices with no common way of sending data back and forth. With Monterey’s new universal control feature, you can edit a podcast on your iPad and then just drag and drop the file directly to your Mac, and continue editing.
“For all of the folks out there who are living and dying between multiple devices, universal control will be a way for you to control all devices seamlessly with a single keyboard and mouse,” Bridge said. “Your mouse cursor can just slide off the left-hand side of your Mac and end up on the right side of your iPad, even if your iPad doesn’t have a touch cursor attached to it.”
How to Handle It
For now, just be patient, because this feature isn’t ready for the spotlight quite yet. Universal control is a later version release. It’ll be out in 15.1 for iOS and 12.1 for macOS.
But Wait…There’s More
At JumpCloud, we know firsthand the headache new OS updates can cause in an enterprise organization. But the new updates and functionalities macOS Monterey brings are worth the time and energy it takes to prepare and help roll them out.
While we highlighted six of the biggest updates in this article, there’s way more macOS Monterey can do for you — and your organization. To learn about new shortcuts and privacy settings, live text, “hide my email,” and more, check out the full webinar here.