Once again, Apple virtualized its Worldwide Developer Conference (WWDC) and announced the fall release of iOS/iPadOS 15, macOS Monterey (12.0), and tvOS 15. This document will be your guide to all of the updates and any preparations to make for your organization's Workspace ONE environment.
The anticipated release timeline for these updates is likely similar to past years. This means it is reasonable to expect a mid to late September release for iOS/iPadOS 15 and tvOS 15, with macOS Monterey following shortly after in late September or early October.
All of Apple's WWDC sessions on these topics are available on the Apple developer website, and anyone with a valid Managed Apple ID can access AppleSeed for IT, which contains testing instructions and release notes for all new operating systems.
Declarative device management (DDM) will be the new way to deploy and manage Apple devices going forward. Starting with the fall 2021 OS releases, devices can be managed using the existing "imperative" management model or the new "declarative" management model. DDM will contain several improvements to the current management process.
It is important to note that DDM will only be available for User Enrolled devices in iOS 15 and macOS Monterey, but this will likely be expanded to other ownership modes in the future.
There will also be a dedicated Declarative Device Management knowledge base page that will be the hub for all dates, discoveries, and announcements that extend past the Fall 2021 releases. We will update this page with the link when it is available.
Through its declarative nature, DDM allows the on-device MDM client to perform asynchronous actions to apply settings, install resources, and report status to the MDM server (Workspace ONE UEM). This is different from the current management model, where all actions and settings are driven by Workspace ONE UEM issuing commands during a device check-in.
All settings, apps, restrictions, updates, samples, and other MDM objects will still be admin-created and "assigned" to Apple devices. However, Workspace ONE UEM will no longer be required to perform a set of ordered commands to achieve the desired result. This reduces the number of required commands, improving performance and reliability.
DDM will contain a few new objects that will allow admins to take advantage of the new protocol's behavior. Those new components are declarations, statuses, and extensibility. While Apple's developer session and VMware's EUC blog post will contain more information on these details, below is a summary of these objects and their correlation to MDM.
See the below example for installing an application.
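The page's own app-install illustration is not reproduced here. Instead, as an added example (not Workspace ONE UEM or Apple code), the following models the mechanism underneath it: the device diffs the server's manifest of declaration identifiers and server tokens against what it already holds, fetches only what changed, and pushes status reports itself. The manifest shape is modelled on the DDM protocol, but every field name is an assumption made for illustration, and the sample manifests are constructed.

```python
"""Model of one declarative device management (DDM) sync round.

Added example; this is not Workspace ONE UEM or Apple code. The manifest shape
(declaration identifiers paired with server tokens) is modelled on the DDM
protocol, but every field name below is an assumption made for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Declaration:
    identifier: str    # stable name, e.g. "passcode-policy"
    server_token: str  # opaque value the server changes whenever the content changes
    payload: dict


@dataclass
class DeviceState:
    applied: dict = field(default_factory=dict)  # identifier -> server_token in effect


def plan_sync(manifest: list, state: DeviceState) -> tuple:
    """Diff the server manifest against the device: fetch new/changed tokens, drop the rest."""
    # Unchanged declarations cost nothing, which is where the savings over a
    # per-check-in stream of imperative commands come from.
    wanted = {d.identifier: d.server_token for d in manifest}
    to_fetch = [i for i, tok in wanted.items() if state.applied.get(i) != tok]
    to_remove = [i for i in state.applied if i not in wanted]
    return to_fetch, to_remove


def run_sync(manifest: list, state: DeviceState) -> list:
    """Apply the plan and return the status reports the device would push asynchronously."""
    to_fetch, to_remove = plan_sync(manifest, state)
    by_id = {d.identifier: d for d in manifest}
    reports = []
    for ident in to_remove:
        del state.applied[ident]
        reports.append({"identifier": ident, "active": False})
    for ident in to_fetch:
        state.applied[ident] = by_id[ident].server_token
        reports.append({"identifier": ident, "active": True,
                        "server_token": by_id[ident].server_token})
    return reports


# Constructed sample: two declarations, then a manifest where one was edited and one dropped.
MANIFEST_V1 = [Declaration("passcode-policy", "tok-a1", {"MinimumLength": 6}),
               Declaration("wifi-corp", "tok-b1", {"SSID": "corp"})]
MANIFEST_V2 = [Declaration("passcode-policy", "tok-a2", {"MinimumLength": 8})]
```

Running `run_sync(MANIFEST_V1, state)` twice in a row yields an empty report list the second time, which is the behaviour the imperative model cannot offer: a device whose assignments have not changed sends and receives nothing.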
The most important detail of DDM is that it is not replacing the current management model. Both the existing, "imperative" model and DDM are built on the same MDM framework, and both will continue to be supported by both Apple and Workspace ONE for the foreseeable future. Enrolled devices will not need to be re-enrolled to continue using their current management, and all existing management functionality will remain unchanged.
There should be zero impact to any currently enrolled devices or new iOS 15 or macOS Monterey enrollments. Existing apps, profiles, updates, and other management objects will continue to function normally.
The Workspace ONE team is hard at work exploring and implementing the new DDM APIs in Workspace ONE UEM. This will likely be a multi-phase project taking place over many months of effort. Any released functionality will be made available first on our SaaS UAT tenants and published in our release notes and the dedicated DDM knowledge base.
In their Improve MDM assignment of Apps and Books session, Apple announced a new set of APIs to allow MDM providers to deploy apps and books in a more efficient and scalable manner. Similar to declarative management, we encourage those interested in learning more to watch the session on Apple's developer site.
These new APIs remove the need for Workspace ONE UEM to directly manage license IDs and register users/devices with multiple requests. The new set of endpoints is centralized around real-time notifications for state changes of assets (apps & books), assignments, and registered users.
Today, Workspace ONE UEM is required to constantly request any new license data from Apple's system and update our records. With the new real-time notifications, Workspace ONE UEM is able to subscribe to various events and react to their success or failure more intelligently. If an app or book's licenses are purchased, transferred or deleted, Apple's system will notify Workspace ONE UEM that this change occurred. This removes any need to query for these changes on a scheduled cadence which improves accuracy and performance of the overall system.
When associating licenses with devices or users, the process can fail or take several seconds to minutes to complete. This time is compounded when more than one license is associated with one or more devices or users, which leads to delays or failures when installing apps, or to ad hoc workarounds to avoid the error. With real-time notifications, Workspace ONE UEM is notified when a license association succeeds. This means app or book installations only take place once the association is successful, thus reducing errors and unexpected delays.
The currently available APIs will remain functional for the foreseeable future so there should be no impact to existing or new deployments.
The Workspace ONE team is hard at work digesting and integrating the newly available APIs. Any changes made as part of this integration should not require admin action or cause any loss of functionality.
User Enrollment was released in iOS 13 for BYOD devices to separate personal and work data on Apple devices using an enterprise identity called a Managed Apple ID. This process was driven by the MDM server sending an MDM profile to the device containing the Managed Apple ID of the user. The presence of this ID instructed the device to conduct a User Enrollment as opposed to the typical Device Enrollment.
With iOS 15 and iPadOS 15, Apple has added a new location for VPN and MDM configurations in Settings > General > VPN & Device Management. User Enrollment can be initiated on this page with the new "Sign In to Work or School Account" option. When the user enters their Managed Apple ID, the OS takes the domain portion of the ID and derives a URL to kick off the enrollment process. For example, if the user entered firstname.lastname@example.org, the device would reach out to a worldwideenterprises.com discovery server that would direct the device to its MDM server.
Check out more specifics on this in Apple's WWDC 2021 session.
Any devices already user enrolled will continue to function as normal with no admin interaction.
Yes. The previous method of User Enrollment will remain unchanged and can continue to be leveraged.
From a management perspective, there are no major differences between devices enrolled with either method once the device is enrolled. The only difference observed is the opportunity for ongoing authentication if the device is enrolled using the new account-driven approach. This method allows the MDM server to check for authentication and re-authenticate whenever needed, for added security.
The Workspace ONE team is actively working to support the latest changes in User Enrollment in our SaaS UAT tenants. Per Apple's announcement, it appears a discovery server for each Managed Apple ID domain is required. This likely means that each organization will need to host a discovery server of their own to direct devices to their Workspace ONE enrollment server.
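The domain-to-discovery-server step described above, as an added example that is not Apple's or Workspace ONE's code: one function derives the discovery URL from the Managed Apple ID, and another parses the discovery response and accepts only an HTTPS enrollment server. The well-known path, the `user-identifier` query parameter and the `Servers`/`Version`/`BaseURL` JSON shape are modelled on Apple's published discovery flow but should be treated as assumptions here; the sample response is constructed.

```python
"""Account-driven User Enrollment discovery, modelled on the flow described above.

Added example; this is not Apple's or Workspace ONE's code. The well-known path,
the user-identifier query parameter and the JSON shape of the discovery response
are modelled on Apple's published discovery flow; treat them as assumptions here.
The sample response is constructed.
"""
import json
from urllib.parse import quote, urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"


def discovery_url(managed_apple_id: str) -> str:
    """Derive the discovery URL from the domain part of the Managed Apple ID."""
    local, sep, domain = managed_apple_id.rpartition("@")
    # The domain is user-typed input that becomes a hostname, so reject anything
    # that could smuggle in a path, query, port or whitespace.
    if not sep or not local or not domain or any(c in domain for c in "/?#@: "):
        raise ValueError("not a well-formed Managed Apple ID")
    return (f"https://{domain.lower()}{WELL_KNOWN_PATH}"
            f"?user-identifier={quote(managed_apple_id, safe='')}")


def select_enrollment_server(body: str, wanted_version: str = "mdm-byod") -> str:
    """Pick the enrollment BaseURL for the wanted flavour, refusing anything not HTTPS."""
    for entry in json.loads(body).get("Servers", []):
        if entry.get("Version") != wanted_version:
            continue
        base = entry.get("BaseURL", "")
        parts = urlparse(base)
        if parts.scheme != "https" or not parts.netloc:
            raise ValueError(f"refusing non-HTTPS enrollment server: {base!r}")
        return base
    raise LookupError(f"discovery response advertises no {wanted_version} server")


# Constructed sample of what an organisation's own discovery server could return.
SAMPLE_RESPONSE = json.dumps({"Servers": [
    {"Version": "mdm-byod", "BaseURL": "https://mdm.worldwideenterprises.com/enroll"}]})
```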
There were several updates for iOS/iPadOS 15 specifically. They are detailed below.
In iOS 15, Workspace ONE has the option to declare a single application in the MDM profile as "required". This allows the declared app to always install silently as if the device were supervised. Any other app will continue to prompt the user to confirm the installation. Supervised devices will still suppress installation prompts for all applications and thus do not benefit from this capability.
The default application for this setting will be the Intelligent Hub app starting in a future release of Workspace ONE UEM. This means any device enrolling after this release and assigned the Intelligent Hub will silently install the Intelligent Hub instead of prompting the user.
| Category | Setting | Description | Apple docs |
|---|---|---|---|
| Restriction | Require managed pasteboard | If true, copy and paste functionality respects the managed open-in restrictions. | Link |
| Restriction | Force on-device-only translation | If true, the device won't connect to Siri servers for the purposes of translation. Available in iOS 15 and later. | Link |
| Restriction | Force on-device-only dictation | If true, disables connections to Siri servers for the purposes of dictation. Available in iOS 14.5 and later. | Link |
| Restriction | Allow unpaired external boot to recovery | If true, allows devices to be booted into recovery by an unpaired device. Requires a supervised device. Available in iOS 14.5 and later. | Link |
| Restriction | Allow Near-field communication (NFC) | Users can't use built-in NFC hardware in compatible devices running iOS 14.2 or later. | Link |
| Restriction | Allow auto unlock | With watchOS 7.4, users can't use their Apple Watch to unlock their paired iPhone running iOS 14.5. Available in iOS 14.5 or later. | Link |
| Setup Assistant | Skip unlock with Apple Watch | This skips the screen related to unlocking the device with the Apple Watch. | Link |
| Setup Assistant | Skip Accessibility | This skips the screen related to Accessibility. | Link |
| Certificate Revocation | Certificate revocation | Use the Certificate Revocation payload to revoke certificates on an iPhone or iPad. For example, an MDM administrator can create a list of certificates for revocation. Specifying a certificate authority (CA) enables revocation checking for all certificates chaining up to that CA. Available for iOS 14.2 and later. | Link |
| TV Remote | TV Device Name | Admins can provide a list of Apple TV device names to be used in the Remote widget. Available for iOS 15 and later. | Link |
| Software update settings | Recommendation cadence | Admins can give users the option to update to iOS 15 or iPadOS 15 (the next major version), or to continue updating to newer versions of iOS 14 and iPadOS 14 even after iOS 15 and iPadOS 15 are released. Values: 2 shows the update path for the operating system with the highest version number; 1 shows the software update with the lower version number, if available; 0 shows both options (the default). | |
| Shared device settings | Temporary session only | If true, the user only sees the Guest Welcome pane and can only log in as a guest user. If false, the user can sign in with a Managed Apple ID (the existing behavior). Available in iOS 14.5 and later; must be applied before users log in to the device. | Link |
| Shared device settings | Temporary session timeout | The timeout, in seconds, for the temporary session. The temporary session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout. Available in iOS 14.5 and later; must be applied before users log in to the device. | Link |
| Shared device settings | User session timeout | The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout. Available in iOS 14.5 and later; must be applied before users log in to the device. | Link |
There were several updates for macOS Monterey 12.0 specifically.
| Category | Setting / Command | Description | Apple docs |
|---|---|---|---|
| Restriction | Enforce a major macOS software update delay | Defer major macOS updates, such as macOS 12, for a period of time. | Link |
| Restriction | Enforce a minor macOS software update delay | Defer minor macOS updates, such as macOS 11.5, for a period of time. | Link |
| Restriction | Enforce a non-macOS software update delay | Defer non-macOS software updates, such as a supplemental update, for a period of time. | Link |
| Restriction | Allow erase all content and settings | Prevent users from using Erase All Content and Settings on their Mac. | Link |
| Setup Assistant | Skip unlock with Apple Watch | This skips the screen related to unlocking the device with the Apple Watch. | Link |
| Kernel Extensions | Allow non-admin user approvals | Allow users who aren't local administrators to approve kernel extensions. | Link |
| Restart | Notify user | If true, notifies the user to restart the device at their convenience. No forced restart occurs unless the device is at the login window with no logged-in users. The user can dismiss the notification and ignore the request. No further notifications display unless you resend the command. Available in macOS 11.3 and later. | Link |
| Restart | Rebuild kernel cache | If true, the system rebuilds the kernel cache during a device restart. Available in macOS 11 and later. | Link |
| Recovery Lock | Set Recovery Lock | Set the recoveryOS password. Available in macOS 12.0 and later. | Link |
| Recovery Lock | Verify Recovery Lock | Verify whether a recoveryOS password has been set. Available in macOS 12.0 and later. | Link |
| Device Information | Is Apple silicon | Query whether the device is a Mac with Apple silicon. Available in macOS 12.0 and later. | Link |
| Device Information | Can install iOS apps | Install iPhone and iPad apps on a Mac with Apple silicon from Apps and Books in Apple School Manager and Apple Business Manager. Available in macOS 11.3 and later. | Link |
| OS Updates | Max user deferrals | Specify the maximum number of deferrals, after which a forced update occurs. | Link |
The only change to tvOS 15 is that Apple TVs will no longer broadcast their MAC address.
WWDC 2021 Videos
VMware EUC Blog