Once again, Apple virtualized its Worldwide Developer Conference (WWDC) and announced the fall release of iOS/iPadOS 15, macOS Monterey (12.0), and tvOS 15. This document will be your guide to all of the updates and any preparations to make for your organization's Workspace ONE environment.

The anticipated release timeline for these updates is likely similar to past years. This means it is reasonable to expect a mid to late September release for iOS/iPadOS 15 and tvOS 15, with macOS Monterey following shortly after in late September or early October.

All of Apple's WWDC sessions for this information are available at the Apple developer website and anyone with a valid Managed Apple ID can access Appleseed for IT which contains testing instructions and release notes for all new operating systems.

Declarative Device Management

Declarative device management (DDM) will be the new way to deploy and manage Apple devices going forward. Starting with the fall 2021 OS releases, devices can be managed using the existing "imperative" management model or the new "declarative" management model. DDM will contain several improvements to the current management process.

It is important to note that DDM will only be available for User Enrolled devices in iOS 15 and macOS Monterey, but this will likely be expanded to other ownership modes in the future.

There will also be a dedicated Declarative Device Management knowledge base page that will be the hub for all dates, discoveries, and announcements that extend past the Fall 2021 releases. We will update this page with the link when it is available.

What is DDM?

Through its declarative nature, DDM allows the on-device MDM client to perform asynchronous actions to apply settings, install resources, and report status to the MDM server (Workspace ONE UEM). This is different than the current management model where all actions and settings are driven by Workspace ONE UEM issuing commands during a device check-in.

All settings, apps, restrictions, updates, samples, and other MDM objects will still be admin created and "assigned" to Apple devices. However, Workspace ONE UEM will no longer be required to perform a set of ordered commands to achieve the desired state. This reduces the number of required commands, improving performance and reliability.

DDM will contain a few new objects that will allow admins to take advantage of the new protocol's behavior. Those new components are declarations, statuses, and extensibility. While Apple's developer session and VMware's EUC blog post will contain more information on these details, below is a summary of these objects and their correlation to MDM.

  • Declarations
    • Declarations take the form of 4 types: Configurations, Assets, Activations, and Management.
    • Configurations are similar to Profiles in Workspace ONE UEM. They configure things like email, settings, and restrictions.
    • Assets contain reference data such as the user's identity. Configurations can reference assets. This means that if an asset needs to be updated, it will automatically update all associated configurations.
    • Activations are collections of configurations that can be given pre-requisites to be installed. For example, an activation can be made to only install a certain restriction if the device type is iPad.
    • Management declarations contain general information such as organization details and access rights.
  • Statuses
    • Devices report status changes to Workspace ONE automatically as they occur.
    • For example, if a device updates to a new version of iOS or an app is deleted, this information is automatically sent to Workspace ONE rather than waiting on the server to query the device.
    • MDM servers must subscribe to this channel and have appropriate permissions.
  • Extensibility
    • MDM server and devices can report their supported functionality.
    • This will allow MDM servers to handle which actions to take on which devices regardless of hardware, software, or Workspace ONE version.
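To make the relationships in the list above concrete, here is a small model of the declarative flow, written as an added example for this page (it is not Apple's DDM schema and not Workspace ONE code; the identifiers, the "$asset" reference convention, the model_family property and the sample payloads are all illustrative). It shows configurations referencing an asset, an activation gated on the device being an iPad, and the device itself computing what to apply and queuing status reports, so that an asset update propagates to every configuration that references it without a per-configuration command from the server.

```python
"""Toy model of declarative management: configurations reference assets,
activations gate configurations behind a predicate over device properties,
and the device (not the server) works out which configurations apply and
reports status changes.  Illustrative code, not Apple's DDM schema."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Asset:
    identifier: str
    data: dict
    server_token: str            # changes whenever the server updates the asset


@dataclass
class Configuration:
    identifier: str
    payload: dict                # values may be {"$asset": "<asset id>"} references
    server_token: str


@dataclass
class Activation:
    identifier: str
    configurations: list         # configuration identifiers to install
    predicate: Callable = lambda props: True   # prerequisite on device properties


@dataclass
class Device:
    properties: dict
    applied: dict = field(default_factory=dict)         # config id -> resolved payload
    status_reports: list = field(default_factory=list)  # what would be sent to the server


def resolve(config, assets):
    """Replace {"$asset": id} references with the asset's current data."""
    out = {}
    for key, value in config.payload.items():
        if isinstance(value, dict) and "$asset" in value:
            out[key] = assets[value["$asset"]].data
        else:
            out[key] = value
    return out


def sync(device, activations, configurations, assets):
    """Device-side evaluation: compute the desired state, apply only the delta,
    and queue a status report for every change.  Returns the change list."""
    desired = {}
    for act in activations:
        if not act.predicate(device.properties):
            continue                      # prerequisite not met on this device
        for cid in act.configurations:
            desired[cid] = resolve(configurations[cid], assets)
    changes = []
    for cid, payload in desired.items():
        if device.applied.get(cid) != payload:
            device.applied[cid] = payload
            changes.append(("applied", cid))
    for cid in list(device.applied):
        if cid not in desired:
            del device.applied[cid]
            changes.append(("removed", cid))
    device.status_reports.extend(changes)
    return changes


def demo():
    """Scenario from the text: an iPad-only restriction, plus an asset update
    that flows into every configuration referencing it on the next sync."""
    assets = {"asset.user": Asset("asset.user", {"email": "jdoe@worldwideenterprises.com"}, "v1")}
    configurations = {
        "cfg.mail": Configuration("cfg.mail", {"account": {"$asset": "asset.user"}, "ssl": True}, "v1"),
        "cfg.restrict": Configuration("cfg.restrict", {"allowCamera": False}, "v1"),
    }
    activations = [
        Activation("act.all", ["cfg.mail"]),
        Activation("act.ipad", ["cfg.restrict"],
                   predicate=lambda p: p.get("model_family") == "iPad"),
    ]
    ipad, iphone = Device({"model_family": "iPad"}), Device({"model_family": "iPhone"})
    first_ipad = sync(ipad, activations, configurations, assets)
    first_iphone = sync(iphone, activations, configurations, assets)
    # The server updates only the asset; each device re-resolves cfg.mail itself.
    assets["asset.user"] = Asset("asset.user", {"email": "jane.doe@worldwideenterprises.com"}, "v2")
    second_ipad = sync(ipad, activations, configurations, assets)
    idle_ipad = sync(ipad, activations, configurations, assets)   # nothing changed
    return {
        "first_ipad": first_ipad, "first_iphone": first_iphone,
        "second_ipad": second_ipad, "idle_ipad": idle_ipad,
        "ipad_mail": ipad.applied["cfg.mail"]["account"]["email"],
        "iphone_configs": sorted(iphone.applied),
        "ipad_reports": len(ipad.status_reports),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is in `sync`: the server never tells the iPad "install cfg.restrict" or "re-push cfg.mail"; it only publishes declarations, and the device reports back what actually changed, which is the status channel the text describes.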

See the below example for installing an application.

Current:

Declarative (New!):

What isn't DDM?

The most important detail of DDM is that it is not replacing the current management model. Both the existing "imperative" model and DDM are built on the same MDM framework, and both will continue to be supported by Apple and Workspace ONE for the foreseeable future. Enrolled devices will not need to be re-enrolled to continue using their current management, and all existing management functionality will remain unchanged.

How will DDM impact my deployment day 1?

There should be zero impact to any currently enrolled devices or new iOS 15 or macOS Monterey enrollments. Existing apps, profiles, updates, and other management objects will continue to function normally.

How can I trial DDM in my Workspace ONE environment?

The Workspace ONE team is hard at work to explore and implement the new DDM APIs into Workspace ONE UEM. This solution will likely be a multi-phase project taking place over many months of effort. Any released solutions will be made available first on our SaaS UAT tenants and published in our release notes and dedicated DDM knowledge base.

ABM/ASM Apps & Books Improvements

In their Improve MDM assignment of Apps and Books session, Apple announced a new set of APIs to allow MDM providers to deploy apps and books in a more efficient and scalable manner. Similar to declarative management, we encourage those interested in learning more to watch the session on Apple's developer site.

These new APIs remove the need for Workspace ONE UEM to directly manage license IDs and register users/devices with multiple requests. The new set of endpoints is centralized around real-time notifications for state changes of assets (apps & books), assignments, and registered users.

Today, Workspace ONE UEM is required to constantly request any new license data from Apple's system and update our records. With the new real-time notifications, Workspace ONE UEM is able to subscribe to various events and react to their success or failure more intelligently. If an app or book's licenses are purchased, transferred or deleted, Apple's system will notify Workspace ONE UEM that this change occurred. This removes any need to query for these changes on a scheduled cadence which improves accuracy and performance of the overall system.

When associating licenses to devices or users, this process can fail or take several seconds to minutes to complete. This time is compounded if more than one license is associated to one or more device/user. This leads to delays or failures installing apps or arbitrary workarounds to avoid this error occurring. With real-time notifications, Workspace ONE UEM is notified upon the success of a license association. This means all app or book installations only take place when this association is successful thus reducing errors or unexpected delays.
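The gating behaviour described in the two paragraphs above, written as an added example for this page: installs are dispatched only after a success notification for the license association, and the handler tolerates duplicate and stray events. The event field names, event types and the `AssignmentTracker` class are constructed for illustration; they are not Apple's notification API and not Workspace ONE code.

```python
"""Notification-driven license association (illustrative, constructed event
format): an app install is released only once the association is reported
successful, instead of polling Apple's system on a schedule."""


class AssignmentTracker:
    def __init__(self):
        self.pending = {}        # (adam_id, client_user_id) -> state
        self.seen_events = set() # event ids already processed (idempotency)
        self.installs = []       # associations for which an install may now be sent
        self.failures = []       # associations that failed, with the reported reason

    def request_install(self, adam_id, client_user_id):
        """Record that an install was requested; it waits on the association."""
        key = (adam_id, client_user_id)
        self.pending[key] = "awaiting-association"
        return key

    def handle_event(self, event):
        """Process one notification and return the action taken."""
        event_id = event["eventId"]
        if event_id in self.seen_events:
            return "duplicate-ignored"       # redelivered notification
        self.seen_events.add(event_id)
        key = (event["adamId"], event["clientUserId"])
        if key not in self.pending:
            return "not-pending"             # nothing waiting on this association
        if event["type"] == "ASSOCIATION_SUCCESS":
            del self.pending[key]
            self.installs.append(key)
            return "install-dispatched"
        if event["type"] == "ASSOCIATION_FAILURE":
            del self.pending[key]
            self.failures.append((key, event.get("reason", "unknown")))
            return "failed"
        return "unknown-event"


# Constructed sample notifications: a success, its redelivery, a failure, and
# a success for an association nobody requested.
SAMPLE_EVENTS = [
    {"eventId": "e1", "type": "ASSOCIATION_SUCCESS", "adamId": "123456", "clientUserId": "user-a"},
    {"eventId": "e1", "type": "ASSOCIATION_SUCCESS", "adamId": "123456", "clientUserId": "user-a"},
    {"eventId": "e2", "type": "ASSOCIATION_FAILURE", "adamId": "123456", "clientUserId": "user-b",
     "reason": "NO_LICENSES"},
    {"eventId": "e3", "type": "ASSOCIATION_SUCCESS", "adamId": "999", "clientUserId": "user-c"},
]


def run_sample():
    """Request two installs, feed the sample events, return outcomes and tracker."""
    tracker = AssignmentTracker()
    tracker.request_install("123456", "user-a")
    tracker.request_install("123456", "user-b")
    outcomes = [tracker.handle_event(e) for e in SAMPLE_EVENTS]
    return outcomes, tracker


if __name__ == "__main__":
    outcomes, tracker = run_sample()
    print(outcomes)
    print("installs:", tracker.installs, "failures:", tracker.failures)
```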

How will these changes impact my organization?

The currently available APIs will remain functional for the foreseeable future so there should be no impact to existing or new deployments.

The Workspace ONE team is hard at work to digest and integrate with the newly available APIs. Any changes made as part of this integration should not require any admin action or loss of functionality.

Account driven User Enrollment in iOS 15

User Enrollment was released in iOS 13 for BYOD devices to separate personal and work data on Apple devices using an enterprise identity called a Managed Apple ID. This process was driven by the MDM server sending an MDM profile to the device containing the Managed Apple ID of the user. The presence of this ID instructed the device to conduct a User Enrollment as opposed to the typical Device Enrollment.

With iOS 15 and iPadOS 15, Apple has added a new location for VPN and MDM configurations in Settings > General > VPN & Device Management. User Enrollment can be initiated on this page with the new "Sign In to Work or School Account". When the user inputs their Managed Apple ID, the OS takes the domain portion of the ID and derives a URL to kick off the enrollment process. For example, if the user input jdoe@worldwideenterprises.com, the device would reach out to a worldwideenterprises.com discovery server that would direct the device to its MDM server.

Check out more specifics on this in Apple's WWDC 2021 session.
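The domain-to-discovery step described above, as an added example for this page (not Apple's or Workspace ONE's implementation): the device-side logic takes the domain portion of the Managed Apple ID, builds the discovery URL, and picks the enrollment server out of the discovery response. The `.well-known/com.apple.remotemanagement` path, the `user-identifier` query parameter and the `Servers`/`Version`/`BaseURL` response fields follow Apple's published service-discovery format as I understand it; the page itself only says "discovery server". The sample response and the `mdm.worldwideenterprises.com` host are constructed.

```python
"""Account-driven User Enrollment discovery: derive the discovery URL from the
Managed Apple ID's domain and select the enrollment server from the response.
Illustrative code; well-known path and field names are assumptions."""
import json
from urllib.parse import quote, urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"   # assumed Apple path


def parse_managed_apple_id(managed_apple_id):
    """Split 'user@domain' into its parts, rejecting malformed input."""
    if managed_apple_id.count("@") != 1:
        raise ValueError("Managed Apple ID must contain exactly one '@'")
    user, domain = managed_apple_id.split("@")
    domain = domain.strip().lower()
    if not user or not domain or "." not in domain or "/" in domain:
        raise ValueError("malformed Managed Apple ID")
    return user, domain


def discovery_url(managed_apple_id):
    """Build the HTTPS discovery URL the device would contact for this domain."""
    _, domain = parse_managed_apple_id(managed_apple_id)
    return (f"https://{domain}{WELL_KNOWN_PATH}"
            f"?user-identifier={quote(managed_apple_id, safe='')}")


def select_enrollment_server(discovery_json, wanted_version="mdm-byod"):
    """Return the BaseURL for the requested enrollment flavour, insisting on
    HTTPS so a spoofed or misconfigured discovery document cannot redirect
    the device to a plaintext endpoint.  None if no matching entry exists."""
    doc = json.loads(discovery_json)
    for server in doc.get("Servers", []):
        if server.get("Version") != wanted_version:
            continue
        base = server.get("BaseURL", "")
        if urlsplit(base).scheme != "https":
            raise ValueError(f"refusing non-HTTPS enrollment server: {base}")
        return base
    return None


# Constructed discovery response for the example domain used in the text.
SAMPLE_RESPONSE = json.dumps({
    "Servers": [
        {"Version": "mdm-byod", "BaseURL": "https://mdm.worldwideenterprises.com/enroll"},
    ]
})


if __name__ == "__main__":
    url = discovery_url("jdoe@worldwideenterprises.com")
    print("discovery request:", url)
    print("enrollment server:", select_enrollment_server(SAMPLE_RESPONSE))
```

Because every organization hosts its own discovery document, that document is part of the enrollment trust chain: it must be served only over HTTPS from the Managed Apple ID domain, and changes to it deserve the same review as changes to the enrollment server itself.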

How will this impact my current User Enrolled devices?

Any devices already user enrolled will continue to function as normal with no admin interaction.

Will the previous User Enrollment method released in iOS 13 still work?

Yes. The previous method of User Enrollment will remain unchanged and can continue to be leveraged.

Is there any difference between devices enrolled with the original vs account driven method?

From a management perspective, there are no major differences between devices enrolled with either method once the device is enrolled. The only difference observed is the opportunity for ongoing authentication if the device is enrolled using the new account driven approach. This method allows the MDM server to check for authentication and re-authenticate whenever needed for added security.

How can I see and adopt the new account driven User Enrollment?

The Workspace ONE team is actively working to support the latest changes in User Enrollment in our SaaS UAT tenants. Per Apple's announcement, it appears a discovery server for each Managed Apple ID domain is required. This likely means that each organization will need to host a discovery server of their own to direct devices to their Workspace ONE enrollment server.

iOS 15

There were several updates for iOS/iPadOS 15 specifically. They are detailed below.

Required App

In iOS 15, Workspace ONE has the option to declare a single application in the MDM profile as "required". This allows the declared app to always install silently as if the device were supervised. Any other app will continue to prompt the user to confirm the installation. Supervised devices will still suppress installation prompts for all applications and thus do not benefit from this capability.

The default application for this setting will be the Intelligent Hub app starting in a future release of Workspace ONE UEM. This means any device enrolling after this release and assigned the Intelligent Hub will silently install the Intelligent Hub instead of prompting the user.

Profiles

| Payload | Key | Description | XML | Support |
| --- | --- | --- | --- | --- |
| Restriction | Require managed pasteboard | If true, copy and paste functionality respects the managed open-in restrictions. | Link | --- |
| Restriction | Force on device only translation | If true, the device won't connect to Siri servers for the purposes of translation. Available in iOS 15 and later. | Link | --- |
| Restriction | Force on device only dictation | If true, disables connections to Siri servers for the purposes of dictation. Available in iOS 14.5 and later. | Link | --- |
| Restriction | Allow unpaired external boot to recovery | If true, allows devices to be booted into recovery by an unpaired device. Requires a supervised device. Available in iOS 14.5 and later. | Link | --- |
| Restriction | Allow Near-field communications (NFC) | If false, users can't use built-in NFC hardware in compatible devices running iOS 14.2 or later. | Link | --- |
| Restriction | Allow auto unlock | If false, users can't use their Apple Watch (watchOS 7.4) to unlock their paired iPhone running iOS 14.5. Available in iOS 14.5 or later. | Link | --- |
| Setup Assistant | Skip unlock with Apple Watch | This skips the screen related to unlocking the device with the Apple Watch. | Link | --- |
| Setup Assistant | Skip Accessibility | This skips the screen related to Accessibility. | Link | --- |
| Certificate Revocation | Certificate revocation | Use the Certificate Revocation payload to revoke certificates on an iPhone or iPad. For example, an MDM administrator can create a list of certificates for revocation. Specifying a certificate authority (CA) enables revocation checking for all certificates chaining up to that CA. Available for iOS 14.2 and later. | Link | --- |
| TV Remote | TV Device Name | Admins can provide a list of Apple TV device names to be used to remove Apple TV device names from the remote widget. Available for iOS 15 and later. | Link | --- |

Commands

| Module | Command | Description | XML | Support |
| --- | --- | --- | --- | --- |
| Software update settings | Recommendation cadence | Admins can provide users the option to update to iOS 15 or iPadOS 15 (the next major version), or to continue updating to newer versions of iOS 14 and iPadOS 14 even after iOS 15 and iPadOS 15 are released. 2: show the update path for the operating system with the highest version number. 1: show the software update with the lower version number, if available. 0: show both options (the default). | Link | --- |
| Shared device settings | Temporary session only | If true, the user only sees the Guest Welcome pane and can only log in as a guest user. If false, the user can sign in with a Managed Apple ID (the existing behavior). Available in iOS 14.5 and later; must be applied before users log in to the device. | Link | --- |
| Shared device settings | Temporary session timeout | The timeout, in seconds, for the temporary session. The temporary session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout. Available in iOS 14.5 and later; must be applied before users log in to the device. | Link | --- |
| Shared device settings | User session timeout | The timeout, in seconds, for the user session. The user session logs out automatically after the specified period of inactivity. The minimum value is 30 seconds. Setting this value to 0 removes the timeout. Available in iOS 14.5 and later; must be applied before users log in to the device. | Link | --- |

macOS Monterey 12.0

There were several updates for macOS Monterey 12.0 specifically.

Profiles

| Payload | Key | Description | XML | Support |
| --- | --- | --- | --- | --- |
| Restriction | Enforce a major macOS software update delay | Defer major macOS updates, such as macOS 12, for a period of time. | Link | --- |
| Restriction | Enforce a minor macOS software update delay | Defer minor macOS updates, such as macOS 11.5, for a period of time. | Link | --- |
| Restriction | Enforce a non-macOS software update delay | Defer non-macOS software updates, such as a supplemental update, for a period of time. | Link | --- |
| Restriction | Allow erase all content and settings | Prevent users from using Erase All Content and Settings on their Mac. | Link | --- |
| Setup Assistant | Skip unlock with Apple Watch | This skips the screen related to unlocking the device with the Apple Watch. | Link | --- |
| Kernel Extensions | Allow non admin user approvals | Allow users who aren't local administrators to approve kernel extensions. | Link | --- |

Commands

| Module | Command | Description | XML | Support |
| --- | --- | --- | --- | --- |
| Restart | Notify user | If true, notifies the user to restart the device at their convenience. No forced restart occurs unless the device is at the login window with no logged-in users. The user can dismiss the notification and ignore the request. No further notifications display unless you resend the command. Available in macOS 11.3 and later. | Link | --- |
| Restart | Rebuild kernel cache | If true, the system rebuilds the kernel cache during a device restart. Available in macOS 11 and later. | Link | --- |
| Recovery Lock | Set Recovery Lock | Set the recoveryOS password. Available in macOS 12.0 and later. | Link | --- |
| Recovery Lock | Verify Recovery Lock | Verify whether a recoveryOS password has been set. Available in macOS 12.0 and later. | Link | --- |
| Device Information | Is Apple Silicon | Query whether the device is a Mac with Apple silicon. Available in macOS 12.0 and later. | Link | --- |
| Device Information | Can install iOS apps | Install iPhone and iPad apps on a Mac with Apple silicon from Apps and Books in Apple School Manager and Apple Business Manager. Available in macOS 11.3 and later. | Link | --- |
| OS Updates | Max user deferrals | Specify the maximum number of deferrals, after which a forced update will occur. | Link | --- |

tvOS 15

The only change to tvOS 15 is that Apple TVs will no longer broadcast their MAC address.

Resources

WWDC 2021 Videos

VMware EUC Blog
