Getting Ready for Apple Fall 2022 Releases

On June 6th, 2022 Apple announced at their World Wide Developers Conference (WWDC) the upcoming releases of iOS 16, iPadOS 16, tvOS 16, and macOS Ventura (13.0). This document will provide guidance on all the upcoming Apple updates and any impacts this may have on Workspace ONE.

The anticipated release timeline for these updates is similar to previous years. We anticipate a mid to late September release for iOS 16, iPadOS 16, and tvOS 16, with macOS Ventura releasing shortly after in late September or early October.

The following information is derived from Apple’s WWDC information sessions. These sessions are available on-demand through Apple’s Developer Program at developer.apple.com. This site also contains information on how test the upcoming releases.

Identity and security

Integration with Google Workspace

Managed Apple ID now supports integration with Google Workspace. This integration is provides Apple Business Manager and Apple School Manager directory sync and federated authentication with Google Workspaces.

Directory sync allows automatic creation of Managed Apple IDs within Apple Business Manager & Apple School Manager. Any additions, deletions, or changes to user records in Google Workspaces are also synced automatically. Federated authentication allows users to sign in their Managed Apple IDs using their Google Workspace account.

To use federated authentication with Google Workspace, Apple devices must meet the following operating system requirements:

  • iOS 15.5 or later
  • iPadOS 15.5 or later
  • macOS 12.4 or later

Sign in with Apple at Work & School

Sign in with Apple at Work & School adds support for Managed Apple IDs to Sign in with Apple.

Employees, teachers, and students can sign in with their Managed Apple IDs to access apps and websites that support Sign in with Apple. Administrators, Site Managers (Apple School Manager only), and People Managers can control which apps can use with Sign in with Apple.

To use Sign in with Apple at Work & School, Apple devices must meet the following operating system requirements:

  • iOS 16 or later
  • iPadOS 16 or later
  • macOS 13 or later

Sign in with Apple at School also provides a new API which allows third party education apps to sync user and class data from Apple School Manager. This allows third-party apps and services automatic retrieval of student and class records.

Rapid Security Response

iOS 16, iPadOS 16, and macOS 13 introduce Rapid Security Response, a new mechanism to ship security fixes to users more frequently. Rapid Security Responses don’t adhere to the managed software update delay. However, Rapid Security Responses only apply to the latest minor operating system version. If a minor operating system update is delayed, the associated response is also delayed.

Apple has provided two new restriction keys to control Rapid Security Reponses; the ability to disable responses and the ability to prevent users from undoing responses. The Workspace ONE Product team is evaluating these features for a future product release.

iOS 16, iPadOS 16, and tvOS 16

Managed Device Attestation

Managed Device Attestation reimagines how we certify device identity for iPhone, iPad, and tvOS. Managed Device Attestation uses the Secure Enclave and cryptographic attestations to provide strong assurances about a managed device properties.

An attestation is a declaration of a fact that is cryptographically signed. If you trust who signed the attestation, then you accept the fact to be true. These attestations can then be used to help prevent attackers from stealing a device’s TLS private keys, spoofing legitimate devices, and lying about device properties.

With Managed Device Attestation, device management solutions can now query a managed device to collect attestation certificates for specific device properties, such as serial number, UDID, and OS version. These certificates are generated by Apple’s Device Attestation Service and delivered to the managed device upon query. Attestations can also be used with a new certificate profile for the Automatic Certificate Manage Environment (ACME) protocol. With Managed Device Attestation and ACME certificates, it is now possible to generate highly secure hardware-bound certificates that devices can used to secure communications when connecting to services. The Workspace ONE Product team is evaluating this feature for a future product release.

To use Managed Device Attestation, Apple devices must meet the following operating system requirements:

  • iOS 16 or later
  • iPadOS 16 or later
  • tvOS 16 or later

User Enrollment SSO for iOS and iPadOS

Enrollment SSO is designed to make the User Enrollment flow faster and easier by reducing the number of sign-ins required during enrollment into MDM. This is accomplished by installing an identity app, then using it to handle repeated authentication during—and after—the enrollment process.

Enrollment SSO works with any SSO technology, including OAuth 2.0. To use Enrollment SSO, an IdP creates an app with an Extensible SSO extension and obtains the relevant entitlement, then publishes the app in the App Store as either a public or unlisted app. During the enrollment flow in Settings, the user can then download and use this app to sign in. After a user signs in and is enrolled in MDM, the app remains installed as a managed app to facilitate additional authentications.

The Workspace ONE Product team is evaluating this feature for a future product release.

OAuth 2.0 support

iOS 16 and iPadOS 16 support OAuth 2.0 for User Enrollment. Historically, User Enrollment authentication leveraged a bearer token when authentication users to MDM solutions.

OAuth 2.0 supports both a frequently rotated authentication token and an infrequently used refresh token. The authentication token can be rotated in the background without disrupting the user, which allows for frequent rotation and enhanced security.

The Workspace ONE Product team is evaluating OAuth 2.0 support for a future product release.

Managed per-app networking

iOS 16 and iPadOS 16 support DNS proxy and web content filtering for managed applications on a per-app basis. This allows network traffic initiated by managed apps to pass through a DNS proxy, a web content filter, or both. Historically, this functionality was only available through the use of per-app VPN.

DNS proxy and web content filtering for managed apps has been added to the existing Managed App Settings framework. The Workspace ONE Product team is evaluating these features for a future product release.

Profiles

Profile enhancements coming with iOS 16, iPadOS 16, and tvOS 16

Payload Key Description XML
DNS Proxy DNSProxyUUID DNS Proxy settings to be referenced on a per-app basis. Coming soon!
Web Content Filter ContentFilterUUID Web Content Filter settings to be referenced on a per-app basis. Coming soon!
Cellular EnableXLAT464 Enable XLAT464 on cellular devices. Coming soon!
Restrictions allowRapidSecurityResponseInstallation Allow Rapid Security Response installation. Coming soon!
Restrictions allowRapidSecurityResponseRemoval Allow Rapid Security Response removal by user. Coming soon!
ACME Certificate New payload for configuring Automated Certificate Management Environment (ACME) Certificate settings. Coming soon!

Commands

Command enhancements coming with iOS 16, iPadOS 16, and tvOS 16

Module Command Description XML
Managed Settings AccessibilitySettings Configure Accessibility settings on the device such as bold text, increased contrast, reduced motion, reduced transparency, text size, touch accommodations, voiceover, and zoom. Coming soon!
App List Sample IsAppClip Indicates if a particular app reported in the returned sample is an App Clip. Coming soon!
Application Settings ContentFilterUUID Configure a managed application to use the specified Content Filter settings. Coming soon!
Application Settings DNSProxyUUID Configure a managed application to use the specified DNS Proxy settings. Coming soon!
Shared iPad Settings ManagedAppleIDDefaultDomains A list of domains that display on Shared iPad login screen. Coming soon!
Shared iPad Settings OnlineAuthenticationGracePeriod A grace period (in days) for Shared iPad online authentication. The Shared iPad only verifies the user’s passcode locally during login for users that already exist on the device. However, the system requires an online authentication (against Apple’s identity server) after the number of days specified by this setting. Coming soon!

macOS Ventura 13.0

Platform Single sign-on

macOS Ventura supports Platform Single sign-on (SSO). Platform SSO allows for the local password to automatically remain in sync with their cloud IdP password, and allows for the IdP password to be used when unlocking the device. This feature also extends the SSO Extension, including the built-in Kerberos extension, to the macOS login window.

Apple has provided new configuration keys to control Platform SSO. The Workspace ONE Product team is evaluating this feature for a future product release.

Managed software updates

macOS Ventura includes new device management features to enhance software update management tasks

  • The ScheduleOSUpdate command includes a new Priority key can be specified to indicate “High” or “Low” priority updates. The devices will respect these priorities when handling multiple OS updates at once. Note that this key is only supported for minor OS updates.
  • The OSUpdateStatus command includes new information regarding the amount of user deferrals remaining, the total amount of allowed deferrals, the next scheduled install attempt, as well as the exact dates & times of past install notifications. This feature is supported as of macOS 12.3.
  • Devices will now respond to ScheduleOSUpdate, OSUpdateStatus, and AvailableOSUpdate commands even when asleep or in PowerNap mode.

The Workspace ONE Product team is evaluating these features for a future product release.

Thunderbolt & USB security

macOS Ventura supports new security measures for Apple silicon devices. By default, users are now required to allow new Thunderbolt or USB accessories when connecting them to their device. This setting can be customized in System Preferences and can also be managed through a new restriction key. The Workspace ONE Product team is evaluating this feature for a future product release.

Profiles

Profile enhancements coming with macOS Ventura

Payload Key Description XML
SSO Extension AuthenticationMethod The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method. Coming soon!
SSO Extension RegistrationToken The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that AuthenticationMethod isn’t empty. Coming soon!
SSO Extension allowPlatformSSOAuthFallback If true and usePlatformSSOTGT is true, allows the user to manually sign in. Coming soon!
SSO Extension performKerberosOnly If true, the Kerberos Extension handles Kerberos requests only. It doesn’t check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. Coming soon!
SSO Extension usePlatformSSOTGT If true, requires this configuration uses a TGT from Platform SSO instead of requesting a new one. Coming soon!
Restrictions allowUniversalControl If false, disables Universal Control. Coming soon!
Restrictions allowUIConfigurationProfileInstallation If false, prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. Coming soon!
Restrictions allowUSBRestrictedMode If false, allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization. Coming soon!
Restrictions allowRapidSecurityResponseInstallation Allow Rapid Security Response installation. Coming soon!
Restrictions allowRapidSecurityResponseRemoval Allow Rapid Security Response removal by user. Coming soon!

Commands

Command enhancements coming with macOS Ventura.

Module Command Description XML
Managed Settings AccessibilitySettings Configure Accessibility settings on the device such as bold text, increased contrast, reduced motion, reduced transparency, text size, touch accommodations, voiceover, and zoom. Coming soon!

Declarative Device Management

Apple announced Declarative Device Management at WWDC 2021. Declarative Device Management provides a new way to deploy and manage Apple devices. With iOS 16, iPadOS 16, tvOS 16, and macOS Ventura, Declarative Device Management is now supported across all platforms and enrollment types. Previously, Declarative Device Management was only available for User Enrollment.

Automated Device Enrollments Profile-based Device Enrollments User Enrollments Shared iPad
iOS 16 iOS 16 iOS 15 or later N/A
iPadOS 16 iPadOS 16 iPadOS 15 or later iPadOS 16
macOS 13 macOS 13 macOS 13 N/A
tvOS 16 tvOS 16 N/A N/A

For more information on Declarative Device Management, please see Getting Ready for Apple Fall 2021 Releases.

New status reports

Status reporting allows a device to share information about its current state and if there are any changes, these can be reported to the server proactively without having to poll the device for updates. In addition to device properties, status is now reported for passcode presence and compliance, accounts, and MDM app installation progress and information.

Enhanced predicates

Activations are a set of configurations, and can include an optional predicate that determines whether the configurations referenced in the activation will be applied to the device. Activations can now use an extended predicate syntax— including status items—to support more complex predicate expressions. In addition, a new management properties declaration allows servers to set arbitrary properties on the device, which can be directly used in activation predicates.

Workspace ONE Productivity App Support

VMware is currently testing our productivity apps with the new versions of iOS, iPadOS, and macOS. Please refer to the table below for productivity app version compatibility with the latest Apple releases. This table will be updated as our testing progresses.

App Name iOS 16 Supported Version iPadOS 16 Supported Version macOS Ventura Supported Version
Intelligent Hub TBD TBD TBD
Boxer TBD TBD
Content TBD TBD
Web TBD TBD
Tunnel TBD TBD TBD
Assist TBD
Cards TBD TBD
Notebook TBD TBD
PIV-D Manager TBD TBD
Intelligence SDK TBD TBD
SDK (Swift) TBD TBD
SDK – Xamarin TBD TBD
SDK – Cordova Plug-in TBD TBD
Send TBD TBD

Known Issues

Any known issues impacting iOS 16, iPadOS 16, tvOS 16, and macOS Ventura will be listed below. Follow the link to the VMware Knowledge Base for detailed issue description, inlcuding resolution steps and/or work-arounds.

Resources

WWDC 2022 videos

check-circle-line exclamation-circle-line close-line
Scroll to top icon