On June 6th, 2022, Apple announced at their Worldwide Developers Conference (WWDC) the upcoming releases of iOS 16, iPadOS 16, tvOS 16, and macOS Ventura (13.0). This document provides guidance on all the upcoming Apple updates and any impacts they may have on Workspace ONE.
The anticipated release timeline for these updates is similar to previous years. We anticipate a mid to late September release for iOS 16, iPadOS 16, and tvOS 16, with macOS Ventura releasing shortly after in late September or early October.
The following information is derived from Apple’s WWDC information sessions. These sessions are available on-demand through Apple’s Developer Program at https://developer.apple.com. This site also contains information on how to test the upcoming releases.
Managed Apple ID now supports integration with Google Workspace. This integration provides Apple Business Manager and Apple School Manager with directory sync and federated authentication with Google Workspace.
Directory sync allows automatic creation of Managed Apple IDs within Apple Business Manager & Apple School Manager. Any additions, deletions, or changes to user records in Google Workspace are also synced automatically. Federated authentication allows users to sign in to their Managed Apple IDs using their Google Workspace account.
To use federated authentication with Google Workspace, Apple devices must meet the following operating system requirements:
Sign in with Apple at Work & School adds support for Managed Apple IDs to Sign in with Apple.
Employees, teachers, and students can sign in with their Managed Apple IDs to access apps and websites that support Sign in with Apple. Administrators, Site Managers (Apple School Manager only), and People Managers can control which apps can be used with Sign in with Apple.
To use Sign in with Apple at Work & School, Apple devices must meet the following operating system requirements:
Sign in with Apple at School also provides a new API which allows third party education apps to sync user and class data from Apple School Manager. This allows third-party apps and services automatic retrieval of student and class records.
iOS 16, iPadOS 16, and macOS 13 introduce Rapid Security Response, a new mechanism to ship security fixes to users more frequently. Rapid Security Responses don’t adhere to the managed software update delay. However, Rapid Security Responses only apply to the latest minor operating system version. If a minor operating system update is delayed, the associated response is also delayed.
Apple has provided two new restriction keys to control Rapid Security Responses: the ability to disable responses and the ability to prevent users from undoing responses. The Workspace ONE Product team is evaluating these features for a future product release.
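The following audit sketch is an added example, not code from Apple or Workspace ONE. It checks an unsigned configuration profile for the two Rapid Security Response restriction keys and for a software update delay, which per the paragraph above also holds back responses for the deferred version. The defaults when a key is absent, the `forceDelayedSoftwareUpdates` and `enforcedSoftwareUpdateDelay` keys, and the `com.example` identifier are assumptions not stated on this page.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # PayloadType of the Restrictions payload

def make_profile(restrictions):
    """Wrap a dict of restriction keys in a minimal, unsigned profile (constructed)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.rsr-audit",  # hypothetical identifier
        "PayloadContent": [dict(restrictions, PayloadType=RESTRICTIONS)],
    })

def audit_rsr(profile_bytes):
    """Return (finding_id, detail) pairs for settings that slow or undo responses."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS:
            continue
        # Assumption: both Rapid Security Response keys default to true when absent.
        if not payload.get("allowRapidSecurityResponseInstallation", True):
            findings.append(("rsr-install-disabled", "responses will not be installed"))
        if payload.get("allowRapidSecurityResponseRemoval", True):
            findings.append(("rsr-removal-allowed", "users can undo an installed response"))
        # A deferred OS update also defers the responses built on top of it.
        if payload.get("forceDelayedSoftwareUpdates", False):
            days = payload.get("enforcedSoftwareUpdateDelay", "default")
            findings.append(("update-delayed", f"update delay: {days} days"))
    return findings

# Constructed samples: a profile that weakens RSR handling and a stricter one.
WEAK = make_profile({
    "allowRapidSecurityResponseInstallation": False,
    "forceDelayedSoftwareUpdates": True,
    "enforcedSoftwareUpdateDelay": 60,
})
STRICT = make_profile({
    "allowRapidSecurityResponseInstallation": True,
    "allowRapidSecurityResponseRemoval": False,
})

if __name__ == "__main__":
    for name, profile in (("weak", WEAK), ("strict", STRICT)):
        print(name, audit_rsr(profile))
```

A signed profile is CMS-wrapped and must be unwrapped before `plistlib` can parse it.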
Managed Device Attestation reimagines how we certify device identity for iPhone, iPad, and tvOS. Managed Device Attestation uses the Secure Enclave and cryptographic attestations to provide strong assurances about a managed device’s properties.
An attestation is a declaration of a fact that is cryptographically signed. If you trust who signed the attestation, then you accept the fact to be true. These attestations can then be used to help prevent attackers from stealing a device’s TLS private keys, spoofing legitimate devices, and lying about device properties.
With Managed Device Attestation, device management solutions can now query a managed device to collect attestation certificates for specific device properties, such as serial number, UDID, and OS version. These certificates are generated by Apple’s Device Attestation Service and delivered to the managed device upon query. Attestations can also be used with a new certificate profile for the Automated Certificate Management Environment (ACME) protocol. With Managed Device Attestation and ACME certificates, it is now possible to generate highly secure hardware-bound certificates that devices can use to secure communications when connecting to services. The Workspace ONE Product team is evaluating this feature for a future product release.
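As an added illustration (not code from Apple or Workspace ONE), the check below reviews an ACME certificate payload before deployment to confirm it actually requests a hardware-bound, attested key. The key names (`HardwareBound`, `Attest`, `KeyType`, `KeySize`, `DirectoryURL`) and the constraints between them are assumptions drawn from Apple's ACME payload documentation rather than from this page, and the sample payloads are constructed.

```python
def check_acme_payload(payload):
    """Return problem ids for an ACME payload meant to yield a hardware-bound key."""
    problems = []
    hardware_bound = payload.get("HardwareBound", False)
    attest = payload.get("Attest", False)
    if not hardware_bound:
        # Without hardware binding the private key is not tied to the Secure Enclave.
        problems.append("key-not-hardware-bound")
    if not attest:
        # The ACME server gets no signed evidence about the device or the key.
        problems.append("no-attestation-requested")
    elif not hardware_bound:
        # Assumption: attestation is only valid together with a hardware-bound key.
        problems.append("attest-requires-hardware-bound")
    # Assumption: hardware-bound keys must be elliptic-curve, 256 or 384 bits.
    if hardware_bound and (payload.get("KeyType") != "ECSECPrimeRandom"
                           or payload.get("KeySize") not in (256, 384)):
        problems.append("key-type-unsupported-for-hardware-binding")
    if not str(payload.get("DirectoryURL", "")).startswith("https://"):
        problems.append("directory-url-not-https")
    return problems

# Constructed samples; the server URL and client identifier are placeholders.
BASE = {
    "PayloadType": "com.apple.security.acme",
    "DirectoryURL": "https://acme.example.com/directory",
    "ClientIdentifier": "constructed-client-id",
}
EXPORTABLE = dict(BASE, KeyType="RSA", KeySize=2048, Attest=True)
HARDWARE_BOUND = dict(BASE, KeyType="ECSECPrimeRandom", KeySize=384,
                      HardwareBound=True, Attest=True)

if __name__ == "__main__":
    print("exportable:", check_acme_payload(EXPORTABLE))
    print("hardware-bound:", check_acme_payload(HARDWARE_BOUND))
```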
To use Managed Device Attestation, Apple devices must meet the following operating system requirements:
Enrollment SSO is designed to make the User Enrollment flow faster and easier by reducing the number of sign-ins required during enrollment into MDM. This is accomplished by installing an identity app, then using it to handle repeated authentication during—and after—the enrollment process.
Enrollment SSO works with any SSO technology, including OAuth 2.0. To use Enrollment SSO, an IdP creates an app with an Extensible SSO extension and obtains the relevant entitlement, then publishes the app in the App Store as either a public or unlisted app. During the enrollment flow in Settings, the user can then download and use this app to sign in. After a user signs in and is enrolled in MDM, the app remains installed as a managed app to facilitate additional authentications.
The Workspace ONE Product team is evaluating this feature for a future product release.
iOS 16 and iPadOS 16 support OAuth 2.0 for User Enrollment. Historically, User Enrollment authentication leveraged a bearer token when authenticating users to MDM solutions.
OAuth 2.0 supports both a frequently rotated authentication token and an infrequently used refresh token. The authentication token can be rotated in the background without disrupting the user, which allows for frequent rotation and enhanced security.
The Workspace ONE Product team is evaluating OAuth 2.0 support for a future product release.
iOS 16 and iPadOS 16 support DNS proxy and web content filtering for managed applications on a per-app basis. This allows network traffic initiated by managed apps to pass through a DNS proxy, a web content filter, or both. Historically, this functionality was only available through the use of per-app VPN.
DNS proxy and web content filtering for managed apps has been added to the existing Managed App Settings framework. The Workspace ONE Product team is evaluating these features for a future product release.
Profile enhancements coming with iOS 16, iPadOS 16, and tvOS 16
Payload | Key | Description | XML |
---|---|---|---|
DNS Proxy | DNSProxyUUID | DNS Proxy settings to be referenced on a per-app basis. | Link |
Web Content Filter | ContentFilterUUID | Web Content Filter settings to be referenced on a per-app basis. | Link |
Cellular | EnableXLAT464 | Enable XLAT464 on cellular devices. | Link |
Restrictions | allowRapidSecurityResponseInstallation | Allow Rapid Security Response installation. | Link |
Restrictions | allowRapidSecurityResponseRemoval | Allow Rapid Security Response removal by user. | Link |
ACME Certificate | | New payload for configuring Automated Certificate Management Environment (ACME) Certificate settings. | Link |
Command enhancements coming with iOS 16, iPadOS 16, and tvOS 16
Module | Command | Description | XML |
---|---|---|---|
Managed Settings | AccessibilitySettings | Configure Accessibility settings on the device such as bold text, increased contrast, reduced motion, reduced transparency, text size, touch accommodations, voiceover, and zoom. | Link |
App List Sample | IsAppClip | Indicates if a particular app reported in the returned sample is an App Clip. | N/A |
Application Settings | ContentFilterUUID | Configure a managed application to use the specified Content Filter settings. | N/A |
Application Settings | DNSProxyUUID | Configure a managed application to use the specified DNS Proxy settings. | N/A |
Shared iPad Settings | ManagedAppleIDDefaultDomains | A list of domains that display on Shared iPad login screen. | Link |
Shared iPad Settings | OnlineAuthenticationGracePeriod | A grace period (in days) for Shared iPad online authentication. The Shared iPad only verifies the user’s passcode locally during login for users that already exist on the device. However, the system requires an online authentication (against Apple’s identity server) after the number of days specified by this setting. | Link |
macOS Ventura supports Platform Single sign-on (SSO). Platform SSO allows a user’s local password to automatically remain in sync with their cloud IdP password, and allows the IdP password to be used when unlocking the device. This feature also extends the SSO Extension, including the built-in Kerberos extension, to the macOS login window.
Apple has provided new configuration keys to control Platform SSO. The Workspace ONE Product team is evaluating this feature for a future product release.
macOS Ventura includes new device management features to enhance software update management tasks:
- The ScheduleOSUpdate command includes a new Priority key that can be specified to indicate “High” or “Low” priority updates. Devices respect these priorities when handling multiple OS updates at once. Note that this key is only supported for minor OS updates.
- The OSUpdateStatus command includes new information regarding the number of user deferrals remaining, the total number of allowed deferrals, the next scheduled install attempt, as well as the exact dates & times of past install notifications. This feature is supported as of macOS 12.3.
- ScheduleOSUpdate, OSUpdateStatus, and AvailableOSUpdate commands even when asleep or in PowerNap mode.

The Workspace ONE Product team is evaluating these features for a future product release.
macOS Ventura supports new security measures for Apple silicon devices. By default, users are now required to allow new Thunderbolt or USB accessories when connecting them to their device. This setting can be customized in System Preferences and can also be managed through a new restriction key. The Workspace ONE Product team is evaluating this feature for a future product release.
In macOS Ventura, the System Preferences MDM Payload will be deprecated and no longer supported. This update coincides with a design revamp of the System Preferences organization in macOS Ventura. If you are currently deploying this payload on existing macOS devices, make sure to test and validate how macOS Ventura interacts with your current MDM profile payload configuration.
macOS Ventura introduces a new setting for users to manage which applications and processes are able to launch at login and run in the background. When installing an application that requires this functionality, a notification is presented for the user to approve or deny. After installation, the user can enable or disable this setting on a per-app basis.
Apple has also introduced a new MDM profile payload that manages these login item settings. When you begin allowing macOS Ventura devices in your production environment, VMware recommends deploying the linked sample to all Ventura devices to eliminate the possibility of the Workspace ONE Intelligent Hub being denied background access, which could severely impact device functionality. This payload will be deployed by default in a future version of Workspace ONE UEM.
Profile enhancements coming with macOS Ventura
Payload | Key | Description | XML |
---|---|---|---|
Login Item Management | Rules | Prevent users from disabling managed Login and Background Items in System Settings. | Link |
Restrictions | allowUniversalControl | If false, disables Universal Control. | Link |
Restrictions | allowUIConfigurationProfileInstallation | If false, prohibits the user from installing configuration profiles and certificates interactively. Requires a supervised device. | Link |
Restrictions | allowUSBRestrictedMode | If false, allows the device to always connect to USB accessories while locked. On macOS, allows new USB accessories to connect without authorization. | Link |
Restrictions | allowRapidSecurityResponseInstallation | Allow Rapid Security Response installation. | Link |
Restrictions | allowRapidSecurityResponseRemoval | Allow Rapid Security Response removal by user. | Link |
SSO Extension | AuthenticationMethod | The Platform SSO authentication method the extension uses. Requires that the SSO Extension also supports the method. | |
SSO Extension | RegistrationToken | The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. Requires that AuthenticationMethod isn’t empty. | |
SSO Extension | allowPlatformSSOAuthFallback | If true and usePlatformSSOTGT is true, allows the user to manually sign in. | |
SSO Extension | performKerberosOnly | If true, the Kerberos Extension handles Kerberos requests only. It doesn’t check for password expiration, show the password expiration in the menu, check for external password changes, perform password sync, or retrieve the home directory. | |
SSO Extension | usePlatformSSOTGT | If true, requires that this configuration uses a TGT from Platform SSO instead of requesting a new one. | |
Command enhancements coming with macOS Ventura.
Module | Command | Description |
---|---|---|
Managed Settings | AccessibilitySettings | Configure Accessibility settings on the device such as bold text, increased contrast, reduced motion, reduced transparency, text size, touch accommodations, voiceover, and zoom. |
Description | Fix Version |
---|---|
macOS 13 Ventura (beta5) - Receive “app is damaged and can’t be opened” error for web apps in Intelligent Hub | Hub 22.08.1 |
Apple announced Declarative Device Management at WWDC 2021. Declarative Device Management provides a new way to deploy and manage Apple devices. With iOS 16, iPadOS 16, tvOS 16, and macOS Ventura, Declarative Device Management is now supported across all platforms and enrollment types. Previously, Declarative Device Management was only available for User Enrollment.
Automated Device Enrollments | Profile-based Device Enrollments | User Enrollments | Shared iPad |
---|---|---|---|
iOS 16 | iOS 16 | iOS 15 or later | N/A |
iPadOS 16 | iPadOS 16 | iPadOS 15 or later | iPadOS 16 |
macOS 13 | macOS 13 | macOS 13 | N/A |
tvOS 16 | tvOS 16 | N/A | N/A |
For more information on Declarative Device Management, please see Getting Ready for Apple Fall 2021 Releases.
Status reporting allows a device to share information about its current state. Any changes can be reported to the server proactively, without the server having to poll the device for updates. In addition to device properties, status is now reported for passcode presence and compliance, accounts, and MDM app installation progress and information.
Activations are a set of configurations, and can include an optional predicate that determines whether the configurations referenced in the activation will be applied to the device. Activations can now use an extended predicate syntax, including status items, to support more complex predicate expressions. In addition, a new management properties declaration allows servers to set arbitrary properties on the device, which can be directly used in activation predicates.
VMware is currently testing our productivity apps with the new versions of iOS, iPadOS, and macOS. Please refer to the table below for productivity app version compatibility with the latest Apple releases. This table will be updated as our testing progresses.
App Name | iOS 16 Supported Version | iPadOS 16 Supported Version | macOS Ventura Supported Version |
---|---|---|---|
Intelligent Hub | 22.08 | 22.08 | 22.08.1 |
Boxer | 22.09 | 22.08 | — |
Content | 22.08.1 | 22.09 | — |
Web | 22.08 | 22.08 | — |
Tunnel | 22.01.1 | 22.01.1 | 22.04.1 |
Assist | 22.07 | — | 22.10 |
Cards | 22.03 | 22.03 | — |
Notebook | 22.03 | 22.03 | — |
PIV-D Manager | 22.07.1 | 22.07.1 | — |
Intelligence SDK | 6.1.2 | 6.1.2 | — |
SDK (Swift) | 22.05 | 22.05 | — |
SDK – Xamarin | 22.05 | 22.05 | — |
SDK – Cordova Plug-in | 22.05 | 22.05 | — |
Send | 21.04.1 | 21.04.1 | — |
Any known issues impacting iOS 16, iPadOS 16, tvOS 16, and macOS Ventura will be listed below. Follow the link to the VMware Knowledge Base for a detailed issue description, including resolution steps and/or workarounds.
WWDC 2022 videos