Apple made several exciting announcements on June 5th, 2023, during their Worldwide Developers Conference (WWDC). They revealed the upcoming releases of iOS 17, iPadOS 17, tvOS 17, watchOS 10, and macOS 14 Sonoma. This document aims to provide clear information about the updates included in these releases and how they will affect Workspace ONE UEM.
The anticipated release timeline for these updates is similar to previous years.
The information provided below is from Apple’s WWDC information sessions. You can access these sessions at your convenience through Apple’s Developer Program website: https://developer.apple.com/wwdc23/. This website also provides details on how to test the upcoming releases. Please remember that the Beta releases are not currently supported. We are currently conducting tests and will inform you when support is available.
Workspace ONE does not officially support the enrollment of beta versions of new operating systems. We encourage our customers to test these new versions in lab configurations to confirm that their production environments will be compatible, but expect various issues during testing. VMware will work to ensure that these releases are fully supported by the time they are formally released.
Some of Apple’s most impressive enterprise updates surrounded Declarative Device Management. Apple announced three huge features for Declarative. As of this year’s major software releases, Declarative can now manage software updates, certificates, and applications.
Declarative Device Management now includes a new configuration that allows for software update enforcement. Unlike Apple’s previous ScheduleOSUpdate command, this new declarative configuration allows you to specify a date and time when the device is to perform an OS update. Not only can you enforce specific OS versions, but you can also enforce specific Rapid Security Responses with this functionality. Apple has also developed a new notification system to alert users to an upcoming enforced upgrade. Users will receive update notifications every day as they approach the enforcement deadline, enticing them to upgrade beforehand. 24 hours before the deadline, this notification appears hourly and ignores Do Not Disturb. One hour before the deadline, the notification appears every 30 minutes, and then every 10 minutes. If a device is turned off and the deadline is missed, upon the next restart the user will receive a notification that the upgrade is past due and that the update will be enforced within the next hour.
In addition to the new Software Update Enforcement configuration, Apple also provided four new software update related status items. MDM can now subscribe to Software Update Failure Reason, Install Reason, Install State, and Pending Install Version. Once subscribed to these new status items, managed devices will automatically send the MDM server these attributes any time they change. These new status items will provide near real time insights into the device state as it undergoes an OS upgrade.
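As an added example (not Workspace ONE or Apple code), the following Python sketches the MDM-server side of the two paragraphs above: building the enforcement declaration and classifying devices from the new status items. The declaration type and payload keys follow Apple's published DDM schema; the status item names and their nested keys, the device names and the sample reports are assumptions constructed here.

```python
import re
from datetime import datetime
# Declaration type and payload keys follow Apple's published DDM schema.
ENFORCEMENT_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
LOCAL_DT_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")  # local time, no zone offset

def build_enforcement_declaration(identifier, server_token, target_os, deadline, details_url=None):
    """Declaration an MDM server syncs to a device to enforce target_os by deadline."""
    if not LOCAL_DT_RE.match(deadline):
        raise ValueError("TargetLocalDateTime must look like 2023-10-02T09:00:00 (no zone offset)")
    payload = {"TargetOSVersion": target_os, "TargetLocalDateTime": deadline}
    if details_url:
        payload["DetailsURL"] = details_url
    return {"Type": ENFORCEMENT_TYPE, "Identifier": identifier,
            "ServerToken": server_token, "Payload": payload}

def version_tuple(version):
    """'17.10' -> (17, 10): compare versions numerically, never as strings."""
    return tuple(int(part) for part in version.split("."))

def classify_device(report, target_os, deadline, now):
    """Classify one DDM status report against the enforcement deadline.
    Running version comes from the existing device.operating-system.version item; the
    four new items are read as softwareupdate.install-state / .install-reason /
    .pending-version / .failure-reason (names and nested keys assumed, not from this page)."""
    items = report["StatusItems"]
    su = items.get("softwareupdate", {})
    if version_tuple(items["device"]["operating-system"]["version"]) >= version_tuple(target_os):
        return "compliant"
    if su.get("failure-reason"):  # a failure surfaces immediately, not at the deadline
        return "failed: " + su["failure-reason"].get("reason", "unknown")
    if su.get("install-state") in ("downloading", "installing"):
        pending = su.get("pending-version", {}).get("os-version", "?")
        return f"in-progress ({su['install-state']}, pending {pending})"
    if datetime.fromisoformat(now) >= datetime.fromisoformat(deadline):
        return "past-due"  # deadline missed with no update activity reported
    return "scheduled"

def _report(version, su=None):  # constructed sample report, not captured from a real device
    return {"StatusItems": {"device": {"operating-system": {"version": version}},
                            "softwareupdate": su or {}}}

SAMPLE_REPORTS = {
    "ipad-01": _report("17.0.3"),
    "iphone-02": _report("16.6.1", {"install-state": "downloading", "install-reason": "enforced",
                                    "pending-version": {"os-version": "17.0.3"}}),
    "iphone-03": _report("16.5", {"install-state": "none",
                                  "failure-reason": {"reason": "insufficient-space", "count": 2}}),
    "ipad-04": _report("16.7"),
}
```

Running `classify_device` over each entry of `SAMPLE_REPORTS` with a deadline of `2023-10-02T09:00:00` yields compliant, in-progress, failed and scheduled (or past-due once the deadline has passed), which is the fleet view the status items make possible without polling.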
Declarative Device Management now allows for defining certificates and identities as asset declarations, which can be referenced by multiple configurations. This eliminates the need for duplicating certificates or identities across multiple profiles and reduces the disruption caused by updating them. Certificates can use either the PEM or DER data formats, while identities can utilize the PKCS #12 format or be provisioned via ACME or SCEP protocols.
Two new configurations allow the installation of stand-alone certificates and identities. Both configurations reference a credential asset that provides the necessary certificate or identity data. The certificate configuration installs a single certificate into the keychain, and if it is a self-signed certificate authority, it will also be added to the trust store. The identity configuration installs a single identity into the keychain. These configurations are available on all platforms.
In a future update to iOS 17, iPadOS 17, and macOS 14 Sonoma, Declarative Device Management will provide a new configuration to manage applications. This configuration will allow administrators to deploy App Store apps, Custom Apps, and internal applications to managed iPhones, iPads, and Macs. This configuration will also include app configuration capabilities and per-app VPN, so apps can be deployed ready to go with the settings they need. Apple is also providing new native device management capabilities to configure on-demand app deployment as well as enabling automatic app updates.
Workspace ONE UEM support for Declarative Device Management is coming soon! In the meantime, the Workspace ONE UEM Product team is evaluating and prioritizing these new features for a future product release.
There were several updates for iOS 17, iPadOS 17, and macOS Sonoma specifically. They are detailed below.
iOS 17, iPadOS 17, and macOS 14 Sonoma support new functionality enforced via integration with Apple Business Manager and Apple School Manager to ensure devices are compliant before they are even allowed to enroll. Enforcement can be used to ensure that devices are on a specified minimum version of the OS, that devices are encrypted, or that they can only be enrolled through Automated Device Enrollment, instead of any other flows.
In the case of minimum OS version enforcement, if a device does not meet the minimum OS version threshold, the user is guided through a software update before they can continue through the Setup Assistant. This new feature can be used to ensure devices are up to date before receiving any corporate resources through device management.
iOS 17, iPadOS 17, and macOS 14 Sonoma include new built-in support for relays. Relays are an alternative to VPN that can be used to securely tunnel traffic to access internal resources. To configure a relay, Apple has provided a new managed relay profile payload that can be deployed via MDM to iPhones, iPads, and Mac devices. Using this payload allows for a secure HTTP/3 or HTTP/2 relay to proxy all TCP and UDP traffic. Advanced features like match and exclusion domains can also be applied to managed apps, specific domains, or the entire device. As relay functionality is integrated directly into the device operating system, there is no requirement for a third-party app to manage the secure connection.
Apple has added many new enhancements to Managed Apple IDs. Features like Continuity, iCloud Keychain, and Apple Wallet now all function properly when iCloud is logged in with a Managed Apple ID. Within Apple Business Manager and Apple School Manager, new Access Management controls can be applied to granularly control what iCloud services are available to Managed Apple IDs. These controls can be configured to apply to any devices, only managed devices, or only managed and supervised devices. Apple has also given MDM new controls to determine if a device that is attempting to enroll belongs to the organization associated with the Managed Apple ID.
Apple Business Manager and Apple School Manager now support integration with custom identity providers (IdPs). Any third-party or in-house IdP can be integrated as long as it supports a few core requirements. Additionally, Apple announced that Azure AD will support this new integration workflow using OpenID Connect in an update coming later this year.
iOS 17, iPadOS 17, and macOS 14 Sonoma now support a new enrollment method to enable full device management. Account-driven Device Enrollment provides a native enrollment experience through the Settings and System Settings applications, modeled after the current Account-driven User Enrollment experience. Management controls and configuration profiles are similar to the current Profile-based Device Enrollment. Account-driven Device Enrollment also supports cryptographically separated data organization, storing corporate data and personal data on different partitions. Like Account-driven User Enrollment, this new enrollment method also requires the use of Managed Apple IDs.
Important Notice: It is strongly advised to refrain from installing unsupported beta releases in production environments. We highly recommend adhering to your Workspace ONE guidelines regarding software updates.
iOS 17 and iPadOS 17 support a new feature called Return to Service, which will improve the process of resetting and reenrolling iPhones and iPads. With Return to Service, the device wipe command can now be configured with Wi-Fi details and MDM enrollment instructions to better automate device provisioning. It is now possible to erase all data from the device and have it automatically proceed to the Home Screen already enrolled with Wi-Fi turned on and connected. As a part of this process, previously selected language and region are applied.
iOS 17 and iPadOS 17 provide new management capabilities for 5G and private cellular networks. 5G Network Slicing is now supported on all iPhone 14 models, as well as iPad Pro 11-inch (4th generation) and iPad Pro 12.9-inch (6th generation). 5G Network Slicing can be applied to managed applications through managed app config. This causes all app traffic to be routed through the slice identified by a specific Data Network Name (DNN). The DNN is provided by cellular carriers. iOS 17 and iPadOS 17 also support a new Private Cellular Network profile payload. This new payload can be used to configure 5G standalone, prioritize cellular over Wi-Fi, and geofence activations. Additionally, iPhone and iPad now support the 802.1X Ethernet payload, previously only available to Macs.
iPadOS 17 supports new configuration options for Shared iPad. Apple has brought Await Configuration functionality to Shared iPad, which allows the MDM server to fully provision the device before the user is allowed to progress through the Setup Assistant to the Home Screen. Shared iPad can now also be configured to skip the Language and Locale settings for new users. Additionally, temporary sessions now honor the Quota Size configuration.
Apple announced several macOS management updates. They are detailed below.
Apple has announced the availability of new macOS devices:
These devices are all supported in Workspace ONE UEM today.
With macOS 14 Sonoma, Platform SSO now supports the ability to dynamically create local user accounts. It also adds the ability to define whether those created local accounts should have standard or administrator access permissions, or whether the level of access should depend on membership in a directory group. Additionally, smart cards are now supported as an authentication mechanism with Platform SSO. Once logged in, new System Settings exist that allow the user to view the status of Platform SSO, repair their registration, or reauthenticate.
Managed Device Attestation and hardware-bound ACME (Automated Certificate Management Environment) are two feature sets centered on ensuring that the physical device is what it claims to be and has not been tampered with since initial enrollment. Managed Device Attestation was previously supported for iOS 16 and iPadOS 16 and has now expanded to macOS 14. While the ACME protocol was supported on macOS 13, macOS 14 introduces the capability to directly tie the private key to the Secure Enclave of the physical device.
macOS 14 Sonoma introduces several new configuration keys. A brief outline of some notable capabilities is included here:
| Payload | Key | Description |
|---|---|---|
| | | Several keys focused on controlling access to various System Settings. |
| Restrictions | allowCloudFreeform | Enable/disable iCloud Freeform services. |
| SSO Extension | PlatformSSO | A dictionary that defines numerous settings to control overall Platform SSO behavior. |
| Disk Encryption | ForceEnableInSetupAssistant | Forces the device to enable FileVault at initial setup time. |
| Passcode | customRegex | A dictionary that allows an administrator to define a regular expression used to enforce password compliance. |
Apple announced Apple Vision Pro and visionOS, the operating system designed for Apple Vision Pro. They are detailed below.
Apple announced a groundbreaking “spatial computing” device that combines advanced technology with innovative software capabilities. This wearable device allows users to overlay digital content onto the real world, enhancing their perception and interaction with their surroundings. Apple demonstrated several enterprise use cases including immersive workspaces, design visualization and remote collaboration. The Apple Vision Pro product launch is planned for early 2024.
visionOS is the operating system specifically designed to power the Apple Vision Pro. It serves as the foundation that drives the device’s capabilities and seamless functionality. visionOS provides device authentication using Optic ID, input using eye tracking, gestures, and voice, and a simple user interface to access a variety of 2D, 3D and immersive applications. visionOS supports existing iOS and iPadOS applications.
Some key points for organizations considering the Apple Vision Pro:
Workspace ONE UEM supports a variety of augmented and virtual reality devices today. VMware also strives to provide day zero support for new Apple hardware that supports MDM protocols. VMware is working closely with Apple to understand how we might support the Vision Pro device at launch. We are evaluating support for our existing iOS applications as well as Workspace ONE XR Hub on this device.
With watchOS 10 and iOS 17, Apple Watches can enroll into device management. To enroll an Apple Watch, it must be paired to a supervised iPhone that already has the new Watch Enrollment declarative configuration installed. After pairing with an iPhone is completed, the Apple Watch will automatically be enrolled into device management. If the Apple Watch is already paired to a supervised iPhone prior to the iPhone receiving the Watch Enrollment declarative configuration, the Apple Watch must be removed and paired back to the iPhone again.
Device management with Apple Watch is similar to device management with iPhone. watchOS 10 supports profile and app management, as well as query commands to collect device attributes. watchOS 10 also supports Declarative Device Management, with all declaration types and the status channel now supported by the platform. Not every profile and command is supported by watchOS, but it does support functionalities like Restrictions, Wi-Fi, and Passcode profiles, app management with per-app VPN, as well as certificate management for authentication and identity.
The Workspace ONE Product team is excited about device management with Apple Watch. We are currently evaluating and prioritizing watchOS support for a future product release.
With tvOS 17, Apple TVs now support VPN configurations. This includes support for the built-in IKEv2 client and the Network Extension framework for tvOS app developers. tvOS 17 also supports the 802.1X Ethernet payload.
Known issues with the Apple beta releases are detailed below.