Last week's Worldwide Developers Conference keynote was loaded with news about iOS 13, watchOS 6, macOS Catalina, the newly christened iPadOS and the new Mac Pro (which returns to a tower enclosure with serious upgrade and customization options).
Tucked away at the end of the conference late in the week was a 59-minute session: “What’s new in managing Apple devices” (it's now available via streaming from Apple’s developer site). The presentation, combined with related sessions and documentation, offered major news that most enterprise IT pros will cheer:
- Apple has created a new managed-user profile for BYOD devices.
- The company has created a single sign-on extension for iOS and macOS that simplifies authentication and secure access to enterprise systems, clouds and apps.
- Apple Business Manager (and Apple School Manager for K-12 education) will become the sole solution for purchasing/managing enterprise apps.
- The company, after two years of warning, showed it's finally moving device management to Supervised devices only. (Devices that are already deployed won't see a change in management profiles until they are restored.)
- Apple has revamped documentation for its mobile device management (MDM) platform to make it easier to find information, separating it from much of the developer-specific content.
That’s a pretty hefty list, though the first two items are the most significant.
A new take on BYOD
One challenge to getting employees to sign on to BYOD programs has always been concern about the level of control IT will have over a worker's devices. There are also ongoing questions about what information IT can query about the device and its use.
To date, this has been a reasonable concern because iOS policies have been set on the device as a whole. So IT does have control over much of the hardware and its capabilities and can issue commands that affect the entire device – like clearing the current passcode. IT can also request many details about an iPhone or iPad, its use, and configuration. (This allows admins, for instance, to see all of the apps that have been installed, including personal, non-managed apps.)
With iOS 13, the company is offering a new user enrollment option in addition to the existing enrollment setup. The new process is designed to be initiated by the user, contains information about the enrollment that can be customized, and requires that the user authenticate with enterprise credentials (more on that in a bit).
When enrolling using this method, a separate APFS volume is created on the device that stores enterprise content and is cryptographically separate and secure. All managed apps and accounts store data to that volume, which can be wiped with no worries about personal data. (Just deleting the encryption keys effectively wipes the volume of protected corporate data.)
That’s not the only trick up iOS 13’s sleeve. User enrollment also means that most device commands (like clearing the passcode) are not available, and the information that can be queried is much more need-to-know. And most configuration data is not shared, including info about apps that aren't managed enterprise apps.
All of these changes build on Apple's reputation for privacy and should help ease employee concerns about personal devices and HR policies govering their use.
Three tiers of management
As a result of the companing changes, there are now three ways to enroll and manage iOS devices based on ownership and use:
- Supervised devices that need to be locked down. This predominantly involves kiosk devices, hardware that's checked out each day and devices that are shared. Supervised devices must be organization-owned and placed into supervision by either Apple Configurator 2 (a Mac app) or using Apple’s over-the-air Device Enrollment Program.
- Devices managed using device enrollment. This middle ground is more fitting for organization-owned hardware that's assigned to a single user for both personal as well as business uses.
- User enrollment. This provides the most transparency and the lightest management touch. It is specially intended for BYOD devices and the protection of both business content as well as user privacy.
Authentication, federation and managed Apple IDs
The next big announcement for enterprises involves single sign-on authentication. This makes accessing enterprise resources much easier and pairs with Touch ID and Face ID. It also pairs with managed Apple IDs for business.
An important point: Apple made very clear this is not related to the consumer-focused Sign In with Apple feature. That system is designed to make access to online public/consumer content easier, while adding privacy controls that current social media sign-in options don't have.
The two options are separate initiatives and it does not seem likely that Apple plans to merge them. In fact, the use of Sign In with Apple in business would effectively mix personal and business access in a way that presents privacy and separation issues similar to those Apple is seeking to remove with user enrollment.
The single sign-on extension in iOS 13 and macOS Catalina works with an enterprise identity management or directory system. When developers implement the requisite APIs, apps offer single sign-on. This functionality works across cloud and other network services.
Managed Apple ID (which was previously available only in education) is central to how user enrollment works. When a user begins the enrollment process, he or she enters a managed Apple ID. That ID and profile is used for access to the volume on the device holding business data as well as to a business-specific iCloud account that can be used in the Files app.
This managed Apple ID will typically look like other corporate credentials because managed Apple IDs can be created using an existing directory system (including federated cloud services like Azure Active Directory).
Altogether, these are major improvements for enterprise customers. They address the need for security and access in a mobile- and cloud-first world and effectively move the goalposts forward, while addressing existing corporate needs. They also reinforce that Apple is serious about privacy and is willing to put in the work to serve enterprise customers.