Since Apple’s Worldwide Developer Conference just ended, it’s time to look at the announcements to see how they’ll affect the EMM space. I’ll concentrate on mobile device management features in iOS 11, but first I want to go over some of the general announcements. As EUC and mobile folks, we need to be prepared—come mid-September, all these new features are coming to our environments no matter what.
General WWDC news the enterprise should know
You’ve probably heard about some of these already, but if you haven’t, Steven Sinofsky wrote an excellent overview.
iOS 11 is going to have support for augmented reality apps and on-device machine learning, including APIs for computer vision and natural language processing. We can expect that some business-oriented apps will take advantage of these, too. Unless you’re building your own apps (which is a topic for other articles), there are no specific action items here, other than to appreciate just how wide the possibilities are.
iOS 11 and the new iPad Pro mean that the “Can an iPad be a laptop replacement?” argument gets new talking points, in the form of the new Files app, drag and drop capabilities, the expanded Dock, the ability to float apps over other apps, and other multitasking improvements. Personally, these changes are pushing me to finally take the plunge and see for myself. Overall, the good news is that if your company can already manage and secure iOS, then the new iPad Pro with iOS 11 will be no problem.
Other features that will no doubt show up in the enterprise include NFC support, password autofill for apps, “tap to join meetings” (I haven’t seen what this will look like yet, but I’ll take it), and DeviceCheck, a type of device fingerprinting implemented in the typical Apple way.
New mobile device management features
Now on to the mobile device management features. Apple’s MDM session ran last Thursday afternoon, and Apple has now posted the video, slides, and links to relevant documentation.
Many of the features covered actually came out with iOS 10.3, in March. Here are the most significant ones:
- Apple TV now has full MDM and Device Enrollment Program support. This means you can do no-touch setup just by connecting power and ethernet; you can push and configure enterprise apps; and you can lock it down into single app mode or conference room mode, and restrict AirPlay and remote app pairing.
- If you manually install a configuration profile with a certificate, iOS 10.3 and later won’t trust it for SSL unless the user goes in and manually approves it. There’s an exception for MDM enrollment profiles, but the idea is that this will help cut down on malicious profiles installed through social engineering.
- MDM can restrict supervised-mode devices to only whitelisted WiFi networks, i.e. networks set up via configuration profiles. This got a spontaneous round of applause in the live video.
- The Classroom App, which allows teachers to use an iPad to control student iPads, can now be used in an ad hoc BYOD mode. Formerly, it required the teacher and student devices to all be enrolled in Apple School Manager, which itself rides on top of 3rd-party MDM servers. (Here’s an excellent overview.)
- Apple School Manager (ASM) has a new UI and more features for user and device management, but the most important updates are around the Volume Purchase Program. VPP will be integrated into ASM, and license management will be much more logical.
- Any device (not just devices from authorized resellers) can be added to the Device Enrollment Program (DEP). Since DEP can permanently link a device to an organization, there’s a 30-day provisional period.
- MDM can now push iOS updates to supervised devices, even if they’re locked. (MDM could already push updates to unlocked DEP supervised devices.) The often-requested ability to delay iOS updates still isn’t happening, though.
- Back in 2015, Apple announced that some restrictions available to regular MDM-enrolled devices would get deprecated to just supervised devices. This is finally happening in 2018, and these restrictions include app installation, app removal, FaceTime, Safari, iTunes, explicit content, iCloud documents and data, multiplayer gaming, and adding GameCenter friends.
- MDM commands can be marked so that they only execute when the device has a wired connection (via USB or Ethernet). This keeps OS updates and app and book installations from clogging WiFi networks, and it can also be done in conjunction with the Content Caching service. Content Caching used to require macOS Server, but now it will be built into macOS 10.13 High Sierra.
- There are new controls to configure the home screen layout, apps, and content ratings in Apple TV.
- To go along with the WiFi restrictions in iOS 10.3, there are new VPN restrictions in iOS 11.
During the session, Apple issued a few challenges for the community: They encouraged MDM vendors to stay ahead on support (there’s a lot to keep up on with VPP, DEP, and now ASM) and to make sure that MDM is easy to administer (as the number of settings grows, there are more opportunities for devices to be misconfigured). They encouraged developers to think of new use cases for all the Apple TV management tools, and mentioned a case study where a UCSD hospital used MDM controls to link together iPads and Apple TVs in patient rooms.
Apple MDM continues to gain new features, and iOS 10.3 and 11 are no exceptions—clearly Apple has been busy.
However, we still have wish lists for more features. As Apple has expanded support for institutional devices, I think their support for BYOD use cases has stagnated. I wrote in detail about this earlier this year, so I won't go over them again now. Through conversations in the industry, I know this sentiment is common, so I’m somewhat disappointed there weren’t any big changes for BYOD.
If recent patterns continue, though, we might see another round of features in a minor release, like we saw in iOS 9.3 and 10.3.