The 2018 Apple Worldwide Conference ran all last week, and the session that I was most interested in, What’s New in Managing Apple Devices, streamed live on Thursday.
I was hoping for a big update to how iOS 12 MDM handles BYOD, because I and many others in the EMM industry think it could be much better. Unfortunately, we were disappointed on that front. I wasn’t expecting anything quite as extensive as Android enterprise Work Profiles, because that’s just not Apple’s style, as you can read in this support document from 2017 (PDF). However, some sort of BYOD improvements would have been welcome. Oh well... EMM vendors are doing a lot to get around the limitations, so we’ll deal with it.
Let’s take a look at the iOS 12 MDM features that we did get, as well as the general iOS updates that will affect the enterprise.
iOS 12 MDM updates
The WWDC session started by highlighting the recent changes that came with iOS 11.3 in March. I’ve already written about these, but the highlights were the ability to defer iOS updates on supervised devices, as well as a whole bunch of education program updates.
Apple Business Manager was also revealed in March. It’s like Apple School Manager: it leverages third-party MDM servers and acts as an interface to the Volume Purchase Program and Device Enrollment Program. It went live in the US on June 6, will go live in 34 more countries on June 20, and will then reach a total of 65 countries later this summer.
Again, most of the new iOS 12 MDM updates are fairly straightforward—none of them will make us rethink our EMM strategies. A few that do stand out are:
- Enforce automatic date and time on supervised devices;
- Use OAuth for managed Exchange accounts (also applies to macOS 10.14);
- Restrictions for password autofill on supervised iOS and on macOS; and,
- Commands to install public apps and tvOS updates on Apple TV.
For years, Apple has been warning that some restrictions will be moved from regular MDM to supervised mode. (Those restrictions apply to app installation, app removal, FaceTime, iTunes, Safari, iCloud documents and data, multiplayer gaming, Game Center friends, explicit content, and now Siri as well.) Last year this change was promised for 2018, but now it’s going to happen in 2019 instead. Apple worked out the migration process with care—existing non-supervised devices using these restrictions will still support them when they get iOS updates in 2019; only after a full wipe will they stop respecting them.
On the macOS side, the MDM enrollment process in Mojave will match the iOS MDM enrollment process—that should be a win for user experience.
Other iOS 12 features
You can argue that every single iOS 12 feature (full list) will affect the enterprise in some way or another, but a few stood out to me.
First off, iOS 12 will support all the same devices that iOS 11 supported, i.e., devices from 2013 with the A7 processor (iPhone 5s, iPad Mini 2, and iPad Air). iOS was already the support standard to beat; now it’s even better. Further, Apple is promising performance improvements for all these old devices. This will be a boon to all the older iPhones and iPads that are used in retail and other kiosk settings.
On the security front, iOS 12 is getting the restricted USB mode that was initially hinted at for iOS 11.3 and 11.4. This helps protect against physical attacks from the likes of the GrayKey password cracking device that was in the news earlier this year. There will be corresponding MDM controls, too.
The iOS password autofill framework is getting support for 3rd-party password managers, and as a user, I’m pretty excited about this.
The iOS 12 beta is indicating that iPhones and iPads will apparently get automatic software updates. (Via 9to5Mac.) Since patching is so important for security hygiene and many users are bad at installing updates, I consider this a net positive. Some people are worried about potential issues with untested updates, but if this really is a concern for certain devices, then they should be supervised so that IT can delay the updates. (Plus, if nobody at a company is testing the iOS betas, then they need to get with the program.)
On the macOS side, Microsoft Office is coming to the Mac App Store, and macOS 10.14 Mojave will be the last version to support 32-bit apps.
Again, it’s unfortunate that Apple didn’t address the gaps for the BYOD experience in iOS 12 MDM, but overall, I think we can all agree that iOS management is fairly mature. Of course, it’s always going to be very different from traditional endpoint management, but hey, we’ve had a long time to get used to it, and really that’s the whole point.