Apple’s spring enterprise mobility management updates are all out, so let’s talk about them!
Last week at the Apple event we learned about: a new base-model iPad with support for the Pencil and ARkit; lots of new educational apps; the Classroom app is coming to Mac; and iCloud accounts for education will get 200GB of free storage.
As I wrote, some of Apple’s education efforts are useful, but overall education is a complicated and crowded field; most students need laptops; and Chromebooks are very attractive.
Also, we can’t help but thinking that multi-user iPads, currently restricted to education, would be very useful in the enterprise and for families. Oh well... maybe someday they’ll change their mind.
Apple Business Manager
Apple Business Manager, which is currently in beta, is the enterprise equivalent of Apple School Manager. It’s an interface that can be used to manage the Device Enrollment Program, the Volume Purchase Program, and Apple IDs. While you can use it to do some MDM-related tasks, it doesn’t replace MDM and you still need to bring your own third-party server, i.e. your usual EMM provider, or at least macOS Server Profile Manager. This has obvious value in providing a streamlined way to work with DEP, VPP, and Apple IDs, though of course EMMs have been working on this for years, too.
Apple School Manager and Business Manager make me think that it would be useful if Apple just went ahead and created its own cloud MDM service—this would make it much easier for smaller businesses and individual schools and teachers to roll out devices. This obviously wouldn’t be anything that competes with major EMM vendors, rather it would be a simple option for organizations with limited IT resources.
macOS kernel extensions and User Approved MDM
A recent step in locking down desktop operating systems was macOS High Sierra introducing User Approved Kernel Extension Loading. Kernel extensions, a.k.a. KEXTs, are used by software such as security, video, and virtualization applications. The user approval requirement has lead to corresponding MDM controls for KEXTs in macOS 10.13.2. VMware provided an explanation in their support article, plus you can head to Apple Support for more.
macOS 10.13.2 is also introducing the concept of User Approved MDM. This isn’t as radical as it sounds—it just means that if you use an agent or script to automatically enroll a Mac in MDM, or try to enroll over a screen sharing session, the enrollment has to be approved by the user before certain payloads work. If the device is enrolled by the user or via DEP, MDM is already considered approved, so nothing changes. So far, the only payload affected by this concept is the KEXT policy payload. Here’s VMware description of the process. This all makes sense to me, as this is another way of ensuring user control over BYOD devices.
Like iOS 11.3, MDM for macOS is now gaining the ability to defer OS updates.
Here’s what’s new for MDM in iOS 11.3:
- The much-discussed, long-sought, and very welcome ability to defer OS updates. This only works for supervised (read: corporate-owned) devices. On a related note, the MDM command to update software (again, just on supervised devices) can now designate a specific version, instead of just the installing the most recent version.
- More controls over content and ratings in iOS and tvOS.
- Controls for pairing the Apple TV remote app.
- MDM commands to turn Bluetooth on or off.
- It is now possible to update enterprise app while in Single App Mode. This was actually an iOS 11.2 thing. Here’s more from VMware and com.
For more details, you can head to Apple’s Configuration Profile Reference and MDM Protocol Reference and search for 11.3. The deployment references (iOS, macOS, tvOS) don’t appear to be updated as of Friday, when I wrote this, but check in on them soon.
When installing the update on my personal iPhone, I noticed one more feature in the notes, iPad charge management. It “maintains battery health when iPad is connected to power for prolonged periods of time, such as when it is used in kiosks, point of sale systems, and stored in charging carts.”
Lastly, according to the notes for one of the 11.3 betas, contacts are now treated as managed data. This is similar to the ‘open in’ controls introduced all the way back in iOS 7. If an app or email account is managed by MDM, then associated contacts cannot be accessed by unmanaged apps and accounts. I’m haven’t seen final documentation, but it appears that it made it in.
There’s still work to do
With Apple’s Worldwide Developer Conference just a little over two months away, one thing is on my mind: The work/personal data separation features in iOS (a.k.a. OS-level MAM, platform MAM, etc.) are in desperate need of an upgrade.
I first got up on this soapbox over a year ago. Since then, Android enterprise, which has far more advanced work/personal separation features, has been gaining momentum. On top of that, with #DeleteFacebook in the news and GDPR about to take effect, privacy is an even bigger concern. But in iOS 11 last year, there was barely any change.
I can’t state it clearly enough: It’s time for a revolutionary update to iOS MDM and built-in MAM.
Today, customers and vendors are going to great lengths to make app-level MAM work. There will always be many EMM use cases that call for an app-level approach, SDKs, and app wrapping; and many users will opt to just have separate devices. Also, some of headaches are caused by the proprietary Intune MAM controls in the Microsoft Office Mobile apps.
However, many of the headaches around iOS and MAM could certainly go away if Apple would make some improvements to its MDM and app management frameworks. I’m thinking, ‘this has got to be the year, right?’ but I’m not holding my breath.