When developing iOS 15 and iPadOS 15, Apple also considered the needs of companies. However, the most far-reaching changes will probably only have a real impact in future iOS / iPadOS versions. An overview. […]
Even if the business context of the new operating system versions iOS 15 and iPadOS 15 was somewhat lost at the keynote at WWDC 2021 – in the subsequent sessions of the Apple developer conference, adjustments for corporate use were very much an issue and there were a number of exciting announcements. We would like to present the most important ones to you here.
Currently, Apple offers managed open-in settings for (managed) contacts and (managed) apps / domains and files. With this setting, administrators can prevent data and content of managed apps from being moved to unmanaged apps (and / or vice versa). With iOS / iPadOS 15, the copy and paste function of the clipboard can now also be configured accordingly. This means that, on the one hand, information copied from corporate apps cannot be pasted into unmanaged apps. And vice versa, it is also possible to prevent information from unmanaged apps from being inserted into company apps.
Further innovations in this context:
- A mobile device management (MDM) system can now install a single “required” app on managed devices without prompting the user to provide user authorization. This is particularly useful when an administration application is required, such as the agent application of the MDM system itself.
- In addition, the MDM can retrospectively request management of an unmanaged application that a user installed on the device. Unless the device is in supervised mode, the user is prompted to allow administration of the application. According to a new rule from Apple, the user can be shown this prompt (and decline it) at most three times, after which the prompt is suppressed for 24 hours.
- Also important: users now have the option of updating to iOS 15 or iPadOS 15, or of staying on iOS 14 and iPadOS 14 and receiving only bug fixes. Administrators, on the other hand, can force iOS devices to allow all updates (e.g. the upgrade to iOS 15) and / or to install only updates of the current major version (e.g. a bug fix for iOS 14).
- Apple is now demanding from MDM manufacturers that each payload within a configuration profile has its own unique identifier. The MDM manufacturers should have this implemented by the time iOS / iPadOS 15 is released. The new Declarative Device Management can also be activated using an MDM command.
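A practical check for the unique-identifier requirement described above, added here as an example (not Apple's or any MDM vendor's code): it parses a configuration profile with Python's standard `plistlib` and reports any `PayloadIdentifier` or `PayloadUUID` values shared by more than one payload. The sample profiles are constructed for illustration; the payload types are real Apple payload type names, but their contents are placeholders.

```python
import plistlib
from collections import Counter


def duplicate_payload_ids(profile_bytes: bytes) -> dict:
    """Return, per identifier key, the values used by more than one payload.

    An empty list for both keys means every payload in PayloadContent
    carries its own unique PayloadIdentifier and PayloadUUID.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    result = {}
    for key in ("PayloadIdentifier", "PayloadUUID"):
        counts = Counter(p.get(key) for p in payloads if p.get(key) is not None)
        result[key] = sorted(v for v, n in counts.items() if n > 1)
    return result


def missing_payload_ids(profile_bytes: bytes) -> list:
    """List (payload index, key) pairs where an identifier key is absent."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    return [(i, key) for i, p in enumerate(payloads)
            for key in ("PayloadIdentifier", "PayloadUUID") if key not in p]


def build_profile(payloads: list) -> bytes:
    """Wrap constructed payloads in a minimal top-level profile (sample data)."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadDisplayName": "Example profile (constructed)",
        "PayloadIdentifier": "com.example.profile",
        "PayloadUUID": "00000000-0000-4000-8000-000000000000",
        "PayloadContent": payloads,
    })


# Constructed: two payloads that reuse the same PayloadIdentifier.
BAD_PROFILE = build_profile([
    {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.payload",
     "PayloadUUID": "11111111-1111-4111-8111-111111111111"},
    {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.payload",
     "PayloadUUID": "22222222-2222-4222-8222-222222222222"},
])

# Constructed: the same profile after giving each payload its own identifier.
GOOD_PROFILE = build_profile([
    {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.payload.restrictions",
     "PayloadUUID": "11111111-1111-4111-8111-111111111111"},
    {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.payload.wifi",
     "PayloadUUID": "22222222-2222-4222-8222-222222222222"},
])
```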
Essentially, all of Apple’s MDM configurations are based on the same mechanism that has been in place since device management was introduced. Even though new options and functions have been continuously added to Apple’s MDM protocol over the years, the underlying structure of the protocol has remained largely unchanged. Until now, that is: the practice that Apple now calls “reactive management” is being joined by new concepts and mechanisms under the name “declarative device management”.
The background: So far, the MDM system has had to query a managed device in order to recognize changes such as installed apps, rolled-out configurations or an operating system update. This is because an MDM system always has to send a device commands and instructions so that it reacts; the device does not notify the MDM on its own. This is where the term “reactive” management comes from.
The newly introduced declarative management is optimized for the MDM server and enables devices to be managed more autonomously and to react more proactively. In other words, devices can independently react to status changes and independently apply logic based on these changes without being prompted by the MDM server. In addition, devices can now notify the MDM server when relevant changes occur. Apple offers three areas in declarative management.
1. Declarations are used to deliver a policy – they can be used to configure accounts, settings, and restrictions. There are four types of declarations:
- Configurations: These are similar to the existing configuration profiles. One of the main differences between declarations and configuration profiles is that declarations are sent to devices in the form of a JSON object rather than a plist file.
- Assets: These are reference data that are required by configurations. You can reference data from the MDM server or from a separate content delivery network (CDN) service. These data can be general or user-specific. As an example, an asset can reference data from an identity provider to provide information such as username, email address, passwords, certificates, and so on. The asset could be used by multiple configurations. The advantage is that it is no longer necessary to update multiple configurations to reflect changes in this data, but only to change the asset.
- Activations: These represent templates for configurations that are applied to devices, similar to a “blueprint”. Activations have a many-to-many relationship with configurations. This means that complex logic can be applied to determine when to install individual configurations. In this way, administrators can, for example, set a series of policies that are only applied to a series of devices if they are running a certain operating system version. These policies are reevaluated when the device state (e.g. updated operating system) changes so that different policies can be applied without interacting with the MDM.
- Management: This type of declaration is used to determine (and convey) information about the status of the overall management of a device, such as organizational information.
2. The Status Channel enables an MDM server to subscribe to certain changes in device status. In this way, the system is able, for example, to receive notifications from devices whose operating system version is being updated.
3. The third area, Extensibility, in turn enables both MDM and devices to notify each other when certain functions are supported. If, for example, the operating system of a device is updated so that a function supported by the MDM becomes available, the device reports this and adopts the change from the MDM. Similarly, if the MDM service is updated to support a new feature that is compatible with the device, the system notifies the device, and the device receives the change.
Important to know: Declarative Management is designed in such a way that it coexists seamlessly with the existing MDM protocol. This means that MDMs can gradually introduce the new functionalities without interrupting the existing functionalities.
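To make the declaration types and the re-evaluation described above concrete, here is an added example (not Apple's DDM schema or any MDM product's code) that models a small declaration set and resolves which configurations an activation applies for a given device state. The key names `Type`, `Identifier`, `ServerToken`, `Payload` and `StandardConfigurations` follow the shape Apple uses for declarations, but the `MinOSVersion` predicate and the simple type names are this example's own simplification, and all identifiers are constructed.

```python
def version_tuple(version: str) -> tuple:
    """'15.0' -> (15, 0) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Constructed declaration set: two configurations and two activations.
# The second activation only applies once the device reports iOS 15 or later.
DECLARATIONS = [
    {"Type": "configuration", "Identifier": "cfg.passcode", "ServerToken": "a1",
     "Payload": {"MinimumLength": 8}},
    {"Type": "configuration", "Identifier": "cfg.managed-pasteboard",
     "ServerToken": "b1", "Payload": {"RequireManagedPasteboard": True}},
    {"Type": "activation", "Identifier": "act.baseline", "ServerToken": "c1",
     "Payload": {"StandardConfigurations": ["cfg.passcode"]}},
    {"Type": "activation", "Identifier": "act.ios15", "ServerToken": "d1",
     "Payload": {"StandardConfigurations": ["cfg.managed-pasteboard"],
                 "MinOSVersion": "15.0"}},  # simplified predicate (assumption)
]


def activation_applies(activation: dict, device_state: dict) -> bool:
    """Evaluate the activation's predicate against the device's own status."""
    min_os = activation["Payload"].get("MinOSVersion")
    if min_os is None:
        return True
    return version_tuple(device_state["os_version"]) >= version_tuple(min_os)


def active_configurations(declarations: list, device_state: dict) -> set:
    """Resolve the many-to-many activation -> configuration mapping on-device.

    A configuration is active if at least one applicable activation
    references it; references to unknown configurations are ignored.
    """
    known = {d["Identifier"] for d in declarations if d["Type"] == "configuration"}
    active = set()
    for decl in declarations:
        if decl["Type"] == "activation" and activation_applies(decl, device_state):
            active.update(c for c in decl["Payload"]["StandardConfigurations"]
                          if c in known)
    return active


def reevaluate(declarations: list, old_state: dict, new_state: dict) -> dict:
    """Re-run resolution after a status change (e.g. an OS update) and return
    the delta the device would apply locally and report on the status channel,
    without waiting for a command from the MDM server."""
    before = active_configurations(declarations, old_state)
    after = active_configurations(declarations, new_state)
    return {"applied": sorted(after - before), "removed": sorted(before - after)}
```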
Apple Configurator is a tool that provides basic management functions (such as the ability to apply profiles, install apps, and perform actions such as resetting a device, upgrading software, and enabling supervised mode) when a device is connected via cable.
The new version focuses on management functions for macOS devices with a T2 or M1 chip. The main new functions include erasing all user data, firmware recovery and installing a newer macOS version.
In addition, the Apple Configurator supports the ability to add macOS, iOS and tvOS devices that were purchased outside of a formal business channel to the Apple Business Manager or Apple School Manager with the so-called preliminary registration. This used to be impossible for macOS devices.
In 2019, Apple presented a modern bring your own device (BYOD) approach with iOS 13 and user enrollment. The stated goal of user enrollment is to improve and secure the way in which employees (BYOD) or service providers access company resources with their own devices.
With the new iOS 15 operating system, Apple is now going one step further and expanding user enrollment to better protect company data and user privacy: if a user signs in to a company network on a personal device with a managed Apple ID, they can finally also be granted access to a shared enterprise iCloud Drive. Even while signed in with a personal Apple ID, the user has access to both the personal and the enterprise iCloud Drive at the same time. This helps protect company data by keeping it within the managed iCloud Drive area rather than on an iCloud instance tied to the user’s personal Apple ID. The data separation can be (de)activated via Apple Business Manager.
For years, photos and documents have been printed on paper using AirPrint-enabled printers, but so far only a few printing options were available to the user. With the new operating system, the user can load presets, select the paper tray, media type and print quality, and optionally print PDF annotations. The option to print in portrait or landscape format is finally available.
* Mark Zimmermann has several years of experience in the areas of mobile security, mobile solution creation, digitization and wearables and heads a team for mobile solution development at EnBW Energie Baden-Württemberg AG. He knows how to present his topics from different perspectives for company-specific challenges. To this end, he also gives talks nationally, works as a freelance author for specialist publications and runs his own podcast (beta pain) on everything to do with the iOS ecosystem.