| contributors |
|---|
| MarcoEidinger |
This session recommends the following in-depth sessions:
- Managed Apple IDs received updates to Continuity, Apple Wallet, and iCloud Keychain. (WWDC23 "Do more with Managed Apple IDs")
- Businesses can now go passwordless with passkeys. (see WWDC23 "Deploy passkeys at work")
- Declarative device management has been significantly enhanced and supports new ways to deploy applications, certificates, and on macOS, even manage common service configuration files. (WWDC23 "Advances in declarative device management")
- Apple Watch enrollment is now possible, supporting even more institutional use-cases. (WWDC23 "Discover watchOS management")
This session focuses on additions for
- device management on macOS
- device management on iOS and iPadOS
Additions on macOS:
- Enforce FileVault
  - Enable during Setup Assistant
  - Show recovery key
  - Escrow to MDM
- Require a minimum OS version
- Enforced Automated Device Enrollment
- Platform SSO in System Settings
  - Create local user account just-in-time
    - Enabled by the new `UseSharedDeviceKey` key
    - Requires the device to be
      - online
      - at the login window with FileVault unlocked
      - managed by an MDM supporting Bootstrap Tokens
  - Username and password or SmartCards authenticate at the login window and screen saver
  - Standard, administrator, or group-defined permissions
    - Mapping of Identity Provider groups
  - Non-local users at authorization prompts
    - Exceptions:
      - Current user
      - SecureToken or ownership
  - Password policies with regular expressions
  - Password compliance management
    - Verify compliance after a password has been set
    - Notification is shown during an active login session
    - Password change notification prompted on next login
Restrictions:
- Apple ID login and Internet Accounts
- Adding local-user accounts
- Device name
- Fingerprints for Touch ID
- Individual sharing services
- Siri
- Startup disk
- Time Machine
DeviceInformation attestation and ACME attestation:
- Supports hardware-bound keys
  - Stored in the data protection keychain
  - Usable for VPN, 802.1X, Kerberos, Exchange, MDM
- Attested device properties:
  - SIP status (Apple silicon Macs only)
  - Secure Boot status (Apple silicon Macs only)
  - Third-party kernel extensions allowed (Apple silicon Macs only)
  - LLB version
  - OS version
  - Software Update Device ID
  - Secure Enclave Enrollment ID
- Managed Device Attestation
  - Hardware-bound private keys with ACME
macOS summary:
- Platform SSO supports local-user creation
- Support regex in passcode configuration
- Configure automatic login
- Configure built-in relay network extension
- Define order of transparent proxy extensions
- Enforce FileVault
- Require a minimum OS version
- Enforced Automated Device Enrollment
New `DeviceInformation` query keys: ModelNumber, Battery Level, EACSPreflight
Restriction keys:
- allowAccountModification
- allowAssistant
- allowCloudFreeform
- allowDeviceNameModification
- allowFingerprintModification
- allowLocalUserCreation
- allowRemoteAppleEventsModification
- allowARDRemoteManagementModification
- allowStartupDiskModification
- allowTimeMachineBackup
- allowBluetoothSharingModification
- allowFileSharingModification
- allowInternetSharingModification
- allowPrinterSharingModification
Declarative device management configurations:
- App management
- Certificate
- Config file
- Passkey
- Screen sharing
- Software update
- Background tasks
Declarative status items:
- Device model
- FileVault status
- Installed apps
- Installed certificates
- Software update
App management with packages:
- Package can contain multiple applications
- Multiple applications are manageable
- MDM can remove individual applications
- Content outside /Applications is not managed
Return to Service:
- New `ReturnToService` dictionary in the `EraseDevice` command
  - Provide Wi-Fi settings
  - Include an enrollment profile
  - Previous language and region settings get applied
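As an added example (not from the session, Apple, or any MDM vendor), here is how an MDM server might assemble and sanity-check an EraseDevice command carrying the ReturnToService dictionary described above. The dictionary's key names (Enabled, WiFiProfileData, MDMProfileData) are assumed from Apple's EraseDevice command schema and are not stated on this page; the embedded profile bytes are constructed placeholders.

```python
import plistlib
import uuid
from typing import Optional

# Constructed placeholders standing in for real .mobileconfig bytes; a real MDM
# embeds the actual Wi-Fi profile and (optionally) the enrollment profile.
WIFI_PROFILE = b"<!-- constructed placeholder: Wi-Fi .mobileconfig -->"
ENROLLMENT_PROFILE = b"<!-- constructed placeholder: MDM enrollment .mobileconfig -->"


def build_erase_device(wifi_profile: bytes, enrollment_profile: Optional[bytes] = None) -> dict:
    """Assemble an EraseDevice command whose ReturnToService dictionary lets the
    wiped device rejoin Wi-Fi and, if an enrollment profile is given, re-enroll.
    Key names follow Apple's EraseDevice schema (assumed, not stated on the page)."""
    if not wifi_profile:
        raise ValueError("ReturnToService needs Wi-Fi settings so the erased device can reconnect")
    rts = {"Enabled": True, "WiFiProfileData": wifi_profile}
    if enrollment_profile:
        rts["MDMProfileData"] = enrollment_profile  # optional automatic re-enrollment
    return {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "EraseDevice", "ReturnToService": rts},
    }


def validate_return_to_service(command: dict) -> list:
    """Server-side check before queuing: returns a list of problems (empty = OK)."""
    problems = []
    cmd = command.get("Command", {})
    if cmd.get("RequestType") != "EraseDevice":
        problems.append("RequestType must be EraseDevice")
    rts = cmd.get("ReturnToService")
    if rts is None:
        return problems  # a plain erase without return to service is still valid
    if rts.get("Enabled") is not True:
        problems.append("ReturnToService.Enabled must be true")
    if not rts.get("WiFiProfileData"):
        problems.append("ReturnToService.WiFiProfileData is required")
    for key in ("WiFiProfileData", "MDMProfileData"):
        if key in rts and not isinstance(rts[key], bytes):
            problems.append(f"{key} must be raw profile bytes (serialized as plist <data>)")
    return problems


def to_plist(command: dict) -> bytes:
    """Serialize to the XML plist carried on the MDM channel; bytes become <data>."""
    return plistlib.dumps(command)
```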
Requirements:
- Teacher and student in the same Apple School Manager location
- Local proximity of the devices
- Students have authorized the teacher on personal devices
Shared iPad:
- `AwaitUserConfiguration` allows you to fully configure a device after login
- `SkipLanguageAndLocaleSetupForNewUsers`
- Configure quota for temporary users on Shared iPad
Cellular:
- iPhone and iPad support private LTE, standalone and non-standalone 5G networks
- Power-efficient activation of the private-network SIM based on geolocation
- Intelligent selection between private and public-network SIMs
- Option to prefer cellular over Wi-Fi
- Configure managed apps to use a specific 5G network slice
  - Slice name for `CellularSliceUUID` to be defined by the carrier
  - Mutually exclusive with VPN configurations
Relay network extension:
- Access enterprise resources without a VPN
  - `com.apple.relay.managed` payload type and `NERelayManager` API
  - Per-app, per-domain, or default route configurations
  - Compatible with iCloud Private Relay
iOS and iPadOS summary:
- Configure private network geolocations
- Prefer cellular over Wi-Fi
- Assign managed apps to a 5G slice
- Configure built-in relay network extension
- Remove "never" from inactivity settings with User Enrollment
- 802.1X support for Ethernet connections (incl. tvOS)
- Configure quota for temporary users on Shared iPad
- Require minimum OS version
- Declarative configurations
  - App management
  - Certificate
  - Passkey
  - Software update
- Declarative status items
  - Device model
  - Installed apps
  - Installed certificates
  - Software update
- Return to service
- Show model number
- AwaitUserConfiguration on Shared iPad
- Skip language and locale selection for new users
- TapToPayScreenLock
- APN payloads
- Top-level cellular keys in DeviceInformation
iOS and iPadOS restriction keys:
- allowAutoUnlock
- allowSharedStream
- allowInAppPurchases
- safariAllowJavaScript
- safariAllowPopups
- safariAcceptCookies
- allowFingerprintForUnlock
- allowSpotlightInternetResults
- allowGlobalBackgroundFetchWhenRoaming
- allowBookstoreErotica
- ratingApps
- ratingTVShows
- ratingMovies
- allowExplicitContent
- allowCloudPhotoLibrary
- allowCloudDocumentSync
- allowActivityContinuation
- allowCloudPrivateRelay