At WWDC, Apple homes in on device management
Apple managed to pack a lot into one keynote and one week at WWDC 2023. The Apple Vision Pro was a show stealer, followed by the new 15-in. MacBook Air, updates across Apple’s entire lineup of platforms, notable changes coming in watchOS 10 and the expansion of widgets in all directions.
Unlike last year, there wasn’t a lot of time dedicated to the enterprise. Blink while scrolling through the sessions list and you could easily miss the few that applied to business and education. But there were some important trends to note, especially with declarative device management (DDM).
As far as Apple is concerned, it's the future — and everyone needs to get on board.
DDM was teased in 2021 and fully articulated last year, but it has generally flown a bit under the radar. It is supported for several management use cases alongside traditional mobile device management (MDM) profiles and device queries.
The entire purpose of DDM is to move much of the logic for securing and managing devices onto the devices themselves. This allows an iPhone or iPad, for example, to configure itself and make changes as the state of the device changes — and only alert an MDM server when such events occur or in response to new declarations that are released.
This has multiple advantages for IT, including the ability to support multiple, complex configuration declarations that are activated in response to how a device is being used (and by whom). Beyond that streamlining, security is tightened because the device monitors its own state and applies changes immediately as needed, even when it can't reach the MDM server. Another advantage: network and server loads drop because device state no longer has to be queried repeatedly.
Apple drew a line in the sand last year, saying that DDM would eventually supersede the company's older MDM framework. This year, it extended DDM to software updates, so the device itself enforces the target version and deadline and handles installation of the update. This should result in more timely and consistent update management.
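The three DDM mechanics described above (declarations with predicates, the device re-evaluating them locally as its own state changes, and reporting only what changed back to the server) are easier to see in code. The following is an added example, not Apple's code or any MDM vendor's. The declaration structure (Type, Identifier, ServerToken, Payload; an activation with StandardConfigurations and a Predicate; status items such as device.operating-system.version) follows Apple's published DDM schema, and the software-update enforcement payload keys are taken from that schema as the author of this example understands it; verify them against the current schema before deploying. The identifiers, tokens, URL and device status values are constructed, and the predicate evaluator handles only a single "@status(item) <op> 'literal'" clause, a simplification of Apple's full NSPredicate syntax.

```python
import re

# Constructed declarations in the shape DDM uses. Identifiers, ServerTokens
# (opaque version strings) and the DetailsURL are made-up example values.
DECLARATIONS = [
    {
        "Type": "com.apple.activation.simple",
        "Identifier": "com.example.activation.ios17-update",
        "ServerToken": "v1",
        "Payload": {
            # Activates the configuration below only on devices already on 17.x
            "Predicate": "@status(device.operating-system.version) BEGINSWITH '17.'",
            "StandardConfigurations": ["com.example.config.softwareupdate"],
        },
    },
    {
        "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
        "Identifier": "com.example.config.softwareupdate",
        "ServerToken": "v1",
        "Payload": {
            "TargetOSVersion": "17.1",                       # version to enforce
            "TargetLocalDateTime": "2023-11-01T09:00:00",    # install deadline (device local time)
            "DetailsURL": "https://intranet.example.com/updates",
        },
    },
]

# Simplification (assumption): only "@status(item) ==|!=|BEGINSWITH 'literal'".
_PRED = re.compile(r"@status\(([\w.\-]+)\)\s*(==|!=|BEGINSWITH)\s*'([^']*)'")


def eval_predicate(predicate: str, status: dict) -> bool:
    """Evaluate one activation predicate against the device's local status items."""
    m = _PRED.fullmatch(predicate.strip())
    if m is None:
        raise ValueError(f"unsupported predicate: {predicate!r}")
    item, op, literal = m.groups()
    actual = str(status.get(item, ""))
    if op == "==":
        return actual == literal
    if op == "!=":
        return actual != literal
    return actual.startswith(literal)


class DeclarativeClient:
    """Device-side logic: hold the declaration set, re-evaluate it whenever local
    status changes (no server round trip), and report only status items that changed."""

    def __init__(self, declarations, initial_status):
        self.declarations = {d["Identifier"]: d for d in declarations}
        self.status = dict(initial_status)
        self.active = []
        self.last_reported = {}
        self.evaluate()

    def evaluate(self):
        """A configuration is active when some activation referencing it has no
        predicate, or a predicate that is true against the current status."""
        active = set()
        for decl in self.declarations.values():
            if not decl["Type"].startswith("com.apple.activation."):
                continue
            predicate = decl["Payload"].get("Predicate")
            if predicate is None or eval_predicate(predicate, self.status):
                for ident in decl["Payload"]["StandardConfigurations"]:
                    if ident in self.declarations:
                        active.add(ident)
        self.active = sorted(active)
        return self.active

    def active_payload(self, identifier):
        """Payload the device should enforce for an identifier, or None if inactive."""
        return self.declarations[identifier]["Payload"] if identifier in self.active else None

    def status_report(self):
        """Delta report: only items whose value differs from the last report go to the server."""
        current = dict(self.status)
        current["management.declarations"] = list(self.active)  # simplified form of that status item
        delta = {k: v for k, v in current.items() if self.last_reported.get(k) != v}
        self.last_reported = current
        return delta

    def on_status_change(self, updates):
        """Triggered by the device itself (e.g. after an OS update), not by the server."""
        self.status.update(updates)
        self.evaluate()
        return self.status_report()


if __name__ == "__main__":
    client = DeclarativeClient(DECLARATIONS, {
        "device.model.family": "iPhone",
        "device.operating-system.version": "16.6",   # constructed starting state
    })
    print("initial report:", client.status_report())
    print("after update: ", client.on_status_change({"device.operating-system.version": "17.0"}))
    print("no change:    ", client.on_status_change({"device.operating-system.version": "17.0"}))
```

Running it shows the point of the model: on 16.6 the enforcement configuration stays inactive, the move to 17.0 activates it on the device with no server involvement, and the second, unchanged status event produces an empty report, which is exactly the polling traffic DDM removes.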
In addition, DDM has gained the ability to deploy and manage certificates. On Macs, DDM will be able to manage services and the configuration of standard tools such as bash, zsh, and sudo in a more autonomous fashion. (These changes come with the requisite reporting capabilities.)
What’s more notable than the expanded DDM functions themselves is that Apple is now providing MDM vendors with the tools to seamlessly switch from traditional MDM profile-based management to declarative management.
Until now, this kind of switch meant removing the management profile(s) from a device and then replacing them. This created additional tasks and meant that there would be a brief period where features were unmanaged between profile removal and receiving and activating declarations. Moving forward, DDM will take over the functionality of existing profiles without those profiles being removed first.
The message is clear that Apple is moving to make DDM the standard. Given that iOS 17 and macOS Sonoma will be the third generation of Apple’s operating systems to feature declarative management — with each doing so with greater functionality — it’s obvious that Apple will eventually deprecate and move away from more traditional profile-based MDM.
Right now, the onus is mainly on MDM vendors to shift to DDM, and do so with as little friction for administrators and end users as possible.
As I noted last year, however, it could have implications for businesses and schools still using older devices. As devices age out of the ability to run newer operating systems, they might still rely on traditional management processes. That means IT admins should begin to consider devices that can’t run this year’s releases as likely needing replacement.
Along with the push for declarative management, Apple put a focus on both securing and simplifying the enrollment process. Automated device enrollment can ensure that a device meets certain security requirements, such as checking for FileVault protection or the version of a device’s operating system as well as whether it’s eligible for enrollment.
To speed enrollments, particularly mass deployments, Apple has not only improved Apple Configurator but also added Shortcuts support for common deployment processes, allowing for more automation and less hands-on work. And for devices being redeployed (such as when an employee leaves or at the end of a school year), the new Return to Service feature streamlines the process of erasing and re-enrolling a device.
For deployed Macs, it is no longer possible to skip enrollment, even if the Mac has no network connectivity during setup. This ensures there's no point at which a Mac is left in an insecure or unmanaged state before use.
Along with the ongoing shift to DDM, these features demonstrate Apple’s commitment to both security and simplicity. The company is looking at its products and their enrollment, activation, and use processes and is actively removing as many points of friction, delay, or frustration as possible. This isn’t surprising for a company so obsessed with seamless user experiences, but it’s nice to see that Apple is tackling that experience for both the end user and the IT professional behind the scenes.
In addition to these typical security areas, Apple is also offering some out-of-the-box features. One allows network relays to replace VPNs. (Apple had previously rolled out the use of multiple relay points, in the form of iCloud Private Relay, as a way to protect web browsing and internet use.) Now it's bringing the technique to businesses, claiming it offers a secure and less resource-hungry alternative to VPNs. The feature can be managed by MDM (as can VPN configuration). How broadly it will be adopted remains unclear, given that it represents such a different security approach, but it is a noteworthy move of a feature from the consumer side to the enterprise.
Another feature is the ability to use MDM to enable and manage eSIMs on iPhones and cellular iPads for 5G network slicing and private 5G/LTE networks. The use of these networks is gaining ground among organizations because they allow for defined service levels and latency and can provide connectivity over large or remote areas where Wi-Fi isn't an option.
Other security improvements include an expansion of managed device attestation (introduced last year to ensure that only authorized devices can access enterprise resources) so that it reports more device information, such as device type and OS; improvements to enterprise single sign-on; and expanded use of Managed Apple IDs combined with identity management federation.
One of the common themes across the various enterprise-oriented sessions and announcements at WWDC is that Apple is building features that address the needs and pain points of enterprise admins. Even the ability to manage Apple Watches (finally) as enterprise devices reflects that the company is aware of the ways its products get used in business and education and is responding to both markets.
In short, Apple is listening to enterprise users rather than dictating how its products and services must be used in the business world. This isn’t the same company that was once an outlier in the enterprise. This is a company that is now deeply engaged with the business world and is putting its immense problem-solving skills into partnering with the enterprise.