Apple made plenty of announcements last week at their Worldwide Developers Conference, from Apple Intelligence to the upcoming iOS 18, iPadOS 18 and macOS Sequoia, and many more targeting end users and the Apple developer community. While we can’t recap every single feature and update, I wanted to highlight a handful of them that will affect any administrators using Apple devices in their environment, as well as the tools used to manage those devices.
Apple Intelligence
At the forefront of WWDC24 is Apple’s foray into generative artificial intelligence, aptly named Apple Intelligence (“AI”, anyone?). Apple Intelligence combines on-device processing for many tasks, Apple’s Private Cloud Compute for larger server-based models, as well as the ability for end users to opt in to using 3rd party models, primarily OpenAI’s ChatGPT at the outset. All of this works together to enable a plethora of new features – from Writing Tools rewriting or summarizing text, to Image Playground allowing for the artificial creation of an image from a description, to a new-and-improved Siri that’s smarter than ever.
Now, I’m not going to deep dive into the minutiae of the announcements in this post – but I do want to start addressing the question of “As an administrator with Apple devices in my environment, how will Apple Intelligence impact me?”
The first aspect to note is which devices will be able to use Apple Intelligence once it releases later this year. In addition to requiring devices running iOS 18, iPadOS 18, or macOS Sequoia, only recent device hardware will be supported:
- iPhone 15 Pro or Pro Max, or later
- iPad Pro or Air with an M1 processor or later
- Macs with an M1 processor or later
One of the primary questions around the use of AI systems relates to data access and retention by those systems. I’ll touch more on device and user privacy momentarily, but I wanted to specifically highlight Apple’s commitment to privacy in the design of their Private Cloud Compute platform. Of course, if a user opts into using a 3rd party tool such as ChatGPT, privacy considerations of those platforms must be considered as well.
The single most important question for an administrator of Apple devices is what level of control exists for managing a device’s use of 1st- or 3rd-party AI capabilities. As Apple Intelligence is not even in beta yet, Apple has not yet published any available controls. However, at NinjaOne we’ll be monitoring the beta process of both the new device OS and Apple Intelligence releases and will ensure administrators using our platform to manage their Apple devices have access to any available controls as quickly as possible.
Privacy
Perhaps unsurprisingly, user privacy was also a central focus of Apple’s announcements, even beyond the considerations related to Apple Intelligence. Beginning with macOS 13, end users were notified when any installed app contained a component that runs in the background. Users could also disable these processes via System Settings to prevent them from running in the background. Accordingly, administrators could deploy a Managed Login Items MDM payload to approve managed applications running in the background, which would streamline the user notification process as well as prevent the processes from being disabled. macOS Sequoia has expanded this behavior from login/background tasks to more types of extensions, including Spotlight importers, Dock tiles, smart card reader drivers, color panels, and media extensions.
With macOS Sequoia, Apple is introducing App group container protection. App developers will be able to keep all app data sandboxed within a defined app container. This container can be limited to an individual app, or potentially defined as a shared container for multiple apps created by the same developer. Users will be notified any time a non-approved app attempts to access data from an app container. The user will have the ability to deny the request. To be clear, with macOS Sequoia these app containers can be optionally implemented and are not a required component of the OS. In any case, this is a significant step toward advanced DLP native to macOS.
Users with iOS 18 or iPadOS 18 will have the ability to lock or hide any installed apps. Locking an app means that it will require authentication (such as through Face ID) to launch, and app contents will otherwise be fully hidden across the system. Hidden apps will have the same protection, but also won’t be visible on the device home screen. The ability to lock or hide apps can be managed for the whole device by organizations on supervised devices, or individually for managed apps for all enrollment types. Rest assured, hidden and locked apps will still be visible to MDM software inventories for managed devices, and even for user enrollments all managed apps that have been hidden by the user will still be visible.
Apple Device Management
New and improved software update management
Last year, with iOS 17, iPadOS 17, and macOS Sonoma, Apple introduced a new way to deploy and enforce specific OS updates using their Declarative Device Management (DDM) protocol. Administrators could simply specify a target version, as well as a date and time at which the update would be enforced, and the device would take care of the rest: downloading and preparing the update, periodically notifying the user that the update is available, and when the deadline passed, forcing the update to occur.
Later this year with iOS 18, iPadOS 18, and macOS Sequoia, Apple is moving another step forward by consolidating all existing software update management controls, as well as a few new ones, into a singular declarative configuration. Using this unified configuration, administrators will be able to manage the following capabilities (and more!) on each of these platforms:
- Defer the availability of new OS versions up to 90 days from release.
- Allow users to install or roll back Rapid Security Responses.
- Control the native device behavior when new updates are identified (Download, Install OS updates, Install security updates).
- Allow enrollment of the device into an OS beta program.
- (macOS only) Allow standard user accounts to manually install OS updates.
In addition, there are new granular controls that allow administrators to automatically enroll devices into specific beta programs through their AppleSeed for IT account. This can even include automatically installing a beta OS during Automated Device Enrollment (ADE).
Networking and connectivity updates
Apple platforms already support MAC address randomization – where a device would randomly generate a different MAC address for each Wi-Fi network that it joined. Accordingly, administrators could also choose whether this feature should be enabled or disabled for any managed Wi-Fi networks that they configure for devices. With their upcoming OS upgrades, Apple is taking this a step further with their “Rotate Wi-Fi Address” feature. Now, in addition to generating a unique address per Wi-Fi network, that address will also periodically rotate over time. If you have an infrastructure that depends on a persistent MAC address to operate correctly, make sure to investigate how this new capability interacts with it, and how it can be managed appropriately.
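One way to check whether your own infrastructure depends on persistent Wi-Fi addresses, shown as an added example that is not part of the original article: the script below audits DHCP lease events for private (locally administered) MAC addresses, flags clients seen with more than one address on the same SSID, and lists MAC allowlist entries that a rotation would invalidate. The lease tuple format, the sample data, and the use of the DHCP hostname to correlate a client across addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample DHCP lease events: (ISO timestamp, SSID, hostname, MAC).
SAMPLE_LEASES = [
    ("2024-09-20T08:00:00", "CorpWiFi", "ipad-lab-01", "a6:3c:91:0f:22:10"),
    ("2024-10-04T08:05:00", "CorpWiFi", "ipad-lab-01", "5e:77:02:ab:9d:41"),
    ("2024-09-20T08:10:00", "CorpWiFi", "printer-2f", "00:1b:63:84:45:e6"),
    ("2024-10-04T08:12:00", "CorpWiFi", "printer-2f", "00:1b:63:84:45:e6"),
    ("2024-09-21T09:00:00", "CorpWiFi", "iphone-kim", "f2:18:98:3a:c0:07"),
]

def is_private_mac(mac):
    """True when the locally administered bit (0x02 of the first octet) is set
    and the multicast bit (0x01) is clear, as in randomized Wi-Fi addresses."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)

def audit_leases(leases):
    """Collect the MACs seen per (SSID, hostname), oldest first, and classify."""
    seen = defaultdict(list)
    for _ts, ssid, host, mac in sorted(leases):  # ISO timestamps sort by time
        mac = mac.lower()
        if mac not in seen[(ssid, host)]:
            seen[(ssid, host)].append(mac)
    report = {}
    for key, macs in seen.items():
        private = [m for m in macs if is_private_mac(m)]
        if private and len(macs) > 1:
            status = "rotating"  # same client, several addresses on one SSID
        elif private:
            status = "private"   # randomized, only one address seen so far
        else:
            status = "stable"    # vendor-assigned, globally unique address
        report[key] = {"status": status, "macs": macs}
    return report

def at_risk_allowlist(allowlist, report):
    """Allowlisted MACs owned by clients that use private addresses, as
    (hostname, allowlisted MAC, most recent MAC) tuples."""
    hits = []
    for (_ssid, host), info in sorted(report.items()):
        if info["status"] != "stable":
            hits += [(host, m, info["macs"][-1]) for m in info["macs"] if m in allowlist]
    return hits

if __name__ == "__main__":
    for client, info in audit_leases(SAMPLE_LEASES).items():
        print(client, info["status"], info["macs"])
```

Hostnames are client-supplied and can change, so treat a "rotating" result as a prompt to review that client's managed Wi-Fi settings rather than as proof of identity.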
iOS 18 and iPadOS 18 also introduce a host of new capabilities related to cellular connectivity. Administrators will have the ability to define that the eSIM should always be preserved whenever a device is erased, as well as restrict the ability to transfer a current eSIM configuration. Per-app VPN will now support 5G network slicing, and the device can support up to 5 unique private networks, which can be configured through MDM.
Safari extension management
With the upcoming iOS, iPadOS, and macOS releases, Safari extensions can now be directly managed by administrators. Individual extensions can be permanently enabled or disabled, or else allowlisted for the end user to control as they choose. Extension website access can be configured by specifying individual domains or sub-domains. Finally, these capabilities are all fully supported with Safari Private Browsing as well.
New macOS Sequoia management capabilities
macOS Sequoia will include some additional management capabilities that are directly relevant to administrators. A new disk management configuration will allow administrators to manage whether devices are able to mount external and/or network storage devices or restrict them to read-only. Platform Single Sign-on has been expanded and can allow IdP-based authentication for FileVault, the lock screen, and the login window, as well as support for various new authentication methods.
Administrators will also be able to securely install executables and launchd configuration files in a tamper-resistant location. This will enable the secure deployment of any additional IT management tools, as well as ensure that managed background tasks cannot be easily overridden by the end user.
visionOS joins the show
While the initial launch of visionOS did support MDM in a basic capacity by allowing account-driven enrollment and limited payloads, visionOS 2.0 significantly expands that by supporting Automated Device Enrollment for organization-owned devices. Apple Vision Pro will also now support most common MDM configurations and payloads such as passcode, web content filters, many device restrictions, the device lock command, and much more. Integration with Apple Apps and Books is fully supported, allowing for the seamless deployment of apps to managed devices. Finally, any developers that are looking to take advantage of Apple Vision Pro’s spatial capabilities will have several new enterprise APIs that they can take advantage of, for use cases such as main camera access, Apple Neural Engine access, or spatial barcode and QR code scanning.
A call to action
In this article I’ve only touched the surface of Apple’s many new announcements, but I wanted to highlight those that I found most impactful and interesting. I strongly encourage any administrator who has Apple devices in their environment to view Apple’s WWDC24 sessions that seem most directly relevant to them, or even to review many of the general recap articles out there.
For those who are using NinjaOne to manage your devices, or even considering using NinjaOne in the future, let us know which upcoming features you’re most interested in, or which ones will be most critical and impactful for you! Apple has already made beta software and documentation available for many of these new capabilities, so it is never too early to start testing and learning the impact that these new releases will have in your existing environment.
Further viewing and reading
- Apple’s WWDC24 homepage