At their latest Worldwide Developer Conference (WWDC) this past summer, Apple announced several new features in their soon-to-be-released iOS 15, noting an emphasis on communication changes and on-device intelligence. For this article we will focus on the new enterprise features, allowing easier and more advanced management of end-user devices while simultaneously improving the end-user experience and privacy.
What’s New in Managing Apple Devices
VPN & Device Management
To give end-users a comprehensive view of how their device is managed by the enterprise, VPN and Device Management information have been combined into a single new view that displays VPN profiles, managed accounts, and configuration profiles, similar to the single pane of glass achieved with ISEC7 SPHERE.
Enforcing specific apps on supervised, corporate-owned devices is seamless; doing so on unsupervised, personally owned devices, which are usually used for BYOD programs, has so far not been possible.
With Required App, the enterprise can now specify one app that will be installed without prompting the user for permission, although user consent is still required initially during the enrollment process; a managed app attribute can also be set to ensure the user cannot remove it.
Use cases include deploying the UEM agent that the company's UEM software uses to configure and manage devices, or a mission-critical app that all employees need for business purposes.
Securing data exchange between apps on the device is a crucial part of Data Leak Prevention (DLP), and Managed Open-In already allows control over whether data can be exchanged between managed (work) apps and unmanaged (personal) apps.
With Managed Pasteboard, that control now extends to the copy/paste function. The paste button will always be available; however, if a restriction does not allow content to be pasted into a specific location, the user will get a “Paste Not Allowed” notification that includes the name of the company enforcing the restriction. System apps including Calendar, Notes, Mail, and Files natively apply the new restriction; all other apps, including third-party ones, will also enforce it without requiring any change.
The existing Apple MDM protocol, used to manage every kind of Apple device, from iPhone and iPad to macOS computers and Apple TV, is considered a reactive protocol: each management action is triggered by the back-end management server (e.g., UEM software) and involves multiple back-and-forth exchanges between both parties before it completes successfully.
The new declarative management protocol allows devices to be more autonomous and proactive. They react to their own state changes by applying management logic locally to determine which actions need to be taken, and then carry them out directly. For example, a device can prompt the user to remove an unapproved app that caused it to become non-compliant, proactively and without asking the management server what to do. Once back in a compliant state, the device reports that to the management server over a new status communication channel, as it does whenever an important status change occurs (e.g., an OS upgrade is installed).
It is important to note that both protocols will coexist, allowing MDM software vendors to adopt the new functionality gradually without interrupting the existing one.
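The difference between the two models, as an added toy simulation that is not Apple's or ISEC7's code: the server-driven flow needs a command/response round trip for every step, while in the declarative flow the server states the desired end state once and the device evaluates its own compliance and only reports status transitions. The declaration shape, bundle identifiers, message names and the user-prompt behaviour are all constructed for this illustration.

```python
from dataclasses import dataclass, field

# Constructed declaration: the server states the desired end state once
# (key names are illustrative, not Apple's declaration schema).
APPROVED_APPS = {"Identifier": "example.approved-apps",
                 "Payload": {"ApprovedBundleIDs": ["com.example.uem-agent"]}}


@dataclass
class Device:
    installed: set
    declarations: list = field(default_factory=list)
    status_channel: list = field(default_factory=list)  # device -> server reports
    user_prompts: list = field(default_factory=list)

    def unapproved(self) -> set:
        """Local compliance evaluation against the declarations the device holds."""
        if not self.declarations:
            return set()
        approved = {b for d in self.declarations
                    for b in d["Payload"]["ApprovedBundleIDs"]}
        return self.installed - approved

    def install(self, bundle_id: str, user_removes: bool = True) -> None:
        """An app install is a local state change the device reacts to itself."""
        self.installed.add(bundle_id)
        if not self.declarations:
            return                      # nothing declared, nothing to evaluate
        self.status_channel.append(("compliance", False))
        for app in sorted(self.unapproved()):
            self.user_prompts.append(f"Remove unapproved app {app}")
            if user_removes:            # simulate the user following the prompt
                self.installed.discard(app)
        if not self.unapproved():       # report the transition back to compliant
            self.status_channel.append(("compliance", True))


def reactive_flow(dev: Device, approved: set) -> int:
    """Server-driven loop: query, evaluate on the server, command, acknowledge,
    re-query. Returns the number of server<->device messages exchanged."""
    messages = 0
    while True:
        messages += 2                   # app-inventory query + device reply
        bad = dev.installed - approved
        if not bad:
            return messages
        for app in bad:
            messages += 2               # remove-app command + device ack
            dev.installed.discard(app)


def declarative_flow(dev: Device) -> int:
    """Server sends one declaration; the device handles the rest and only reports
    status changes. Returns the declaration push plus status reports sent."""
    dev.declarations.append(APPROVED_APPS)
    dev.install("com.example.unapproved-game")
    return 1 + len(dev.status_channel)
```

For the same single unapproved app, `reactive_flow` costs six messages and `declarative_flow` three, and the declarative device also records when the user ignores the prompt and stays non-compliant.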
Account-driven User Enrollment
The User Enrollment process, used for BYOD deployments where end-users use their own personal device, has been simplified with a new onboarding flow. No UEM agent needs to be downloaded anymore; instead, the user simply authenticates with the Managed Apple ID provided by the company, using the “Sign in to Work or School Account” option located under the new VPN & Device Management section.
Shared iPad for Business
Shared iPad functionality, which allows iPad devices to be shared among several users in an enterprise scenario using their Managed Apple IDs, has been extended to let users also log in with their own private Apple ID as a temporary user. After they log off, all data associated with that user account is removed from the device (e.g., Safari browsing history, user settings files, etc.).
On top of that, new restriction policies have been added that limit access to temporary users only and set a maximum time that a temporary user, or any user, can stay logged in.
The team at ISEC7 can help with incorporating the new iOS 15 into your pre-existing enterprise deployment to ensure all business and operational use cases are addressed. ISEC7 is your premier mobility and security team that can augment your existing team. Please feel free to contact us with any inquiries and we would be happy to assist you.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group