At their latest Worldwide Developer Conference (WWDC) this past summer, Apple announced several new features in their soon-to-be-released iOS 17 and watchOS 10, noting an emphasis on communication changes and on-device intelligence.
For this blog post, we will focus on the new enterprise features, allowing easier and more advanced management of end-user devices while simultaneously improving the end-user experience and privacy.
UEM vendors are currently working on integrating all the new enterprise features and management capabilities brought by the new OS updates into their own solutions, so they are ready when Apple officially releases them. In the meantime, beta versions are already officially and publicly available for any customers willing to test them in advance on some test devices.
New Device Enrollment Features
Account-Driven Device Enrollment
Apple is introducing Account-Driven Device Enrollment, a new enrollment process similar to Account-Driven User Enrollment (used for BYOD deployments), but this time for COPE deployments: end users enroll their company-owned device using the “Sign in to Work or School Account” option and their Managed Apple ID, following a similar workflow, without first having to download any UEM agent. Corporate data and personal data are also cryptographically separated on the device, stored on different partitions.
Return to Service
To improve the process of migrating iOS/iPadOS devices, for example between different MDM solutions or when reassigning a device to another employee, Apple will introduce a new feature called Return to Service, which allows MDM solutions to include complementary information, namely Wi-Fi details and enrollment instructions, in the device wipe command they send. This way, once all data is erased, the device automatically connects to the Wi-Fi network and proceeds to the Home Screen, ready to use; the previously configured language and region are kept, as is the eSIM data plan on cellular devices.
For customers using Automated Device Enrollment (ADE) with Apple Business Manager (ABM), the device will also enroll automatically with the new MDM solution and be provisioned with policies, profiles, apps, and other enterprise content.
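What the Return to Service flow described above looks like from the MDM server side, as an added example that is not the post's or any vendor's code: the server embeds a Wi-Fi configuration profile (and, for non-ADE devices, the enrollment profile) in its EraseDevice command, and a guard function rejects a wipe that would strand the device at setup. The ReturnToService key names (Enabled, WiFiProfileData, MDMProfileData) follow Apple's MDM command reference as understood here and should be verified against the current specification; the SSID and passphrase are constructed placeholders and check_return_to_service is a hypothetical server-side check.

```python
import plistlib
import uuid

def wifi_profile_data(ssid, psk):
    """Minimal Wi-Fi configuration profile as binary plist bytes (WiFiProfileData)."""
    wifi = {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.wifi.onboarding",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "SSID_STR": ssid, "AutoJoin": True,
            "EncryptionType": "WPA2", "Password": psk}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.profile.onboarding-wifi",
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadContent": [wifi]}
    return plistlib.dumps(profile, fmt=plistlib.FMT_BINARY)

def erase_device_command(wifi_profile, mdm_profile=None):
    """EraseDevice with ReturnToService (key names per Apple's MDM reference as assumed here).
    MDMProfileData is left out for ADE devices, which Apple Business Manager re-enrolls."""
    rts = {"Enabled": True, "WiFiProfileData": wifi_profile}
    if mdm_profile is not None:
        rts["MDMProfileData"] = mdm_profile
    return {"CommandUUID": str(uuid.uuid4()).upper(),
            "Command": {"RequestType": "EraseDevice", "ReturnToService": rts}}

def check_return_to_service(command):
    """Hypothetical guard before queuing: a missing or unparsable Wi-Fi profile strands the wiped device."""
    cmd = command.get("Command", {})
    rts = cmd.get("ReturnToService")
    if cmd.get("RequestType") != "EraseDevice" or not isinstance(rts, dict):
        return ["not an EraseDevice command with ReturnToService"]
    problems = []
    if rts.get("Enabled") is not True:
        problems.append("ReturnToService.Enabled must be true")
    if rts.get("WiFiProfileData") is None:
        problems.append("WiFiProfileData is required")
    for key in ("WiFiProfileData", "MDMProfileData"):
        if rts.get(key) is None:
            continue
        try:
            profile = plistlib.loads(rts[key])
        except Exception:
            problems.append(f"{key} is not a valid plist")
            continue
        if profile.get("PayloadType") != "Configuration":
            problems.append(f"{key} is not a configuration profile")
        elif key == "WiFiProfileData" and not any(
                p.get("PayloadType") == "com.apple.wifi.managed"
                for p in profile.get("PayloadContent", [])):
            problems.append("WiFiProfileData carries no Wi-Fi payload")
    return problems
```

The embedded Wi-Fi passphrase travels inside the MDM command, so it should be a dedicated onboarding network credential rather than a shared corporate one.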
Enrollment Restrictions for Automated Device Enrollment (ADE)
Using Apple Business Manager (ABM), it is now possible to ensure devices are compliant before even allowing them to enroll: for example, that they run a minimum OS version, have device encryption enabled and/or can only be enrolled using Automated Device Enrollment (ADE). This ensures devices are up to date and secure before any corporate data, in the form of apps and documents, is deployed to them.
Apple Configurator for iPhone
Introduced last year with iOS 16, Apple Configurator for iPhone allowed administrators to easily add Apple devices to their Apple Business Manager (ABM) organization. An IT admin with the Device Enrollment Management role would then need to manually assign these devices to the right MDM server in the ABM web portal.
Now, that IT admin can not only add the device to the organization but also assign it to an MDM server, directly from the Apple Configurator for iPhone app, with three options:
- Do not assign to an MDM server
- Assign to the default MDM server
- Assign to a manually selected MDM server
New Device Management Features - iOS 17 and iPadOS 17
Declarative Device Management
Apple announced three important new features for Declarative Device Management (DDM), the management protocol introduced with iOS 15 that allows devices to be more autonomous and proactive by reacting to their own state changes, applying management logic to figure out which actions need to be taken, and carrying them out directly.
Software Update Management
A new configuration will allow software update enforcement: administrators will be able to specify a date and time by which devices must install OS updates themselves, including Rapid Security Response (RSR) security fixes. A new notification system will let administrators alert employees ahead of a coming upgrade, on a recurring basis, so they have time to apply it; once the defined deadline has passed, the upgrade is enforced. This gives IT administrators extra control over the update process and end users a more informative and consistent experience, while also ensuring those critical software updates happen in a timely manner, keeping the whole enterprise fleet of devices secure and under control.
Certificates and identities can now be defined as declarations that several configurations can reuse, removing the need to deploy them multiple times to the same device for different profiles. New configurations will also allow administrators to deploy stand-alone certificates and identities into the device keychain. This will greatly simplify the management and deployment of certificates and identities on mobile devices.
A new configuration to manage applications is also planned, allowing administrators to deploy App Store, Custom and internal apps to managed devices, together with their associated app configuration and per-app VPN when needed. IT administrators will thus be able to deploy apps to end users’ mobile devices already provisioned with everything they need, ready for employees to use.
watchOS 10 brings device management to Apple Watch devices, allowing enterprise customers to deploy and manage apps, manage certificates for authentication and identity, collect device attributes and configure profiles (e.g., Restrictions, Passcode, Wi-Fi, Per-app VPN) remotely and centrally, using an MDM solution.
Apple Watch must be paired with a supervised iPhone that has the Watch Enrollment Declarative Device Management (DDM) configuration installed. iPhone and Apple Watch will then be managed together, sharing apps and restrictions.
New Network & Connectivity Features
Network Relay Support
iOS/iPadOS 17 will natively support the use of relays, an alternative to traditional VPN connections, to securely provide access to enterprise resources located behind the firewall. Supported proxy types include MASQUE relays, Oblivious HTTP, Secure HTTP CONNECT, HTTP CONNECT and SOCKSv5. These will be configured from an MDM solution using a new Managed Relay profile, including the scope of use: for example, limiting it to specific managed apps (per-app), specific domains (per-domain) or the entire device (default route).
This is compatible with, and can be used in combination with, the iCloud Private Relay consumer feature introduced with iOS/iPadOS 15 for iCloud+ subscribers, which protects privacy when browsing the Internet with Safari by masking the IP address and DNS records using Apple-operated relays and third-party content providers.
Private Cellular Networks
iOS 17 and iPadOS 17 bring support for private networks such as private LTE and standalone (SA) and non-standalone (NSA) 5G networks on iOS/iPadOS devices, allowing organizations to provision them using an MDM solution. Private-network SIMs are activated power-efficiently based on geolocation, and devices can intelligently select between private and public-network SIMs for the most efficient data connection. Cellular devices can also be set to prefer a private cellular network over any available Wi-Fi network.
Apple also added support on iPhone and iPad for 802.1X Ethernet configuration profiles, already available for macOS computers, to allow connectivity to restricted Ethernet networks requiring authentication.
Availability from MDM Vendors
Both iOS/iPadOS 17 and watchOS 10 are expected to be publicly available in or around September 2023; developer and beta versions are already available to app developers, MDM vendors and enterprise customers, so they can test the new features, deploy new apps and adapt their MDM solutions to support them.
Major MDM vendors have confirmed that they will provide Day 0 support for iOS 17 and iPadOS 17, and in most cases (at least partially) for watchOS 10, which means devices running these OS versions will be manageable using their solutions, although not all the new enterprise management features brought by Apple will be available and actionable yet.
Compatibility with Existing Apple Devices
Although iOS 17 will be available on a wide range of iPhones, it requires the A12 Bionic chip or later, which means iPhone 8, iPhone 8 Plus and iPhone X will not get the update. Organizations should take this into account and might want to remove these devices from their list of approved devices, since they will not be able to take advantage of all the benefits, in terms of both functionality and security, brought by the new OS update.
Regarding Apple Watch devices, watchOS 10 requires an iPhone XS, iPhone XR or later running iOS 17, and an Apple Watch SE, Ultra, or Series 4 or later.
It is important for enterprises to pay attention to updates to help lower security vulnerabilities and ensure their devices run smoothly. The team at ISEC7 can help with incorporating the new iOS 17 into your pre-existing enterprise deployment to ensure all business and operational use cases are addressed. ISEC7 is your premier one-stop-shop for all your mobility and security needs, further shaping and improving efficiency in your digital landscape. Please feel free to contact us with any inquiries and we would be happy to assist you.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group