
WWDC26 device management updates
Note: The features discussed on this page are pre-release versions and may be incomplete, changed, or removed before final release.
The content below is listed in order of operating system versions, then the number of operating systems affected:
Network configurations
New network configurations available in declarative device management allow applying consistent network policies on devices across every major platform. Thanks to the benefits of declarative device management, IT teams can provide a credential as a declarative asset for authentication purposes instead of bundling it in the same profile. This makes renewals of those credentials automated and seamless for IT teams and users and also allows the same credential to be used across different network configurations.
| Configuration | Supported 27.0 platforms | Description |
|---|---|---|
| | iOS, iPadOS, macOS, tvOS, visionOS | Configures VPN using a VPN plugin |
| | iOS, iPadOS, macOS, tvOS, visionOS | Configures IKEv2 VPN |
| | iOS, iPadOS, macOS, visionOS | Configures IPsec VPN |
| | iOS, iPadOS, visionOS | Configures Always On VPN |
| | iOS, iPadOS, macOS, visionOS | Configures a DNS proxy network extension |
| | iOS, iPadOS, macOS, visionOS | Configures encrypted DNS settings |
| | iOS, iPadOS, macOS, visionOS | Configures network relay settings |
Configuration profiles as declarative assets
Currently, if a legacy profile is provided, the URL needs to point to the device management service and access is authenticated with the device identity certificate.
To provide a smooth transition, declarative device management supports deploying legacy profiles as configurations.
On devices with iOS 27, iPadOS 27, macOS 27, tvOS 27, visionOS 27, and watchOS 27, legacy profiles can be delivered as declarative assets. This allows for additional flexibility as to where those profiles are hosted and how devices authenticate to retrieve them. Also, declarative device management has built-in integrity verification to help ensure the downloaded asset isn’t modified.
When the configuration gets applied, the device downloads the profile from the URL. IT teams can configure this using the new ProfileAssetReference key available in the following configurations:
| Configuration | Supported 27.0 operating systems |
|---|---|
| | iOS, iPadOS, macOS, tvOS, visionOS, watchOS |
| | iOS, iPadOS, macOS, tvOS, visionOS |
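As an added example (not Apple's code and not part of this article), the following Python builds the two declarations this workflow needs: a data asset whose Reference pins the externally hosted profile to its SHA-256 digest, and a legacy-profile configuration that points at that asset through the ProfileAssetReference key named above. The asset type com.apple.asset.data with its Reference keys (DataURL, ContentType, Size, Hash/SHA-256) and the com.apple.configuration.legacy type are taken from the declarative device management schema as the editor recalls it and should be checked against the current schema; the URL, identifiers and profile bytes are constructed placeholders, and the assumption that the device's integrity verification compares size and SHA-256 is the editor's.

```python
import hashlib
import json

# Constructed stand-in for a .mobileconfig that is hosted outside the MDM service.
SAMPLE_PROFILE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict><key>PayloadType</key>'
    b'<string>Configuration</string></dict></plist>\n'
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_profile_asset(profile_bytes: bytes, data_url: str, identifier: str) -> dict:
    """Asset declaration whose Reference pins the hosted profile to its digest.

    ServerToken is derived from the digest (a design choice, not a schema rule):
    re-hosting a changed profile yields a new token, so devices re-fetch it
    instead of keeping a stale copy."""
    digest = sha256_hex(profile_bytes)
    return {
        "Type": "com.apple.asset.data",  # assumed asset type (see lead-in)
        "Identifier": identifier,
        "ServerToken": digest[:16],
        "Payload": {
            "Reference": {
                "DataURL": data_url,
                "ContentType": "application/x-apple-aspen-config",
                "Size": len(profile_bytes),
                "Hash": {"SHA-256": digest},
            }
        },
    }


def build_legacy_configuration(asset_identifier: str, identifier: str, server_token: str) -> dict:
    """Legacy-profile configuration that references the asset instead of a URL."""
    return {
        "Type": "com.apple.configuration.legacy",  # assumed configuration type (see lead-in)
        "Identifier": identifier,
        "ServerToken": server_token,
        "Payload": {"ProfileAssetReference": asset_identifier},
    }


def verify_download(asset: dict, downloaded: bytes) -> bool:
    """Integrity check as assumed here: size and SHA-256 must match the declaration."""
    ref = asset["Payload"]["Reference"]
    return len(downloaded) == ref["Size"] and sha256_hex(downloaded) == ref["Hash"]["SHA-256"]


if __name__ == "__main__":
    asset = build_profile_asset(
        SAMPLE_PROFILE, "https://assets.example.test/wifi.mobileconfig", "com.example.asset.wifi-profile"
    )
    config = build_legacy_configuration(asset["Identifier"], "com.example.config.wifi-profile", "1")
    print(json.dumps([asset, config], indent=2))
    print("download intact:", verify_download(asset, SAMPLE_PROFILE))
    tampered = SAMPLE_PROFILE.replace(b"Configuration", b"Configuratio1")  # same length, one byte changed
    print("tampered download rejected:", not verify_download(asset, tampered))
```

Because the asset carries the digest, the host serving the profile needs no trust relationship with the device: a file altered on that host, or swapped in transit, no longer matches the declaration and is not installed. Whenever the hosted file changes, publish a new asset declaration (new ServerToken) rather than overwriting the file in place.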
Increased network security requirements
On devices with iOS 27, iPadOS 27, macOS 27, tvOS 27, visionOS 27, and watchOS 27, select system processes enforce stricter network security (TLS) requirements. These new requirements might cause connections to fail if the device management service doesn’t meet them. The affected processes are those involved in activities related to device management, Automated Device Enrollment, configuration profile installation, app installation, and software updates. Device management services need to support TLS 1.2 at a minimum using cipher suites and certificates that meet new App Transport Security (ATS) requirements.
For additional details on affected processes, requirements, and how to audit and diagnose failures in managed environments, see the Apple Support article Prepare your network environment for stricter security requirements.
For additional details on ATS and the new requirements, see Preventing Insecure Network Connections on the Apple Developer website.
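The following Python is an added audit helper, not a tool from Apple or from this article. It opens one TLS connection to a device management endpoint with the same TLS 1.2 floor the device applies and then grades the negotiated protocol and cipher suite against the ATS rules as the editor reads Apple's ATS documentation (TLS 1.2 or later, ECDHE key exchange for forward secrecy, AES-128 or AES-256). Reconcile the cipher rules with Apple's current published list before relying on them; the hostname in the usage section is a constructed placeholder. Certificate requirements (SHA-256 signature, RSA 2048-bit or ECC 256-bit keys) need an X.509 parser and are not checked here.

```python
import socket
import ssl
import sys

ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
DEPRECATED_PRIMITIVES = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXPORT")


def evaluate_handshake(tls_version: str, cipher: str) -> list[str]:
    """Return the ATS problems found in a negotiated (protocol, cipher) pair.

    An empty list means the parameters are acceptable. Cipher names are in
    OpenSSL notation, which is what ssl.SSLSocket.cipher() returns."""
    problems: list[str] = []
    if tls_version not in ACCEPTED_VERSIONS:
        problems.append(f"protocol {tls_version} is below the TLS 1.2 minimum")
    if tls_version == "TLSv1.3":
        # Every TLS 1.3 suite is AEAD with ephemeral key exchange; nothing more to check.
        return problems
    name = cipher.upper()
    if not name.startswith("ECDHE-"):
        problems.append(f"cipher {cipher} lacks ECDHE forward secrecy")
    if "AES128" not in name and "AES256" not in name:
        problems.append(f"cipher {cipher} does not use AES-128 or AES-256")
    if any(weak in name for weak in DEPRECATED_PRIMITIVES):
        problems.append(f"cipher {cipher} uses a deprecated primitive")
    return problems


def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple[str, str]:
    """Open one TLS connection and return the negotiated (protocol, cipher)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older, as the device does
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return version, name


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mdm.example.test"  # placeholder host
    try:
        version, cipher = probe(target)
    except (ssl.SSLError, OSError) as exc:
        # A server that only offers TLS 1.0/1.1 or an untrusted chain fails here,
        # which is the same outcome the managed device will see.
        print(f"{target}: handshake failed under the TLS 1.2 floor: {exc}")
        sys.exit(1)
    issues = evaluate_handshake(version, cipher)
    print(f"{target}: {version} {cipher} -> {'OK' if not issues else '; '.join(issues)}")
```

Run it against each host the affected processes contact (the device management service, any profile or app hosting server, and the software update proxy if one is in the path), since the page's list of affected activities spans all of them; a single non-compliant host in that set is enough to break enrollment or updates.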
Status reporting enhancements
Enrollment and device health
Monitoring the enrollment status of devices is a key component of device management. Currently, a device management service has to use mobile device management (MDM) queries, which introduce latency and server load without providing real-time accuracy.
On devices with iOS 27, iPadOS 27, macOS 27, tvOS 27, visionOS 27, and watchOS 27, new status items are available that provide proactive information about a device:
mdm.enrollment-type: This reports the enrollment type of the device, which can be:
Supervised: For a supervised enrollment
Device: For Device Enrollment
User: For User Enrollment
mdm.is-awaiting-configuration: This is returned when the device is waiting in Setup Assistant for the device management service.
mdm.is-return-to-service: This indicates whether a device is configured for Return to Service with app preservation.
mdm.is-shared-ipad: This indicates whether an iPad is configured as Shared iPad.
mdm.push-magic and mdm.push-token: These provide details related to the Apple Push Notification service (APNs) properties required for device management.
device.system.health (iPhone and iPad only): This provides insights into the status and genuineness of hardware components like baseband, camera, Face ID, Touch ID, NFC, and Ultra-Wideband.
Lockdown Mode
Lockdown Mode is an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. If such individuals are part of an organization, the IT team may want to ensure Lockdown Mode is turned on for their devices and monitor the status.
On supervised devices with iOS 27, iPadOS 27, macOS 27, and watchOS 27, device management services can subscribe to a new security.lockdown-mode status item that reports the Lockdown Mode status of a device proactively.
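As an added example serving both the enrollment status items above and the security.lockdown-mode item, here is Python that a device management service could run over incoming declarative status reports to flag devices that need attention. It is the editor's code, not Apple's. The JSON shape (status item keys nested by their dotted path under "StatusItems") and all sample values are constructed; the exact enrollment-type strings and the value type of security.lockdown-mode should be taken from real device reports before this logic is used.

```python
import json
from typing import Any

# Constructed sample reports from three devices (not real device output).
SAMPLE_REPORTS = [
    json.dumps({"StatusItems": {"mdm": {"enrollment-type": "supervised"},
                                "security": {"lockdown-mode": True}}}),
    json.dumps({"StatusItems": {"mdm": {"enrollment-type": "supervised"},
                                "security": {"lockdown-mode": False}}}),
    json.dumps({"StatusItems": {"mdm": {"enrollment-type": "user",
                                        "is-awaiting-configuration": True}}}),
]


def get_status_item(report: dict, dotted: str) -> Any:
    """Walk a dotted status item key such as 'security.lockdown-mode' through StatusItems.

    Returns None when the item is absent, which is the normal case for an item the
    service has not subscribed to or the OS does not support."""
    node = report.get("StatusItems", {})
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def triage(raw_report: str, expect_supervised: bool, require_lockdown: bool) -> list[str]:
    """Return findings for one device; an empty list means nothing to act on."""
    report = json.loads(raw_report)
    findings: list[str] = []
    enrollment = get_status_item(report, "mdm.enrollment-type")
    if expect_supervised and enrollment != "supervised":
        findings.append(f"expected supervised enrollment, device reports {enrollment!r}")
    if get_status_item(report, "mdm.is-awaiting-configuration") is True:
        findings.append("device is waiting in Setup Assistant for the management service")
    lockdown = get_status_item(report, "security.lockdown-mode")
    if require_lockdown:
        if lockdown is None:
            findings.append("no security.lockdown-mode status yet (unsupported OS or no subscription)")
        elif lockdown is not True:
            findings.append("Lockdown Mode is not enabled on a device in the high-risk group")
    return findings


if __name__ == "__main__":
    for number, raw in enumerate(SAMPLE_REPORTS, start=1):
        print(f"device {number}: {triage(raw, expect_supervised=True, require_lockdown=True) or ['ok']}")
```

The distinction between "item absent" and "item false" matters: a device that never reports security.lockdown-mode has not told you anything, so treating silence as "enabled" would hide exactly the devices the high-risk group is meant to cover. The service also has to subscribe to these items through its status subscriptions declaration before the device will send them.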
Web content filter plugin configuration
Content filtering is a common need in education and business environments. It allows IT teams to provide a managed browsing experience and block unwanted web pages. iOS, iPadOS, macOS, and visionOS offer frameworks that allow web content filtering solutions to integrate with the operating system and filter web traffic.
On devices with iOS 27, iPadOS 27, macOS 27, and visionOS 27, the necessary settings can be deployed using the com.apple.configuration.webcontent-filter.plugin configuration, which allows organizations to benefit from declarative device management capabilities in this management domain.
AppleCare log collection
Collecting log information from devices to support an AppleCare case is a common and important step to diagnose a certain behavior. Currently, it usually requires physical access to the device and user cooperation and is often a time-consuming and cumbersome process—specifically when users travel or are located in a different building.
On devices with iOS 27, iPadOS 27, macOS 27, and tvOS 27, IT teams can start—and cancel—log collection remotely on supervised devices using two new MDM commands:
TriggerEnhancedLogCollection: This initiates a remote log collection session and requires specification of a token provided by AppleCare. After the logs are created, they’re automatically uploaded to Apple and attached to the AppleCare ticket.
CancelEnhancedLogCollection: This terminates an active session.
Note: An AppleCare Enterprise agreement is required to test this feature in beta releases. For more information, see AppleCare Professional Support.
Depending on the device and its status, the IT team can request an interactive or non-interactive token as part of an AppleCare ticket to authorize the log collection session on the device. Additional session details are as follows:
An interactive log collection session prompts the user for consent. The user can consent to the collection and upload immediately, choose to review the information before uploading, or cancel the log collection.
When using non-interactive log collection, the device displays a notification, and collects and uploads logs in the background.
Mac computers always use interactive log collection. iPhone and iPad devices require an interactive log collection if an account (for example App Store, iCloud, Mail, and so on) is configured or a passcode is set on the device. Apple TV and Shared iPad always use non-interactive log collection.
Additionally, information about the log collection is available in new declarative status items:
enhanced-logging.status: This shows whether a log collection has been started, finished, or canceled, whether the device is waiting for user consent, and if an upload is in progress.
enhanced-logging.timestamp: This reports the timestamp of the last status change.
enhanced-logging.applecare-token: This reports on the provided AppleCare token.
Backup restoration
On devices with iOS 27, iPadOS 27, and visionOS 27, device management information is no longer restored from backup. This includes the enrollment profile, management configuration, and supervision status. Devices that appear in Apple School Manager or Apple Business Manager automatically enroll through Automated Device Enrollment after the device restores, ensuring they receive the current management state rather than a stale configuration from the backup.
If a managed app isn’t marked for removal upon unenrollment, its data is restored. Device management services can take over management of this data by installing the corresponding managed app after the restore.
Note: Due to this change, the do_not_use_profile_from_backup key in the Automated Device Enrollment profile doesn’t have an effect on devices with iOS 27, iPadOS 27, and visionOS 27.
Return to Service enhancements
The following are enhancements to the Return to Service feature.
Automatic enrollment retry
Currently, when a device receives the command to Return to Service, it resets, and tries to enroll in a specific device management service. In certain cases, for example, during transient network issues or when encountering device management service errors, enrollment can fail, leaving the device erased but unenrolled.
On iPhone and iPad devices with iOS 27 and iPadOS 27, a new ShouldRetryEnrollment key in the ReturnToService dictionary of the EraseDevice command is designed to help improve those situations. When this key is set to TRUE, the device automatically retries enrollment with an increasing time delay (up to five minutes) if the initial attempt fails.
Set language and region
On iPhone and iPad devices with iOS 27 and iPadOS 27, IT teams can set the device language and region in the Automated Device Enrollment profile. This provides additional flexibility during the Return to Service process as IT teams can set the desired locale on the device during a reset. Otherwise the previously selected choice gets applied. Language and region can be set with two new keys in the device management enrollment profile:
language: Defines the language to be set using the ISO 639-1 two-letter code.
region: Defines the region to be set using the ISO 3166-1 two-letter code.
Initiate Return to Service
On iPhone and iPad devices with iOS 27 and iPadOS 27 configured for Return to Service with app preservation, there are new options to initiate the Return to Service process.
Users can either initiate Return to Service from the Control Center or IT teams can use the SharedDeviceConfiguration.TemporarySessionTimeout key in the Settings command to configure Return to Service to automatically launch after a set period of inactivity (in seconds).
When Return to Service is initiated from the Control Center, the device performs a ReturnToService check-in with the device management service to retrieve the necessary enrollment information. The information can also include the new ShouldRetryEnrollment key.
Software update enforcement
On devices with iOS 27, iPadOS 27, and visionOS 27, IT teams can enforce software updates on a supervised device when it receives a Return to Service erase command. The device management service needs to return a 403 response during enrollment which includes information about the operating system version required on the device. The device then automatically performs the software update and continues with Return to Service.
Wi-Fi Assist term change
On devices with iOS 27 and iPadOS 27, the term “Wi-Fi Assist” will change to “Connectivity Assist.” The device management WiFiAssistPolicy key in NetworkUsageRules.SIMRulesItem will NOT change.
Content caching configuration
Content caching is a service in macOS that speeds up downloading of software distributed by Apple and data that users store in iCloud by saving content that local Apple devices have already downloaded. The saved content is stored in a content cache on a Mac, and is available for other devices to retrieve without going out over the internet.
On a supervised Mac with macOS 27, IT teams can configure content caching using declarative device management. The new com.apple.configuration.content-cache.settings configuration features all keys previously available in the legacy profile.
Additionally, new declarative status items are available that are sent to a subscribing device management service:
content-cache.info: General information about the content cache, such as available and used storage space, status, and cache pressure.
content-cache.status: More detailed information about the registration status, IP addresses, report status, and encountered errors.
content-cache.parents: The list and status of parent content caches.
content-cache.peers: The list and status of peer content caches.
Note: The content-cache.info status item is sent when the status changes and according to a defined DeclarativeStatusInterval interval if the interval is configured with a value greater than 0—including when the cache is inactive or not configured.
The Mac can also send information on a regular basis to an arbitrary HTTPS endpoint specified in the ManagementStatusTarget key, using the time interval defined by the ManagementReportingInterval key. This allows for custom monitoring solutions and dashboards, providing greater insights into how the content caching service is used.
To secure the connection to the receiving HTTP endpoint, the ManagementSecurityConfig offers three options:
no-cert: No validation of the TLS certificate of the server (this also allows for plain HTTP requests, for example, for testing purposes).
signedByCACert: The server certificate is validated against a CA trusted by the device.
specificServerCert: The server certificate needs to match the certificate provided in the ManagementStatusCertificateReference asset.
The content cache sends the current cache status as JSON formatted text using an HTTPS POST request and includes a serverGUID, which can be used to attribute multiple requests to the same server.
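As an added example of the custom monitoring endpoint the ManagementStatusTarget key makes possible (editor's code, not Apple's and not from this article), the following Python accepts the content cache's JSON POSTs and keeps the latest report per serverGUID, so a dashboard can show one row per Mac even when several report through the same address. It assumes only what the page states: a JSON body delivered by HTTPS POST that carries a serverGUID. Every other field in the sample bodies is a constructed placeholder, and TLS termination is left to the reverse proxy in front of the handler.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

# Latest report keyed by serverGUID; one entry per reporting content cache.
LATEST: dict[str, dict] = {}


def ingest_report(body: bytes, store: dict[str, dict]) -> Optional[str]:
    """Validate one POST body and record it under its serverGUID.

    Returns the serverGUID on success, or None when the body is not a JSON
    object carrying a non-empty string serverGUID. Rejected bodies are dropped
    rather than stored, so malformed input never pollutes the dashboard."""
    try:
        report = json.loads(body)
    except ValueError:
        return None
    guid = report.get("serverGUID") if isinstance(report, dict) else None
    if not isinstance(guid, str) or not guid:
        return None
    store[guid] = report
    return guid


class ReportHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        guid = ingest_report(body, LATEST)
        self.send_response(204 if guid else 400)
        self.end_headers()

    def log_message(self, fmt, *args) -> None:
        # Keep report bodies and client details out of stderr; log elsewhere if needed.
        pass


# Constructed sample bodies: two reports from one cache, one from another.
SAMPLE_BODIES = [
    b'{"serverGUID": "0AC1-cache-lab", "sampleState": "active"}',
    b'{"serverGUID": "0AC1-cache-lab", "sampleState": "inactive"}',
    b'{"serverGUID": "7F3E-cache-hq", "sampleState": "active"}',
]


if __name__ == "__main__":
    # Bind to loopback; the TLS-terminating proxy forwards to this port.
    HTTPServer(("127.0.0.1", 8080), ReportHandler).serve_forever()
```

When the configuration uses specificServerCert, the certificate referenced from ManagementStatusCertificateReference must be the one the proxy in front of this handler actually presents; with signedByCACert, any certificate chaining to a CA the Mac trusts is accepted, and no-cert should stay confined to test setups.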
Important: With the introduction of the new com.apple.configuration.content-cache.settings configuration, the com.apple.AssetCache.managed profile is deprecated in macOS 27.
For more information about the format, see the declaration to configure the content caching service on the Apple Developer website.
New visionOS restrictions
On devices with visionOS 27, IT teams get additional control over supervised Apple Vision Pro devices with new restrictions:
allowBluetoothModification: Prevents users from modifying Bluetooth settings.
allowChat: Restricts the use of iMessage.
IT teams can also use allowListedAppBundleIDs and blockedAppBundleIDs, but should start transitioning to declarative management for launching apps. Both restrictions are deprecated in visionOS 27.
Intelligence, Siri, and keyboard management
Apple is modernizing the management of intelligent systems available on-device by moving capabilities from legacy MDM restrictions payloads to declarative device management configurations. This migration provides clearer policy intent, increased flexibility when to apply the configurations, and a streamlined path to locate management capabilities. The following settings are available through modern declarative configuration:
Apple Intelligence
External intelligence
Siri
Keyboard
Important: Keys in the MDM restrictions payload to manage Apple Intelligence, Siri, and keyboard settings were deprecated in iOS 26.4, iPadOS 26.4, macOS 26.4, visionOS 26.4, and watchOS 26.4.
Apple Intelligence settings
On supervised devices with iOS 26.4, iPadOS 26.4, macOS 26.4, visionOS 26.4, or later, IT teams can use the com.apple.configuration.intelligence.settings configuration to allow or deny device-wide Apple Intelligence features including:
AllowGenmoji: Genmoji
AllowImagePlayground: Image Playground
AllowWritingTools: Writing Tools
AllowImageWand: Image Wand (iOS, iPadOS, visionOS)
In addition to these device-wide settings, IT teams can also control:
App-specific intelligence capabilities for Mail, Notes, and Safari
Apple Intelligence Report
Personalized Handwriting Results (iOS, iPadOS only)
Visual Intelligence Summary (iOS, iPadOS only)
On-device only processing for dictation and for translation (iOS, iPadOS only)
On supervised devices with iOS 27, iPadOS 27, macOS 27, and visionOS 27, a new Apps.Calendar.AllowNaturalLanguageEditing key in the com.apple.configuration.intelligence.settings configuration controls whether a user can create calendar events using natural language input; setting the key to FALSE prevents it.
External intelligence settings
On supervised devices with iOS 26.4, iPadOS 26.4, macOS 26.4, visionOS 26.4, or later, organizations can manage external intelligence integrations using the com.apple.configuration.external-intelligence.settings configuration. This allows IT teams to permit or restrict external intelligence services and control sign-in access for these services.
Enforcement limitations in initial 27.0 operating system seeds are documented in Known Issues in their respective seed notes on AppleSeed for IT.
Additional management for Siri AI and Visual Intelligence will be available in future beta releases.
Siri settings
On supervised devices with iOS 26.4, iPadOS 26.4, macOS 26.4, visionOS 26.4, watchOS 26.4, or later, and tvOS 27, IT teams can use the com.apple.configuration.siri.settings configuration to manage the following:
Allow or deny Siri globally (iOS, iPadOS, macOS, tvOS, visionOS)
Control Siri access when the device is locked (iOS, iPadOS, watchOS)
Allow or deny Siri user-generated content processing (iOS, iPadOS, watchOS)
Enforce profanity filtering for Siri responses (iOS, iPadOS, macOS)
Keyboard settings
On supervised devices with iOS 26.4, iPadOS 26.4, macOS 26.4, or later, IT teams can use the com.apple.configuration.keyboard.settings configuration to manage the following:
Dictation
Definition lookup
Math keyboard suggestions
Predictive text (iOS, iPadOS only)
Slide to type (iOS, iPadOS only)
Text replacement shortcuts (iOS, iPadOS only)
Text correction: auto-correction, spell check (iOS, iPadOS only)
File Provider management
On a Mac with macOS 26.4 or later, organizations gain additional control over File Provider extensions. They can define which volumes File Provider extensions can access and how they synchronize data. This extends the existing option to define how File Provider extensions can synchronize data from the user’s Desktop and Documents folders.
These features allow organizations using enterprise file management solutions more granular control while maintaining security boundaries around data volumes.
Using the com.apple.fileproviderd payload, IT teams can:
Allow or deny data synchronization in general for File Provider extensions.
Note: Turning off synchronization also turns off synchronization of data from Desktop and Documents.
Define whether File Provider extensions can sync to locations on encrypted APFS-formatted external storage.
Individually restrict syncing and external syncing to File Provider extensions within approved apps only.
Choose which apps have their File Provider extension enabled by default.
Managed Migration Assistant
On a Mac with macOS 26.4 or later, Managed Migration Assistant streamlines Mac-to-Mac data migration during Setup Assistant, giving organizations control over what data transfers to a new Mac without relying on users to make those decisions.
Migration Assistant selects the best transport option for migration based on speed. Options include peer-to-peer Wi-Fi, infrastructure Wi-Fi, Ethernet, or Thunderbolt. Migration Assistant also frequently checks to see if a faster option becomes available during migration.
IT teams can customize and streamline the migration experience by specifying:
RequiredPaths: Which subfolders and files inside the user’s Home folder are required to migrate.
ExcludedPaths: Which subfolders and files are excluded.
ExcludedAccounts: Which user accounts aren’t offered for migration.
ShouldMigrateSecurityPrivacySettings: Whether system-level privacy settings are migrated.
For more information, see Managed Migration Assistant for macOS.
Software update command removal
Announced last year, legacy software update management no longer functions in all 27.0 operating systems. This includes:
Software update commands
Software update queries
Recommended cadence settings
Software update restrictions, like deferrals and Background Security Improvements
IT teams should use declarative software update management to configure and enforce updates on devices with increased user transparency and more control.
For more information, see the Device Management documentation on the Apple Developer website.