What’s new in Apple platform deployment
Deployment and mobile device management (MDM) introduce new features for iPhone, iPad, Mac, Apple TV, and Apple Watch devices. These updates include the following operating systems:
Note: This isn’t a complete list of everything new in Apple Platform Deployment. For a fuller list, see the document revision history.
For more information, see the WWDC23 video What’s new in managing Apple devices.
Account-driven Device Enrollment
Account-driven Device Enrollment will make it easier for users to enroll their organization-owned iPhone, iPad, and Mac devices into management using their work account. The resulting enrollment is similar to profile-based Device Enrollment, but separates work and personal content. In macOS, it also enables supervision.
For more information, see Account-driven Device Enrollment.
Enforcing requirements and features during device setup
To help ensure that device requirements are met before an iPhone, iPad, or Mac is put into production, organizations using Automated Device Enrollment make sure those devices have the required minimum operating system, even before enrollment. In macOS, organizations can also enforce FileVault in Setup Assistant and require a user to enroll the Mac into device management when it’s registered in Apple School Manager, Apple Business Manager, or Apple Business Essentials.
For more information, see Enforcing a minimum version of iOS, iPadOS, and macOS, Enforcing Automated Device Enrollment, and Enforcing FileVault in Setup Assistant.
Apple Watch deployment
An Apple Watch running watchOS 10 can be enrolled into and managed by MDM to support use cases that improve productivity, support wellness, and provide additional safety to users. To enroll an Apple Watch, you must have a declarative configuration on the paired iPhone and allow the use of configuration profiles, app management, MDM commands, and declarations.
For more information, see Apple Watch deployment.
Passcode payload and declarative configuration update
To support more complex requirements, the passcode payload and declaration let you specify a password policy as a regular expression in macOS. Passcode compliance handling has also changed: When new or changed password requirements are applied without a user being logged in, compliance is verified during the next user login. If the user is logged in and the requirements appear to be as strict as the previous ones, the user is asked to verify their password compliance and, if necessary, update their password.
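Because a regular-expression password policy is only as good as the pattern pushed to the Mac, an administrator will want to check the pattern against sample passwords before deploying it. The following is an added example, not code from this page or from Apple; the pattern, the sample passwords and the full-match semantics are assumptions, and the regex dialect macOS evaluates may differ from Python's `re`, so treat this as a pre-deployment sanity check rather than the authoritative evaluator.

```python
import re

# Constructed example policy (not from the page): at least 12 characters with
# at least one lowercase letter, one uppercase letter, one digit and one
# non-alphanumeric character.
POLICY_REGEX = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{12,}$"


def policy_pattern_error(policy: str):
    """Return None if the pattern compiles, otherwise the compile error text.

    A pattern that fails to compile would never admit any password, so catch
    that before the payload reaches a device.
    """
    try:
        re.compile(policy)
        return None
    except re.error as exc:
        return str(exc)


def password_complies(password: str, policy: str = POLICY_REGEX) -> bool:
    """True if the whole password matches the policy pattern.

    Assumption: the device applies full-match semantics; this is the stricter
    interpretation, so a pattern that passes here is less likely to surprise.
    """
    return re.fullmatch(policy, password) is not None


def evaluate_candidates(candidates, policy=POLICY_REGEX):
    """Map each sample password to its compliance result under the policy."""
    return {pw: password_complies(pw, policy) for pw in candidates}


# Constructed sample passwords covering the policy's edge cases.
SAMPLE_PASSWORDS = [
    "Tr0ub4dor&3xyz",        # all character classes, 14 chars -> compliant
    "correcthorsebattery",   # long, but no uppercase/digit/special -> not compliant
    "Ab1!short",             # all classes, but only 9 chars -> not compliant
    "ALLUPPER12345!!",       # no lowercase -> not compliant
]

if __name__ == "__main__":
    err = policy_pattern_error(POLICY_REGEX)
    print("pattern compiles" if err is None else f"pattern error: {err}")
    for pw, ok in evaluate_candidates(SAMPLE_PASSWORDS).items():
        print(f"{pw!r}: {'compliant' if ok else 'NOT compliant'}")
```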
Platform SSO updates for macOS
With additions to Platform Single Sign-on (Platform SSO), developers can extend their SSO extension to create local user accounts on a shared Mac using credentials from an organization’s identity provider (IdP). In addition, permissions and group membership of those users can be managed with MDM. This also extends to IdP-managed users who don’t have a local account, so they can be used at authorization prompts.
For more information, see Platform Single Sign-on for macOS.
Managed Device Attestation for macOS 14
Managed Device Attestation, available in macOS 14, provides strong assurances about the security posture and properties of a device.
For more information, see Managed Device Attestation.
802.1X for Ethernet on iPhone, iPad, and Apple TV
iPhone, iPad, and Apple TV support the configuration of 802.1X for Ethernet to connect to restricted networks that require authentication.
For more information, see Connect Apple devices to 802.1X networks.
5G Network Slicing
5G Network Slicing allows mobile network operators to customize traffic through a 5G standalone network with specific quality of service requirements for network latency, throughput, and packet loss.
For more information, see Apple device support for private 5G and LTE networks.
A new built-in relay can be used to secure traffic using an HTTP/3 or HTTP/2 tunnel as an alternative to VPN. The configuration is domain based and can be applied to Managed Apps, domains, or the entire device.