What’s new in Apple platform deployment
Deployment and mobile device management (MDM) introduce new features for iPhone, iPad, Mac, Apple TV, Apple Watch, and Apple Vision Pro devices. These updates include the following operating systems:
iOS 18.0
iPadOS 18.0
macOS 15.0
tvOS 18.0
watchOS 11.0
visionOS 2.0
Note: This isn’t a full comprehensive list of all new and changed content in Apple Platform Deployment. For a more complete list, see the document revision history.
For more information, see the WWDC24 video What’s new in device management.
Automated Device Enrollment for Apple Vision Pro
In visionOS 2.0, organizations can onboard Apple Vision Pro devices using Automated Device Enrollment to automate MDM enrollment, supervise devices during activation and simplify initial device setup.
Apple Vision Pro devices can also be enrolled using Account-driven Device Enrollment and Account-driven User Enrollment using visionOS 1.1 or later. Account-driven Device Enrollment and Account-driven User Enrollment lets organizations cryptographically separate organizational data from personal data.
Software update process
Software updates on iPhone, iPad, and Mac devices can now be managed entirely with declarative device management, replacing the MDM profiles for software update restrictions, settings, and software update commands and queries. The result is more resilient management of the software update process and increased user transparency.
In iOS 18, iPadOS 18, and macOS 15, the com.apple.configuration.softwareupdate.settings
configuration can be used on iPhone, iPad, and Mac devices to configure the following:
Automatic software update behavior
Rapid Security Response behavior
Deferral of software updates (1–90 days)
Whether local administrator authorization is required to perform an update for macOS
The default notification behavior when enforcing software updates
The visibility (recommended cadence) of software upgrades (iOS and iPadOS only)
For more information, see:
Software update release dates
The latest software update release dates have been added.
For more information, see Software release dates.
Beta software management
When managing installs of beta software, organizations can now do the following:
Remotely enroll devices into different beta programs and—combined with the option to defer beta and production updates and upgrades—implement a phased testing and a rollout approach beginning with the initial beta software upgrade.
Enforce, restrict, and defer beta versions provided by these programs on supervised devices (similar to software updates).
Provide status reports for increased visibility and allow organizations to track beta program enrollments on managed devices.
Add devices to a beta program using an organization token. The user doesn’t need to sign in to Settings or System Settings with any (personal or Managed) Apple Account. This removes the need for steps to be manually performed by the user and allows for a streamlined process throughout the beta testing lifecycle. The process varies by operating system:
Add devices during Setup Assistant when using Automated Device Enrollment. (iOS 17.5, iPadOS 17.5, and macOS 14.5 or later).
Add devices using the com.apple.configuration.softwareupdate.settings configuration (iOS 18 beta, iPadOS 18 beta).
For more information, see Testing software updates with the AppleSeed for IT beta program.
New hardware requirements for Managed Device Attestation
Attestation hardware requirements have been updated.
For more information, see Supported hardware for Managed Device Attestation.
eSIM updates
In iOS 18 and iPadOS 18, the allowESIMOutgoingTransfers
can be used to control whether eSIM can be transferred to a newly setup device.
For more information, see About the allowESIMOutgoingTransfers restriction.
Multiple Cellular Private Network payloads
In iOS 18 and iPadOS 18, multiple Private Cellular Network payloads are supported, allowing configuration for up to five private 5G or LTE networks. Because the payload defines a geofence for each network, the appropriate eSIM can be automatically turned on or off as the user moves in and out of private network coverage.
For more information, see MDM with private cellular networks.
Safari extensions management
Safari extensions enhance and customize the web browsing experience on iPhone, iPad, and Mac. In iOS 18, iPadOS 18, and macOS 15, organizations can now use MDM solutions to manage how Safari extensions are used on supervised devices. For example, a business may want specific extensions installed and turned on to provide access to internal services, or an educational institution may want to prevent students from using extensions that provide information that goes against school policy. These extension management features work for standard browsing and Private Browsing and include:
Defining which extensions are allowed
Controlling which extensions are always on or always off
Configuring an extension to access websites by specific domains and subdomains
For more information, see Safari extensions management declarative configuration.
Apps and books for organizations API
MDM developers can now use their developer account to configure Services IDs, and authorization keys for the Apps and Books for Organizations API, to retrieve information about apps and books they manage. Other changes include:
New fields that indicate whether an app is compatible with visionOS
A new endpoint for searching the App Store
For more information, see Configure the Apps and Books for Organizations API on the Apple developer website.
Provisioning and managing users for proprietary in-house app developers
Proprietary in-house (enterprise) app developers will have access to Apple APIs for provisioning and managing users, allowing them to automate tasks such as provisioning profile generation and integrating user management into existing workflows.
For more information, see Enterprise Program API on the Apple developer website.
Security improvements for setting up push notifications for MDM customers
MDM developers can currently use the Apple Push Notification service (APNs) to create a streamlined push-certificate-creation process for their customers. This involves creating and signing a Certificate Signing Request (CSR) for each customer. Then, each customer can use the provided CSR to obtain a certificate from the Apple Push Certificates portal.
Later this year, the Apple Push Certificates portal will require CSRs to be signed with the SHA2 algorithm for better security. Certificates won’t be issued for CSRs signed with SHA1. For more information on best practices, see Setting Up Push Notifications on the Apple developer website.
Device management for Math Notes, Smart Script, Image Playground, and Writing Tools
Apple will be providing device management (MDM) and Assessment Mode (AAC) controls for Math Notes, Smart Script, Image Playground, and Writing Tools.
For more information, see Math and Calculator app settings configuration.
Organizations can also learn more about how Apple Intelligence features like Writing Tools and Image Playground leverage Private Cloud Compute. For more information, see Private Cloud Compute: A new frontier for AI privacy in the cloud on the Apple Security Research website.
Passkey and hardware security key support during enrollment
In macOS 15, Setup Assistant supports ASWebAuthenticationSession
, allowing support for passkeys and supported hardware security keys during enrollment.
Extensible Single Sign-on Kerberos payload
The following are new keys for the Extensible Single Sign-on Kerberos payload:
To allow switching to the password mode:
allowPassword
To allow switching to the SmartCard mode:
allowSmartCard
To filter the list of available SmartCards:
identityIssuerAutoSelectFilter
To start the Kerberos extension in SmartCard mode:
startInSmartCardMode
Platform Single Sign-on
To support highly secure macOS deployments that require authentication with the IdP, Platform Single Sign-on (Platform SSO) in macOS 15 is extended to:
Require IdP authentication across FileVault, the Lock Screen, and the login window, using a new policy option,
RequireAuthentication
Optionally configure Touch ID or Apple Watch to unlock the screen for ease of use when
RequireAuthentication
is enabledConfigure offline and authentication grace period, so that users can log in or unlock the screen when they’re offline
External and network storage access
In macOS 15, to help organizations manage how their data can be transferred off the device, they can now use the new disk management configuration to either choose whether external or network storage is allowed or disallowed, or limit mounting to read-only volumes.
This configuration replaces the deprecated media management payload. For more information, see Storage management declarative configuration.
Background task management
macOS includes support for background tasks that either start on behalf of the user or run as a standalone process to provide persistent services in the background.
In macOS 15, executables, scripts, and launchd configuration files can be installed using MDM and are stored in a secure and tamper-resistant location (similar to service configuration files introduced last year), providing an easy way for organizations to deploy and control managed services.
Local network access for macOS
In macOS 15, a third-party app or launch agent that wants to interact with devices on a user’s local network must ask for permission the first time that it tries to browse the local network.
Similar to iOS and iPad OS, users can now go to System Settings > Privacy > Local Network to allow or deny this access, giving users control over their privacy.
macOS virtual machine updates
On a virtual machine running macOS 15, users can to the following:
Sign in to iCloud (using a personal Apple Account) after their account has already signed in on a physical Apple device. This allows users to access iCloud services and apps associated with iCloud on the virtual machine.
Use Erase All Contents and Settings.
Setup Assistant updates
The following options (already available in iOS and iPadOS) can now also be used in macOS 15 for a seamless setup experience:
Welcome
as part of Skip Keys for Automated Device EnrollmentSkipSetupItems
in the Setup Assistant profile payload
System Settings update
In macOS 15, the Profiles section of System Settings has been renamed Device Management and now appears in the General section. This change aligns Mac more closely with iOS and iPadOS.
Hiding and locking apps
iOS 18 and iPadOS 18 introduce new options that allow users to require Face ID, Touch ID, or a passcode to open an app, and to hide it from the Home Screen. MDM can manage the availability of these options by:
Controlling a user’s ability to hide and lock Managed Apps on a per-app basis
Disabling hiding and locking all apps on supervised devices
For devices enrolled with User Enrollment, hidden apps are reported to MDM only if they are managed. For devices enrolled with Device Enrollment, hidden apps are reported to MDM as part of all installed apps.
In-house app installations
In iOS 18 and iPadOS 18, Proprietary in-house apps manually installed (not using MDM) now require a device restart to complete the trust of the provisioning profile. Before, installed apps signed by the same provisioning profile didn’t require a restart and were automatically trusted.
Return to Service
Return to Service allows the process of resetting and reenrolling Apple TV devices in MDM to be fully automated over wireless network. In tvOS 18, when the MDM solution sends the command to erase a managed device, it must provide the Wi-Fi details and define which MDM solution to enroll the device in.
If the device appears in Apple Business Manager or Apple School Manager, the MDM server configuration can be omitted. This triggers the device to check for an enrollment profile during activation. The device then erases all data and automatically proceeds through Setup Assistant using the previous language and region settings until it reaches the Home Screen, ready to be used.
AirPlay receiver identification
In tvOS 18, AirPlay receivers no longer advertise their device ID (MAC address). The RequestMirror
command can use either a device name or a device ID, but only the device name works with Apple TV devices running tvOS 18. Other changes to the AirPlay payload include the following:
The list of allowed device IDs—known as the allow list—can now accept device names.
In macOS 15, the passwords list links passwords to a device name. This feature is already available in iOS and iPadOS.
Configuration management updates
In visionOS 2.0, organizations can configure Enrollment SSO, configurations such as device lock, Activation Lock, passcode management and more, making it easier to deploy in an organization. For more information, see the Apple device management GitHub repository.
For a full list of payloads, restrictions, commands, and declarative configurations supported for visionOS 1.1 or later, see the following:
Multiapp Assessment Mode for iPad
In iPadOS 17.6 or later, developers can take advantage of additional apps alongside their primary assessment app—for example, accessibility apps and apps that may use calculators, notes, and spreadsheets.
Schoolwork 3.0
In iPadOS 17.5 or later with Schoolwork 3.0, teachers can:
Send any document or file as a Classroom assessment, including PDFs and files created from Pages, Numbers, Keynote, and Google Suite (docs, sheets, slides)
Upload documents from iCloud and scan paper documents directly into Schoolwork
Review and score student work and documents using scoring features
Analyze student performance per question, which includes other reporting and insight features
Unmanaged nearby classes in the Classroom app
In iPadOS 17.4 and macOS 14.4, or later, this feature allows instructors with Managed Apple Accounts to create and use unmanaged nearby classes in Classroom (instead of Apple School Manager classes).