Apple delivers enterprise IT improvements for iPhone, iPad, and the Mac

While we’ve already focused on how new features in Apple’s latest operating system upgrades can help you get work done on an iPhone and on a Mac, under-the-hood enhancements for enterprise IT also made the cut. Here’s a rundown on what was introduced.

Apple’s changes for enterprise and education deployments lean toward declarative device management (DDM) as the company continues to navigate away from MDM profiles. They also include security tweaks to manage newly introduced features such as iPhone Mirroring on Mac.

The latter is interesting in its own right, as it means IT can prevent managed iPhones from being mirrored on any Mac, and any Mac can also be prevented from mirroring any iPhone. That makes sense, as it puts a barrier in place against abuse of that feature.

On the good ship DDM

Apple has flagged its move toward Declarative Device Management (DDM) since it first introduced support for this way of managing devices in 2021. This was originally only available to user-enrolled iOS devices, then Macs joined in. It is now supported across all the company’s products, including the Apple Watch and Apple TV. In 2022, Apple told us explicitly at WWDC that DDM will eventually supersede its own older MDM framework.

The beauty of DDM is that it allows IT to specify a desired state for devices. That means devices that do not occupy that “state” won’t get access, and the device doesn’t require continuous prompts from an MDM server.

Admins recognize that this makes for faster onboarding, better update management, improved device monitoring, better security and reduced network bandwidth usage. For most users, it just makes for a far nicer experience, bringing the convenience of consumer grade simplicity to managed enterprise devices. Everyone in the Apple MDM ecosystem I speak with has told me that DDM is the future for managed devices.

Michael Covington, Jamf vice president for portfolio strategy, last year noted the importance of this move. Pointing to DDM improvements at the time, he said: “Of course, the big announcement for those IT professionals responsible for managing devices is Apple’s improvements to Declarative Device Management. The new Software Update workflows demonstrate Apple’s commitment to iterating on the enhanced protocol….”

In this year’s biggest move toward that future, Apple’s new operating system software updates can now be managed entirely using DDM, replacing MDM profiles for software update restrictions, settings, and software update commands and queries.

A short summary of improvements for Apple admins

Of course, DDM is only one facet of device management, and while there are some unique differences between Mac and i-device platforms, Apple peppered the releases with new device management features:

  • MDM can manage which Safari extensions are allowed, always on or always off, and what websites they can access.
  • On supervised devices, organizations can disable a user’s ability to hide and lock apps.
  • IT can prevent VPN settings from being modified by apps.
  • A new MDM restriction can prevent the removal of an eSIM.
  • New features in Calculator, such as Math Notes, Math Notes keyboard, scientific mode, and unit conversions can be managed in MDM. (This tool is aimed at education IT.)
  • On a Mac, a new disk management configuration can be used to choose whether external or network storage is allowed or disallowed, or limit mounting to read-only volumes.
  • Also on a Mac, MDM can configure a hardware MAC address instead of a private MAC address on managed Wi-Fi networks. MDM can also prevent system extensions from being disabled in Settings.
  • iPads gain an iPhone tool; IT can now use MDM to manage alternative marketplaces in regions in which those are supported.
  • visionOS 2 now supports Automated Device Enrolment in MDM.

For the most part, Apple’s enterprise improvements seem designed to give IT additional power to harden security across managed devices while also working to prevent data leaks. Companies in which security policy is attenuated also benefit from a small but noteworthy improvement in which users with complex passwords no longer need to lock and unlock the device to see the keyboard.

Apple’s complete lists

There are other features and tools listed across Apple’s documents detailing the enterprise-focused content in the latest OS upgrades. Apple’s pages detailing these improvements are here:

What’s new for enterprise in macOS Sequoia

What’s new for enterprise in iPadOS 18

What’s new for enterprise in iOS 18

What’s new for enterprise in visionOS 2

While many of the changes described above may be of less interest to most users, they will be of huge significance to the ever-growing cadre of Apple admins who are seizing seats across the enterprise as the company’s market share across that sector continues to grow. Apple is in business, from the world’s biggest firms to SMBs, and its continued focus on empowering MDM teams to support that proliferation now seems to run deep. Apple knows that, unlike the main enterprise tech incumbent, its products aren’t renowned for causing business disasters. It knows it has a story to tell, and for many in business in a world after the CrowdStrike mess, it also knows it offers a viable and robust alternative.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.
