The changes delivered by Apple operating system updates are eagerly awaited each year, and not just by users. They often bring new features for professional use as well, and 2022 is no exception: the updates officially rolled out in the fall contribute to increased security and an improved user experience, and offer a range of new options for administrators.
We will introduce you to the 10 key changes that may be of interest for your company.
It is now easy to register Macs, as well as iPhones and iPads, that have not been purchased from an official reseller.
In the future, it will be possible to add Macs, iPhones and iPads to the Apple Business Manager or Apple School Manager by using the “Apple Configurator for iPhone” app. This is particularly interesting for companies that do not use many Macs, or which are located in areas with few official resellers.
Applications can be distributed to iPhones and tablets during setup.
Previously, apps were only installed after the device had been activated and registered. This left a gap between receiving a functional device and that device being ready to operate. This gap can now be closed: iOS 16 and iPadOS 16 make it possible to install apps during setup, in the status “AwaitDeviceConfigured”. Activation then takes a little longer. However, as soon as it has been completed, employees have a device that is “ready to work” immediately, including all apps.
Minor OS updates can be provided with a Priority tag.
It will be possible to use a new command to trigger a Priority installation of an operating system update on a device via a UEM system, even when the device is in power-saving mode. The Priority tag means that the update is treated as if it had been triggered by an actual user and will be installed directly.
Security updates can be installed without affecting the operating system version of the device.
Previously, a complete update of the operating system was required for all types of update. Activating automatic updates was therefore not recommended, as extensive testing was required before rollout to avoid severe problems. There was a risk of installing updates too late, leaving the entire device fleet unprotected. The new “Rapid Security Response” function allows for the provision of security updates without changing the firmware on the device. This means that they can be installed automatically, and much more quickly. Other updates can, and should, be tested as normal before provision.
Google Workspace is supported by Apple Business Manager.
Previously, the Apple Business Manager only supported Microsoft Azure Active Directory. Google Workspace is now being added to this. In future, employees of companies that use Google Workspace as an identity provider will be able to use their credentials as a managed Apple ID.
OAuth 2 can be used for authorization on iPhones and tablets.
OAuth 2 is available as an authorization mechanism for iOS 16 and iPadOS 16. This allows Unified Endpoint Management systems to also use additional identity providers for employee identification. This improves security and user-friendliness, as users are not forced to repeatedly enter their credentials.
It is easier to register private devices in a UEM system, and for these to gain access to corporate apps and websites.
The “Enrollment Single Sign-On” function enables the simple registration of private devices in a UEM system. With a single authentication, they also receive access to corporate websites and applications. Employees can register their own devices by logging in with a managed Apple ID and downloading a registration app. Containing the “Enrollment Single Sign-On” extension and an authentication interface, the app takes over the rest of the process.
All services for which authentication takes place using the company’s identity provider can be accessed using true Single Sign-On.
Apple is introducing “Platform Single Sign-On” to improve the Single Sign-On experience. This means that employees only need to log in once with their local password to unlock a device. Thereafter, they automatically have access to all corporate information and applications for which the company’s identity provider is used for authentication.
For all devices, it is possible to ensure that a device attempting to connect to corporate resources really is the device that it claims to be.
Previously, how effectively device-specific certificates used for authentication could be distributed differed depending on the Apple device and the operating system. On macOS devices, the same certificate, including its private key, had to be installed in the keychain of the operating system, which gave admins the opportunity to get past the certificate copy restriction. The new “Device Attestation” function can now be used to guarantee that the device requesting access really is the managed device for which access is to be granted. To do so, the Secure Enclave of the device generates a corresponding certificate.
New restriction options under macOS hamper attacks via USB and Thunderbolt.
Accessories that are connected to a laptop via USB or Thunderbolt increasingly pose a risk, as malware can reach the device via manipulated cables or data carriers. A new security function for macOS devices ensures that communication between new USB and Thunderbolt accessories and the operating system is blocked by default until the accessory is approved by the user. Approval can only be granted once the device is unlocked. Attacks in which criminals attempt to connect a manipulated USB stick to a locked Mac will therefore no longer be successful. However, the function is less useful if a user finds a USB stick and connects it to the Mac themselves. Raising awareness remains the key security precaution in this case.
- The information is based on publicly available information from the Apple website, and publicly available third-party sources. You can find the latest updates at https://developer.apple.com/enterprise/. If you have a developer account, you can find further details in the corporate resources.
- Beta versions for developers and public Beta versions have already been published. The official release is scheduled for this fall.
- It remains to be seen how and when the UEM producers will integrate the various new options into their systems. We will keep you up to date.