Overview
Another year and another WWDC has concluded. Apple has announced the features of their Fall 2019 lineup starting with iOS 13, macOS Catalina 10.15, tvOS 13, and the new iPadOS 13. The Workspace ONE team is already hard at work preparing for these releases and this page will be your hub for everything to know and triple check prior to their general availability this fall. This page will be focused on enterprise impacting updates and any Workspace ONE changes expected to support them. Please subscribe to this article in order to receive notifications as we update it. For general WWDC updates, please see visit Apple’s developer site here.
22-Jul-19 Update: This Fall Apple will be migrating the mdmenrollment.apple.com URL to a new networking infrastructure. This migration will result in a change of IP resolution for mdmenrollment.apple.com to a broader range of IP addresses. In order to make sure there are no connectivity issues to mdmenrollment.apple.com, please verify connectivity from your Workspace ONE device services and console servers to the below IP ranges in addition to the current ACLs:
- 17.248.128.0/17
- 17.248.192.0/19
- 2620:149:a40::/46
- 2a01:b740:a41::/48
- 2403:300:a41::/48
- 2403:300:a50::/48
General Information and Beta Testing
June 3rd was the official release date for all developer betas for Apple’s major OS updates and apps like Xcode 11 and Apple Configurator 2.10 with public betas coming later this summer. It is highly encouraged to download these betas and upgrade your test devices and ensure compatibility with your Workspace ONE UEM environment. The Workspace ONE platform and application teams have already begun our efforts to ensure compatibility with the new updates. Any issues found will be released as part of the Known and Resolved Issues section of this page.
iPadOS
One of the biggest changes to iOS was not iOS at all, but a spin off platform specifically for iPads called fittingly iPadOS. Once the updates are public, iPads will upgrade to iPadOS 13 with iPhones and iPods remaining on iOS 13. So far, there does not seem to be any impact in managing these devices differently than iOS. Even the device information queries report the devices as an iOS 13 device.
Because managing iPadOS 13 devices is no different than iOS 13 devices, Workspace ONE UEM has no current plans to display or manage these devices any differently than they are today. This means admins will not need to take any action to support iPadOS 13 devices uniquely. iPads and iPhones/iPods can still be differentiated by using the hardware model received from the Apple devices.
The one impacts announced by Apple is the user-agent reported by Safari on these devices will not be a reliable hardware indicator for developers because it will report as Mac. Workspace ONE UEM currently uses this value to show the appropriate web pages for mobile vs desktop devices. Today in Safari, if someone tries to navigate to the hostname of an environment (e.g. “https://example.com“), they will be prompted to web enroll on an iPad or iPhone but on a Mac will see a UEM console login view.
To always see the web enrollment view, append “/enroll” to the end of the URL (e.g. “https://example.com/enroll”).
Along those same lines, if a user navigates to getworkspaceone.com, they will be prompted to install the .dmg (Mac app) file of Workspace ONE Intelligent Hub instead of being directed to the iOS App Store as expected in previous versions.
User Enrollment
The largest update for iOS, iPadOS, and macOS in the enterprise was the announcement of the Apple coined “User Enrollment”. This new enrollment method lets admins provide resources to users, rather than devices, by specifying a Managed Apple ID for each user during the enrollment process (more to come on Managed Apple IDs below). The device creates a separate managed identity and data partition on the device while still allowing a user to maintain a personal Apple ID simultaneously. Instead of being prompted with vague, privacy threatening messaging, users are given a single view to accept the terms and enter their Managed Apple ID and password (see below).
This new management mode allows admins a subset of management functionality. While the granular list is still yet to be uncovered, certain actions are known for sure:
| Allowed in User Enrollment | Not Allowed in User Enrollment |
|---|---|
|
|
Updated 19-Aug-2019: NEW Coming soon to Workspace ONE UEM!
Managed Apple IDs
Managed Apple IDs have been around for several years in Apple School Manager (ASM) for admins to create accounts on behalf of students. Recently this spring, Apple announced the option to federate these accounts and create them through integrating a schools Microsoft Azure Active directory. This fall both these capabilities will be coming to Apple Business Manager (ABM) as well. These Managed Apple IDs can be used to configure the User Enrollment mentioned above.
Custom Screens in Automated Enrollment (Devices in ABM)
Since its release, devices added to DEP, now ABM, had a rigid enrollment process allowing for little customization for the end-user authentication experience. Apple has now announced a major enhancement to this by allowing MDMs to provide a web page URL to display during the enrollment process prior to reaching the Setup Assistant screens. With no limitations on this web page, MDM providers can display any options they wish such as custom terms of use, redirection to a modern auth provider, two factor auth, and anything else.
Single Sign-On Extension
Apple has added a new Single Sign-On Extension, configurable via profile, to allow admins the ability to specify apps and websites that can leverage the new extension when performing specific authentications. The purpose of this is so app developers no longer need to support several different auth methods (e.g. OAuth, SAML, or Kerberos) in their app and can instead leverage this extension. Enterprises can configure this extension with their preferred authentication for all Apple platforms, but app developers need to add corresponding support in their apps. This will work for different authentication workflows like redirecting to retrieving token or credential challenges.
iOS 13
New iOS 13 features included in both iOS and iPadOS bring updates to existing commands and profile payloads as well as newly announced options.
This year the Workspace ONE team will be publishing the custom XMLs for each new payload and command on our GitHub page for easier access. Follow this page for more information once they are published.
Dynamic Compromised Detection
Dynamic Compromised Detection is a new feature which allows SDK applications to securely update the compromised detection algorithm over-the-air. This will allow for a faster turnaround when false positive issues are found. Customers and developers with apps using these new SDK versions which support dynamic compromised detection will no longer have to update and/or re-release their apps. It is recommended to ensure your users are on the minimum supported version especially for Dynamic Compromised Detection.
Note: The Workspace ONE team has already found an issue in iOS 13 beta 1 giving false positives for compromised detection. We hope to have this resolved as soon as possible.
Certificate validation has been seen to fail if the DNS attribute is not included in the Subject Alternative Name (SAN) of an SSL certificate even if it is mentioned in the Subject Name. Customers that are using self-signed SSL certificates for their environments may be affected. See Apple’s support link for more info.
| Application | iOS 13 Supported Version | iPadOS 13 Supported Version | Dynamic Compromised Detection Support |
|---|---|---|---|
| Workspace ONE Boxer | 5.4.1 | ||
| Workspace ONE Content | 4.17.1 | ||
| Workspace ONE Intelligent Hub | 19.03 | ||
| Workspace ONE Notebook | TBD | ||
| Workspace ONE PIV D Manager | 1.4.1 | ||
| Workspace ONE SDK Objective C | 5.9.9 | ||
| Workspace ONE SDK Swift | 19.2 | ||
| Workspace ONE Send | N/A | ||
| Workspace ONE Tunnel | N/A | ||
| Workspace ONE Web | 7.4 | ||
| Workspace ONE App | 3.3.5 |
Exchange
Exchange accounts configured by MDM can now specify which services to enable for the account including Mail, Contacts, Calendar, Notes, and Reminders.
Note: This feature is now available for testing in CN135, CN137, and CN138.
Restrictions
Several existing restrictions are transitioning to supervised devices only for iOS 13. It is important to note that these restrictions will continue to function on unsupervised devices upgrading to iOS 13 that already have these restrictions set. However, if the restrictions are removed or updated, they will cease to take effect. In addition, these existing restriction profiles will not take effect on newly enrolled iOS 13 devices. These are the restrictions changing to supervised only:
- iTunes
- Safari
- Camera
- FaceTime
- Explicit content
- iCloud backup
- iCloud document synchronization
- iCloud Keychain synchronization
- Adding Game Center friends
- Multiplayer gaming in Game Center
Apple also released new restrictions for additional control. They are all for supervised devices only.
- Prevent Find My Friends
- Prevent Find My iPhone
- Prevent QuickPath keyboard (new in iOS 13)
- Modify whether Wi-Fi is on or off
Note: The feature above are available for testing in CN135, CN137, and CN138. - Prevent USB Drive access
Note: This feature is not yet available for testing.
Other Payloads
The table below outlines updates to existing payloads starting in iOS 13.
| Payload | Update |
|---|---|
| Single App Mode | Voice Control and use of the keyboard will be added to the list of features that can be configured in Single App Mode. |
| Wi-Fi | WPA3 will be added to the list of encryption types and allow both personal and enterprise-level authentication |
| Network | App rules are no longer required and rules for SIMs will be added |
| Network Usage Rules | Ed25519WPA3 will be added to the list of certificate types. |
| Per-app VPN | Per-app VPN will support and specify domains from mail, calendar, and contacts |
| VPN | Three new values can be used for this payload:
|
| IKEv2 | Four values can be added for this payload:
|
Note: The Wi-Fi and Network features above are available for testing in CN135, CN137, and CN138.
Commands
Like payloads, updates and net new commands are available for iOS 13 also. Below are the details for each.
| Command | Update |
|---|---|
| Refresh eSIM plans for iPad* | Allows for eSIM plans to be refreshed (Supported on Fall 2018 and later iPad models) |
| Activation Lock | Unlock tokens will only be available:
|
| Set the device name | Will work even if the restriction to prevent a name change is enabled |
| Security Info | Will return the management status of the device (e.g. User Managed) |
| Query for profile, provisioning profile, certificate list | Option to only query for managed items of each |
Note: *Denotes new command
tvOS 13
tvOS 13 only received a single new restriction to prevent supervised Apple TVs from going to sleep.
macOS Catalina (10.15)
macOS Catalina featured quite a few updates to existing profiles as well as a few new ones mostly porting over payloads that existed on iOS platforms.
This year the Workspace ONE team will be publishing the custom XMLs for each new payload and command on our GitHub page for easier access. Follow this page for more information once they are published.
Supervision
macOS Catalina introduces a new management mode longstanding on iOS, called Supervision. This mode can only be achieved through Automated Enrollment flows through ABM or ASM. Future MDM functionality such as Activation Lock management, will require the device to be Supervised.
Activation Lock
macOS Catalina brings long awaited support for Activation Lock, along with a set of management capabilities on Supervised devices. New MDM features will allow administrators to allow or disallow functionality, enable automatically, or even clear Activation Lock during reprovisioning processes.
Profiles
| Payload | Update |
|---|---|
| Associated Domains* | Configures Associated Domains used with features such as Extensible Single Sign-on, universal links and Password AutoFill |
| Web Content Filter* | Use the Content Filter payload to choose which websites the device can view |
| Certificate | Specify whether the PKCS12 certificate should be tagged as "extractable" in the Keychain |
| Privacy Preferences Policy Control | MDM administrators can determine which approved apps have access to the following:
|
| Restrictions | Allow or Disallow users from using Handoff with their Apple devices |
| Dock | Set the window's title bar double-click setting. The options are:
|
| VPN | Three new values can be used:
|
| IKEv2 | Four values can be added:
|
Note: *Denotes new payload
Commands
Like payloads, updates and net new commands are available for iOS 13 also. Below are the details for each.
| Payload | Update |
|---|---|
| Activation Lock* | New management functionality for supervised macOS devices, similar to iOS devices:
|
| Local Administrator settings | In OS X 10.11 and later, you can send a command to create a local administrator account on a Mac. In macOS Catalina, additional attributes have been added to this command to also control the behavior of the User Account creation screen:
|
| Bootstrap Token* | On FileVault-encrypted APFS volumes, users shown at the FileVault Login window are each required to have a unique SecureToken to log in successfully. Before macOS Catalina, enabling a mobile account for SecureToken required specific workflows, some of which required entering existing SecureToken-enabled administrator credentials to enable the new user account for FileVault. The Bootstrap Token command eliminates the need to request any additional existing authentication information when a network user is creating a mobile account on a Mac with an encrypted volume. This command will not be available for local users. |
| Device Information | Will return the supervision status of the device. |
| Security Info | Will return the management status of the device (e.g. User Managed) |
Note: *Denotes new command
Apple Business Manager & Apple School Manager
Apple Deployment Programs (Volume Purchase Program and Device Enrollment Program) will be moving to Apple School Manager and Apple Business Manager on December 1st. It is recommended to upgrade your environments ASAP.
Also, two options for devices added to these programs and enrolling are being deprecated in the next update. These were announced a few years ago but are now going live. Starting in the fall optional MDM enrollment and preparing unsupervised devices will be ignored thus enforcing MDM and supervision on all ABM and ASM added devices.
Lastly, there are a few new Setup Assistant screens available on each platform (1 for macOS and 1 for iOS). Look for these to come in a future release of Workspace ONE UEM.
Known Issues
ISDK-173155: False positive compromised detections in iOS 13 beta 1
Additional Resources
- WWDC Home Page
- WWDC What’s New in Managing Devices
- Use Apple Products on Enterprise Networks
- VMware EUC WWDC Recap Blog
- VMware Workspace ONE Intelligent Hub to end support for iOS 9
- VMware Workspace ONE Content to end support for iOS 9
- VMware Workspace ONE Productivity Apps for iOS to end support for iOS 9
- VMware Workspace ONE Applications Support Policy
Support Contact Information
To receive support or provide feedback, either submit a ticket via the My Workspace ONE portal or call your local support line.
Best Regards,
The VMware Workspace ONE Team
Other Languages: 日本語
2 Comments