Getting Ready for Apple Fall 2019 Releases

Overview


Another year and another WWDC has concluded. Apple has announced the features of its Fall 2019 lineup, starting with iOS 13, macOS Catalina 10.15, tvOS 13, and the new iPadOS 13. The Workspace ONE team is already hard at work preparing for these releases, and this page will be your hub for everything to know and triple-check prior to their general availability this fall. This page is focused on enterprise-impacting updates and any Workspace ONE changes expected to support them. Please subscribe to this article to receive notifications as we update it. For general WWDC updates, please visit Apple’s developer site.

22-Jul-19 Update: This Fall Apple will be migrating the mdmenrollment.apple.com URL to a new networking infrastructure. This migration will result in a change of IP resolution for mdmenrollment.apple.com to a broader range of IP addresses. In order to make sure there are no connectivity issues to mdmenrollment.apple.com, please verify connectivity from your Workspace ONE device services and console servers to the below IP ranges in addition to the current ACLs:

  • 17.248.128.0/17
  • 17.248.192.0/19
  • 2620:149:a40::/46
  • 2a01:b740:a41::/48
  • 2403:300:a41::/48
  • 2403:300:a50::/48
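To verify the ACL change before the migration, here is an added Python example (not Workspace ONE code): it checks each address a resolver returns for mdmenrollment.apple.com against the ranges listed above and reports any that the current ACLs would still block. The sample addresses are constructed stand-ins for a live lookup; resolve_all() performs the real lookup when run with network access.

```python
import ipaddress
import socket

# The ranges Apple published for mdmenrollment.apple.com (from the update above).
APPLE_MDM_ENROLLMENT_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "17.248.128.0/17",
        "17.248.192.0/19",
        "2620:149:a40::/46",
        "2a01:b740:a41::/48",
        "2403:300:a41::/48",
        "2403:300:a50::/48",
    )
]


def covering_range(address, ranges=APPLE_MDM_ENROLLMENT_RANGES):
    """The first published range that contains `address`, or None if none does."""
    ip = ipaddress.ip_address(address)
    # An IPv4 address is never "in" an IPv6 network and vice versa, so mixing is safe.
    return next((net for net in ranges if ip in net), None)


def uncovered_addresses(addresses, ranges=APPLE_MDM_ENROLLMENT_RANGES):
    """Addresses the ACL would still block: those outside every published range."""
    return [a for a in addresses if covering_range(a, ranges) is None]


def resolve_all(hostname="mdmenrollment.apple.com", port=443):
    """Every A/AAAA address the local resolver returns for the host (needs network)."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed sample answers standing in for a live DNS lookup: two inside the
# published ranges, two outside them (adjacent blocks that are NOT listed).
SAMPLE_RESOLVED = ["17.248.150.23", "2620:149:a43::10", "17.249.0.1", "2a01:b740:a42::1"]

if __name__ == "__main__":
    for addr in SAMPLE_RESOLVED:
        print(f"{addr:24} -> {covering_range(addr) or 'NOT COVERED: extend ACL'}")
```

Run it from each device services and console server so the check uses the resolver those servers actually use.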


General Information and Beta Testing

June 3rd was the official release date for all developer betas of Apple’s major OS updates and apps like Xcode 11 and Apple Configurator 2.10, with public betas coming later this summer. You are highly encouraged to download these betas, upgrade your test devices, and verify compatibility with your Workspace ONE UEM environment. The Workspace ONE platform and application teams have already begun efforts to ensure compatibility with the new updates. Any issues found will be published in the Known and Resolved Issues section of this page.


iPadOS

One of the biggest changes to iOS was not iOS at all, but a spin-off platform specifically for iPads, fittingly called iPadOS. Once the updates are public, iPads will upgrade to iPadOS 13, with iPhones and iPods remaining on iOS 13. So far, there does not seem to be any impact on managing these devices differently than iOS. Even the device information queries report them as iOS 13 devices.

Because managing iPadOS 13 devices is no different from managing iOS 13 devices, Workspace ONE UEM has no current plans to display or manage these devices any differently than they are today. This means admins will not need to take any action to support iPadOS 13 devices uniquely. iPads and iPhones/iPods can still be differentiated by using the hardware model received from the Apple devices.

The one impact announced by Apple is that the user-agent reported by Safari on these devices will no longer be a reliable hardware indicator for developers, because it will report as a Mac. Workspace ONE UEM currently uses this value to show the appropriate web pages for mobile vs. desktop devices. Today in Safari, if someone navigates to the hostname of an environment (e.g. “https://example.com”), they will be prompted to web enroll on an iPad or iPhone, but on a Mac they will see the UEM console login view. To always see the web enrollment view, append “/enroll” to the end of the URL (e.g. “https://example.com/enroll”).

Along those same lines, if a user navigates to getworkspaceone.com from an iPad, they will be prompted to install the .dmg (Mac app) file of Workspace ONE Intelligent Hub instead of being directed to the iOS App Store as in previous versions.


User Enrollment

The largest update for iOS, iPadOS, and macOS in the enterprise was the announcement of the Apple-coined “User Enrollment”. This new enrollment method lets admins provide resources to users, rather than devices, by specifying a Managed Apple ID for each user during the enrollment process (more on Managed Apple IDs below). The device creates a separate managed identity and data partition while still allowing the user to keep a personal Apple ID on the device at the same time. Instead of being prompted with vague, privacy-threatening messaging, users are given a single view to accept the terms and enter their Managed Apple ID and password (see below).

This new management mode gives admins a subset of management functionality. While the full granular list has yet to be published, certain actions are known for sure:

Allowed in User Enrollment:
  • Configure accounts
  • Configure Per-app VPN
  • Install apps
  • Require a passcode
  • Enforce certain restrictions
  • Query information about managed apps
  • Remove any apps or accounts configured

Not Allowed in User Enrollment:
  • Obtain any persistent device identities (like Serial Number, UDID or Exchange ActiveSync ID)
  • Require complex alphanumeric passcodes
  • Clear the device passcode
  • Take over management of an app that a user installed themselves
  • Query information about personal apps
  • Remotely wipe the entire device
  • Access any cellular features
  • Add Payloads that collect logs on the device
  • Add any supervised restrictions to the user's device

Updated 19-Aug-2019: NEW Coming soon to Workspace ONE UEM!


Managed Apple IDs

Managed Apple IDs have been around for several years in Apple School Manager (ASM), letting admins create accounts on behalf of students. This spring, Apple announced the option to federate these accounts and create them by integrating a school’s Microsoft Azure Active Directory. This fall, both capabilities will be coming to Apple Business Manager (ABM) as well. These Managed Apple IDs can be used to configure the User Enrollment mentioned above.


Custom Screens in Automated Enrollment (Devices in ABM)

Since its release, devices added to DEP (now ABM) have had a rigid enrollment process that allowed little customization of the end-user authentication experience. Apple has now announced a major enhancement: MDMs can provide a web page URL to display during the enrollment process, prior to reaching the Setup Assistant screens. With no limitations on this web page, MDM providers can display any options they wish, such as custom terms of use, redirection to a modern auth provider, two-factor auth, and anything else.


Single Sign-On Extension

Apple has added a new Single Sign-On Extension, configurable via profile, that lets admins specify which apps and websites can leverage the extension when performing specific authentications. The purpose is that app developers no longer need to support several different auth methods (e.g. OAuth, SAML, or Kerberos) in their apps and can instead leverage this extension. Enterprises can configure this extension with their preferred authentication for all Apple platforms, but app developers need to add corresponding support in their apps. This will work for different authentication workflows, such as redirects that retrieve a token, or credential challenges.


iOS 13

New iOS 13 features included in both iOS and iPadOS bring updates to existing commands and profile payloads as well as newly announced options.

This year the Workspace ONE team will be publishing the custom XMLs for each new payload and command on our GitHub page for easier access. Follow this page for more information once they are published.


Dynamic Compromised Detection

Dynamic Compromised Detection is a new feature which allows SDK applications to securely update the compromised detection algorithm over the air. This allows a faster turnaround when false positive issues are found: customers and developers with apps on the new SDK versions that support Dynamic Compromised Detection will no longer have to update and/or re-release their apps. It is recommended to ensure your users are on the minimum supported versions, especially for Dynamic Compromised Detection.
Note: The Workspace ONE team has already found an issue in iOS 13 beta 1 giving false positives for compromised detection. We hope to have this resolved as soon as possible.

Certificate validation has been observed to fail if the DNS attribute is not included in the Subject Alternative Name (SAN) of an SSL certificate, even if the hostname is present in the Subject Name. Customers using self-signed SSL certificates for their environments may be affected. See Apple’s support article on certificate requirements for iOS 13 for more information.
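The following Python is an added example (not Workspace ONE code) of the check that iOS 13 applies and that a self-signed certificate often fails: the server name must appear as a DNS entry in the Subject Alternative Name, and a Subject CN on its own is ignored. Certificates are represented as dicts in the shape Python's ssl.SSLSocket.getpeercert() returns; the three certificates below are constructed samples.

```python
# Mirrors the iOS 13 rule described above: the server name must appear as a DNS entry
# in the certificate's Subject Alternative Name; a matching Subject CN alone is not enough.
# Certificates are dicts in the shape Python's ssl.SSLSocket.getpeercert() returns.


def san_dns_names(cert):
    """All DNS-type SAN entries of the certificate (empty if the extension is missing)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_common_name(cert):
    """The Subject CN, used only to explain a failure, never to accept a host."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_name_matches(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        first, dot, rest = hostname.partition(".")
        return bool(first) and bool(dot) and rest == pattern[2:]
    return pattern == hostname


def check_san_for_ios13(cert, hostname):
    """Return (ok, reason) for serving `hostname` to iOS 13 devices with this cert."""
    names = san_dns_names(cert)
    if not names:
        cn = subject_common_name(cert)
        return False, f"no DNS SAN entries; Subject CN {cn!r} alone is ignored by iOS 13"
    if any(dns_name_matches(n, hostname) for n in names):
        return True, f"{hostname} matches a DNS SAN entry"
    return False, f"{hostname} is not covered by DNS SANs {names}"


# Constructed sample certificates (not real certificates).
CN_ONLY_CERT = {  # the typical self-signed failure case: CN only, no SAN
    "subject": ((("commonName", "uem.example.com"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "uem.example.com"),),),
    "subjectAltName": (("DNS", "uem.example.com"), ("IP Address", "10.0.0.5")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
```

For a self-signed certificate your machine does not trust, `openssl x509 -in server.crt -noout -text` prints the X509v3 Subject Alternative Name line to compare against the hostname in the same way.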

Application | iOS 13 Supported Version | iPadOS 13 Supported Version | Dynamic Compromised Detection Support
Workspace ONE Boxer | 5.4.1 | |
Workspace ONE Content | 4.17.1 | |
Workspace ONE Intelligent Hub | 19.03 | |
Workspace ONE Notebook | TBD | |
Workspace ONE PIV D Manager | 1.4.1 | |
Workspace ONE SDK Objective C | 5.9.9 | |
Workspace ONE SDK Swift | 19.2 | |
Workspace ONE Send | N/A | |
Workspace ONE Tunnel | N/A | |
Workspace ONE Web | 7.4 | |
Workspace ONE App | 3.3.5 | |


Exchange

Exchange accounts configured by MDM can now specify which services to enable for the account including Mail, Contacts, Calendar, Notes, and Reminders.
Note: This feature is now available for testing in CN135, CN137, and CN138.


Restrictions

Several existing restrictions are transitioning to supervised devices only for iOS 13. It is important to note that these restrictions will continue to function on unsupervised devices upgrading to iOS 13 that already have these restrictions set. However, if the restrictions are removed or updated, they will cease to take effect. In addition, these existing restriction profiles will not take effect on newly enrolled iOS 13 devices. These are the restrictions changing to supervised only:

  • iTunes
  • Safari
  • Camera
  • FaceTime
  • Explicit content
  • iCloud backup
  • iCloud document synchronization
  • iCloud Keychain synchronization
  • Adding Game Center friends
  • Multiplayer gaming in Game Center

Apple also released new restrictions for additional control. They are all for supervised devices only.

  • Prevent Find My Friends
  • Prevent Find My iPhone
  • Prevent QuickPath keyboard (new in iOS 13)
  • Modify whether Wi-Fi is on or off
    Note: The features above are available for testing in CN135, CN137, and CN138.
  • Prevent USB Drive access
    Note: This feature is not yet available for testing.
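As an added example (not one of the Workspace ONE custom XMLs mentioned on this page), the Python below parses a constructed restrictions profile and flags every restriction it sets that only takes effect on supervised iOS 13 devices, which is exactly what silently stops applying on a newly enrolled unsupervised device. Key names follow Apple's Restrictions (com.apple.applicationaccess) payload; the mapping from the plain-English names above to those keys is this example's own assumption, so verify it against Apple's Configuration Profile Reference.

```python
import plistlib

# Restrictions keys that are supervised-only from iOS 13 on, mapped to the wording of the
# lists above. Assumed mapping (verify against Apple's Configuration Profile Reference).
SUPERVISED_ONLY_IOS13 = {
    "allowiTunes": "iTunes",
    "allowSafari": "Safari",
    "allowCamera": "Camera",
    "allowVideoConferencing": "FaceTime",
    "allowExplicitContent": "Explicit content",
    "allowCloudBackup": "iCloud backup",
    "allowCloudDocumentSync": "iCloud document synchronization",
    "allowCloudKeychainSync": "iCloud Keychain synchronization",
    "allowAddingGameCenterFriends": "Adding Game Center friends",
    "allowMultiplayerGaming": "Multiplayer gaming in Game Center",
    "allowFindMyFriends": "Prevent Find My Friends (new in iOS 13)",
    "allowFindMyDevice": "Prevent Find My iPhone (new in iOS 13)",
    "allowContinuousPathKeyboard": "Prevent QuickPath keyboard (new in iOS 13)",
    "forceWiFiPowerOn": "Modify whether Wi-Fi is on or off (new in iOS 13)",
    "allowFilesUSBDriveAccess": "Prevent USB Drive access (new in iOS 13)",
}

# Constructed sample .mobileconfig: allowCamera and forceWiFiPowerOn need supervision
# on iOS 13, allowScreenShot does not, allowSafari=true restricts nothing.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCamera</key><false/>
      <key>allowSafari</key><true/>
      <key>allowScreenShot</key><false/>
      <key>forceWiFiPowerOn</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""


def is_restricting(key, value):
    """allow* keys restrict when False; force* keys restrict when True."""
    return (key.startswith("allow") and value is False) or (
        key.startswith("force") and value is True)


def supervised_only_restrictions(mobileconfig):
    """Map each set restriction that needs supervision on iOS 13 to its description."""
    profile = plistlib.loads(mobileconfig)
    findings = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, value in payload.items():
            if is_restricting(key, value) and key in SUPERVISED_ONLY_IOS13:
                findings[key] = SUPERVISED_ONLY_IOS13[key]
    return findings
```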


Other Payloads

The table below outlines updates to existing payloads starting in iOS 13.

Single App Mode: Voice Control and use of the keyboard will be added to the list of features that can be configured in Single App Mode.
Wi-Fi: WPA3 will be added to the list of encryption types and will allow both personal and enterprise-level authentication.
Network: App rules are no longer required, and rules for SIMs will be added.
Network Usage Rules: Ed25519 will be added to the list of certificate types.
Per-app VPN: Per-app VPN will support and specify domains from mail, calendar, and contacts.
VPN: Three new values can be used for this payload:
  • Allow local networks
  • Allow any networks
  • Type of provider: app-proxy or packet-tunnel
IKEv2: Four values can be added for this payload:
  • Ed25519 will be added to the list of certificate types
  • ChaCha20Poly1305 will be added to the encryption algorithm types
  • The Diffie-Hellman security setting will add type 31
  • Allow fallback

Note: The Wi-Fi and Network features above are available for testing in CN135, CN137, and CN138.


Commands

Like payloads, updated and net new commands are available for iOS 13 as well. Below are the details for each.


Refresh eSIM plans for iPad*: Allows eSIM plans to be refreshed (supported on Fall 2018 and later iPad models)
Activation Lock: Unlock tokens will only be available:
  • Immediately after a device is enrolled in an MDM solution
  • Before the passcode is set on the device
Set the device name: Will work even if the restriction to prevent a name change is enabled
Security Info: Will return the management status of the device (e.g. User Managed)
Query for profile, provisioning profile, certificate list: Option to only query for managed items of each

Note: *Denotes new command


tvOS 13

tvOS 13 only received a single new restriction to prevent supervised Apple TVs from going to sleep.


macOS Catalina (10.15)

macOS Catalina featured quite a few updates to existing profiles as well as a few new ones mostly porting over payloads that existed on iOS platforms.

This year the Workspace ONE team will be publishing the custom XMLs for each new payload and command on our GitHub page for easier access. Follow this page for more information once they are published.


Supervision

macOS Catalina introduces a management mode that has long existed on iOS, called Supervision. This mode can only be achieved through Automated Enrollment flows via ABM or ASM. Future MDM functionality, such as Activation Lock management, will require the device to be Supervised.


Activation Lock

macOS Catalina brings long-awaited support for Activation Lock, along with a set of management capabilities on Supervised devices. New MDM features will allow administrators to allow or disallow the functionality, enable it automatically, or even clear Activation Lock during reprovisioning.


Profiles

Associated Domains*: Configures Associated Domains used with features such as Extensible Single Sign-on, universal links and Password AutoFill
Web Content Filter*: Use the Content Filter payload to choose which websites the device can view
Certificate: Specify whether the PKCS12 certificate should be tagged as "extractable" in the Keychain
Privacy Preferences Policy Control: MDM administrators can determine which approved apps have access to the following:
  • Downloads folder
  • Event lists
  • File providers
  • Input devices (mouse, keyboard, and trackpad)
  • Media library
  • Network volumes
  • Removable volumes
  • Screen capture
  • Speech recognition
Restrictions: Allow or disallow users from using Handoff with their Apple devices
Dock: Set the window's title bar double-click setting. The options are:
  • Set the open documents window tab to manual, always, or full screen only
  • Show recent apps
  • Minimize
  • Maximize
  • None
VPN: Three new values can be used:
  • Allow local networks
  • Allow any networks
  • Type of provider: app-proxy or packet-tunnel
IKEv2: Four values can be added:
  • Ed25519 will be added to the list of certificate types
  • ChaCha20Poly1305 will be added to the encryption algorithm types
  • The Diffie-Hellman security setting will add type 31
  • Allow fallback

Note: *Denotes new payload


Commands

Like payloads, updated and net new commands are available for macOS Catalina as well. Below are the details for each.

Activation Lock*: New management functionality for supervised macOS devices, similar to iOS devices:
  • Allow Activation Lock to be enabled on supervised devices when the user enables Find My iPhone
  • Enable Activation Lock automatically on supervised Mac computers
  • Get and clear the Activation Lock Bypass Code for reprovisioning scenarios
Local Administrator settings: In OS X 10.11 and later, you can send a command to create a local administrator account on a Mac. In macOS Catalina, additional attributes have been added to this command to also control the behavior of the User Account creation screen:
  • Pre-fill the User Account creation screen with the user's full name, username, and password
  • Lock the User Account creation screen fields from being changed
  • Disable any automatic population of the User Account creation screen fields
Bootstrap Token*: On FileVault-encrypted APFS volumes, users shown at the FileVault login window are each required to have a unique SecureToken to log in successfully. Before macOS Catalina, enabling a mobile account for SecureToken required specific workflows, some of which required entering existing SecureToken-enabled administrator credentials to enable the new user account for FileVault.
The Bootstrap Token command eliminates the need to request any additional existing authentication information when a network user is creating a mobile account on a Mac with an encrypted volume. This command will not be available for local users.
Device Information: Will return the supervision status of the device.
Security Info: Will return the management status of the device (e.g. User Managed)

Note: *Denotes new command


Apple Business Manager & Apple School Manager

Apple Deployment Programs (Volume Purchase Program and Device Enrollment Program) will be moving to Apple School Manager and Apple Business Manager on December 1st. It is recommended to upgrade your environments as soon as possible.

Also, two options for devices added to these programs are being deprecated in the next update. These deprecations were announced a few years ago but are now going live: starting in the fall, optional MDM enrollment and preparing unsupervised devices will be ignored, thus enforcing MDM and supervision on all ABM- and ASM-added devices.

Lastly, there are a few new Setup Assistant screens available on each platform (1 for macOS and 1 for iOS). Look for these to come in a future release of Workspace ONE UEM.


Known Issues

ISDK-173155: False positive compromised detections in iOS 13 beta 1



Support Contact Information

To receive support or provide feedback, either submit a ticket via the My Workspace ONE portal or call your local support line.


Best Regards,
The VMware Workspace ONE Team



2 Comments

    The Workspace ONE Team

    Update: Getting Ready for Apple Fall 2019 Releases

    This Fall Apple will be migrating the mdmenrollment.apple.com URL to a new networking infrastructure. This will result in a change of IP resolution for mdmenrollment.apple.com to a broader range of IP addresses. In order to make sure there are no connectivity issues to mdmenrollment.apple.com, please verify connectivity from your Workspace ONE servers to the below IP ranges in addition to the current ACLs:

    • 17.248.128.0/17
    • 17.248.192.0/19
    • 2620:149:a40::/46
    • 2a01:b740:a41::/48
    • 2403:300:a41::/48
    • 2403:300:a50::/48

    Support Contact Information

    To receive support, either submit a ticket via the My Workspace ONE portal or call your local support line.


    Best Regards,

    The VMware Workspace ONE Team


    The Workspace ONE Team

    Update Regarding Apple Fall 2019 Releases and Workspace ONE UEM

    The User Enrollment section of this article has been updated. We have a new video showing the updated enrollment workflow for users.

    Updated 19-Aug-2019: NEW Coming soon to Workspace ONE UEM!

    Support Contact Information

    To receive support, either submit a ticket via the My Workspace ONE portal or call your local support line.


    Best Regards,

    The VMware Workspace ONE Team
