@tygermatt
Last active September 12, 2022 10:02
What's New in Managing Apple Devices
https://developer.apple.com/videos/play/wwdc2022/10045/
===
= Notes by Matt (Tyger) Lemieux ~ Editorial remarks are my own (and marked as such), as are mistakes and errors in interpretation.
= They are not the opinions or interpretations of Apple or my employers. Your mileage may vary.
===
== Previous Announcement Recap ==
= Declarative Device Management =
- This is a change originally announced last year which changes the model for the interactions between a managed device and the management server.
- It's primarily of interest to MDM developers; however, it's important that your MDM vendor is starting to leverage these new APIs, since the old APIs are likely to eventually disappear and new features will not be available in the older model.
- 2021 WWDC Presentation: https://developer.apple.com/videos/play/wwdc2021/10131/
- 2022 Updates WWDC Presentation: https://developer.apple.com/videos/play/wwdc2022/10046
= Apple Business Essentials =
- Apple's new (as of this year) offering that combines enterprise AppleCare support with an MDM implementation and additional iCloud storage.
- Primarily aimed at small business customers
- EDITORIAL REMARK: In competition with Jamf Now
- 2022 WWDC Presentation: https://developer.apple.com/videos/play/wwdc2022/110335
= Managed Device Attestation =
- New security feature (as of this beta cycle) that uses the Secure Enclave to provide high-grade attestation of a device's identity and software version.
- 2022 WWDC Presentation: https://developer.apple.com/videos/play/wwdc2022/10143
== Apple Configurator ==
- Apple announced Apple Configurator for iPhone at WWDC 2021
- https://developer.apple.com/videos/play/wwdc2021/10297/
- Primary use-case was for adding Macs purchased outside of normal business channels into Automated Device Enrollment (ADE)
- Version 1.0.1 added the ability to take advantage of existing networking configuration on the iPhone for setting up the Mac that you just added to Apple Business Manager (ABM) or Apple School Manager (ASM)
- As of iOS 16, Apple Configurator for iPhone can now add iPhones and iPads into ADE.
- There are minor differences in the process for iPhones and iPads versus Macs.
- Macs need to scan the Country / Region screen.
- iPhones and iPads will need to scan the Wi-Fi screen.
- Any devices requiring interactive activation, such as Activation Lock or cellular carrier activation, need to be handled manually before being added.
- The macOS version of Apple Configurator still supports these processes by connecting via a USB cable.
- iPhones and iPads running iOS 16 can be added using the currently available version of Apple Configurator for iPhone
== Identity / Single Sign-On (SSO) ==
- The ultimate goal is to have end-users only need to authenticate to the device once and then have that authentication follow-through to all the resources that are tied to that identity.
- For federated authentication, Apple Business Manager now integrates with Google Workspace as an identity provider.
- Remember to use Directory Sync with either Azure AD or Google Workspace to automatically create Managed AppleIDs for your users.
= Sign In with Apple =
- You can now leverage Managed AppleIDs for authentication in supported apps.
- You can allow this for all apps or an explicit list of apps in ABM or ASM.
- 2022 WWDC Presentation: https://developer.apple.com/videos/play/wwdc2022/10053
= OAuth v2 =
- In iOS 16, Apple has added support for OAuth v2 as an additional authorization mechanism.
- This should allow MDM vendors to support a wider base for Identity Providers for MDM-based authentication.
- Additionally, this allows for improved security through the use of short-lived access tokens that can be silently refreshed over time without requiring further user interactions.
- OAuth is available via the existing account-based management workflows.
= Enrollment SSO =
- Combines Account-based device enrollment for BYOD MDM and existing SSO extensions to create a single experience for enrolling a device AND provisioning access to apps that make use of the existing SSO extensions.
- Workflow Overview
- Users enter their email address in Settings.app
- Users are then prompted to download an app with an enrollment SSO extension which provides a native experience for performing the authentication steps.
- Because this makes use of an enrollment app, you should be able to leverage **ANY** existing SSO technologies that you're currently using with your managed devices.
- Users will sign in once to kick off the enrollment flow and then should be able to use that same authorization for any existing applications that make use of the SSO extensions
- Requirements for Enrollment SSO
- An SSO Extension App <-- IdM provider's app needs to support Enrollment SSO
- MDM Support <-- MDM Vendor needs to support federated enrollment authentication with an IdM
- Managed AppleIDs (MAIDs) <-- Admins are required to set up MAIDs in ABM or ASM
- Enrollment SSO Configuration <-- Configure MDM to return a URL to the JSON document in the authentication response headers (ie: configure SSO in your MDM server for enrollment purposes)
- There is an extensive discussion of the technical underpinnings of this enrollment process.
- It's more complex than I can capture in this format; if you're curious, I recommend watching the video.
- The feature will not be available until a later dot-release of iOS / iPadOS 16.
- App Developers who wish to develop apps for this workflow will need to apply for a new entitlement.
- There is a special Test Mode mechanism for testing this prior to the release of the iOS / iPadOS version supporting this feature OR the release of your app.
- Enable Enrollment SSO Test Mode in the Developer section of Settings
- Configure the appropriate authentication response (ie: make SSO happen)
- Begin the Enrollment flow in Settings
- Install the SSO app via Xcode, TestFlight or Enterprise Distribution
- Complete the Enrollment workflow.
- NOTE: There are differences in the SSO authentication configuration for Test Mode.
= Platform Single-Sign On =
- Previously, Apple introduced SSO extensions to allow end-users to authenticate to services after a device login. This led to scenarios where users would need to log in (often using the same credentials) up to 3 times in a row in order to properly and fully authenticate to a device.
- Now, Apple has released Platform SSO to completely unify the experience between the device unlock and the subsequent SSO extension workflows and allow users to authenticate to SSO-bound services simultaneously with device unlock.
- The Authentication Experience
- Initial login via a local account password (to avoid issues with network connectivity)
- Subsequent unlocks would require the identity-provider password
- Authentication can occur via a password or a Secure Enclave-backed key.
- SSO tokens are then retrieved, cached and optionally shared with the SSO extension.
- Kerberos TGTs can also be supported with the built-in Kerberos SSO extension.
- Changes in identity-provider password are validated on device unlock.
- Implementation
- Platform SSO uses native OAuth v2 + OpenID support, doesn't use WebViews for authentication
- This is the modern replacement for AD Binding and Mobile Accounts. (HINT, HINT!!)
- The Identity provider is ONLY consulted when a new password is being used OR on initial SSO token retrieval.
- This means that it's not necessarily consulted on every login or unlock.
- Directory Services are not used directly.
- Empty or Negative Responses from IdM do NOT prevent local login
- Apple recommends other strategies such as MDM to revoke access more directly.
- Requirements
- IdP needs to implement the SSO protocol and update their SSO extension.
- Update the Extensible SSO profile via MDM to support the new keys required.
- Push the new profiles out to your endpoints.
- More details are available in the Apple Platform Deployment Guide
- https://support.apple.com/guide/deployment/ (Not Yet Updated as of 06/07)
== macOS Platform Changes ==
= Software Updates =
- 2021 WWDC Presentation: https://developer.apple.com/videos/play/wwdc2021/10129
- Focus was split between Test, Deploy and Enforce
- This year, the focus is primarily on Deployment and Enforcement
- Deployment of macOS Software Updates
- Going forward, devices will respond to the ScheduleOSUpdate, OSUpdateStatus and AvailableOSUpdate MDM commands even if the device is in Power Nap or completely asleep.
- There's a new Priority Key for the ScheduleOSUpdate call
- Accepts 'high' and 'low' values
- 'high' value will mimic an update as though the user themselves requested it.
- This key is only supported for **minor** OS updates (eg: dot-releases or security updates)
- Starting in 12.3, OSUpdateStatus now returns enhanced data about the update state of the Mac
- Deferrals Remaining
- Maximum number of Deferrals available
- Next scheduled install datetime
- Datetimes for any previous notifications to the end-user.
- EDITORIAL REMARK: With proper MDM vendor support, Apple is approaching a native replacement for Nudge.
- Lacking at the moment is a more insistent enforcement mechanism.
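Added example (mine, not code from the gist or from Apple): a small interpreter for the enhanced OSUpdateStatus data described above, the kind of logic an MDM-side "is this Mac falling behind?" report would run. The response body is constructed, and the key names MaxDeferrals, DeferralsRemaining, NextScheduledInstall and PastNotifications are my recollection of the macOS 12.3 schema, so verify them against Apple's published YAML before relying on them.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is deterministic (not a real clock read).
NOW = datetime(2022, 6, 8, 12, 0, tzinfo=timezone.utc)

# Constructed sample of the per-update entries an OSUpdateStatus response carries.
# Key names are assumed (see lead-in); values are invented for illustration.
SAMPLE_RESPONSE = {
    "Status": "Acknowledged",
    "OSUpdateStatus": [
        {
            "ProductKey": "EXAMPLE_MINOR_UPDATE_1",   # placeholder product key
            "IsDownloaded": True,
            "MaxDeferrals": 5,
            "DeferralsRemaining": 2,
            "NextScheduledInstall": NOW + timedelta(hours=36),
            "PastNotifications": [NOW - timedelta(hours=48), NOW - timedelta(hours=24)],
        },
        {
            "ProductKey": "EXAMPLE_MINOR_UPDATE_2",   # placeholder product key
            "IsDownloaded": True,
            "MaxDeferrals": 3,
            "DeferralsRemaining": 0,
            "NextScheduledInstall": NOW + timedelta(hours=2),
            "PastNotifications": [NOW - timedelta(hours=72), NOW - timedelta(hours=24), NOW - timedelta(hours=1)],
        },
    ],
}


def summarize_update(entry, now):
    """Reduce one OSUpdateStatus entry to the fields an admin report cares about.

    Missing keys (older OS, or a field the device did not populate) yield None
    rather than an exception, so a fleet-wide report does not stop on one Mac.
    """
    max_def = entry.get("MaxDeferrals")
    remaining = entry.get("DeferralsRemaining")
    next_install = entry.get("NextScheduledInstall")
    past = entry.get("PastNotifications") or []

    summary = {
        "product": entry.get("ProductKey"),
        "downloaded": bool(entry.get("IsDownloaded")),
        "deferrals_used": None if None in (max_def, remaining) else max_def - remaining,
        "notifications_sent": len(past),
        "hours_until_install": None if next_install is None
                               else (next_install - now).total_seconds() / 3600,
    }

    # State is decided in priority order: no deferrals left means the install
    # is now forced at the next scheduled time, which matters more than anything else.
    if remaining == 0:
        summary["state"] = "deferrals-exhausted"
    elif next_install is not None and next_install <= now:
        summary["state"] = "install-overdue"
    elif not summary["downloaded"]:
        summary["state"] = "not-downloaded"
    else:
        summary["state"] = "pending-user-deferral"
    return summary


def summarize_response(response, now):
    """Summarize every update entry in an OSUpdateStatus response."""
    return [summarize_update(e, now) for e in response.get("OSUpdateStatus", [])]


if __name__ == "__main__":
    for row in summarize_response(SAMPLE_RESPONSE, NOW):
        print(row)
```

The priority order in summarize_update is the design choice worth noting: an entry with zero deferrals left is reported as such even when the scheduled install is still in the future, because that is the device the admin can stop chasing.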
= Rapid Security Response =
- A new software update method for security updates that do not require firmware modification.
- These updates can also be removed by the end-user if necessary.
- New keys supporting this functionality
- allowRapidSecurityResponseInstallation - To block the install of these updates
- allowRapidSecurityResponseRemoval - To prevent users from removing these updates
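Added example (mine, not from the gist or from Apple): a configuration-profile audit for the two Rapid Security Response restriction keys above, parsed with the standard library's plistlib. The sample .mobileconfig is constructed; it shows the weak combination (RSR installs blocked, user removal allowed) next to a harden() pass that rewrites it to the baseline. Payload identifiers and UUIDs in it are placeholders.

```python
import plistlib

# Constructed sample profile (not a real organization's profile): a Restrictions
# payload that blocks RSR installation and lets users remove RSR updates.
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.restrictions.weak</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>example.restrictions.weak.access</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>allowRapidSecurityResponseInstallation</key><false/>
      <key>allowRapidSecurityResponseRemoval</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Baseline: RSR updates may be installed, and users may not remove them.
BASELINE = {
    "allowRapidSecurityResponseInstallation": True,
    "allowRapidSecurityResponseRemoval": False,
}

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"


def restriction_payloads(profile):
    """Yield every Restrictions payload inside a parsed profile."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_PAYLOAD:
            yield payload


def audit_restrictions(profile_bytes, baseline=BASELINE):
    """Return (key, found, expected) for every baseline key that is absent or mis-set.

    An absent key is reported with found=None: the OS default applies, and the
    profile has not pinned the value either way.
    """
    profile = plistlib.loads(profile_bytes)
    seen = {}
    for payload in restriction_payloads(profile):
        for key in baseline:
            if key in payload:
                seen[key] = payload[key]
    return [(key, seen.get(key), want) for key, want in baseline.items()
            if seen.get(key) != want]


def harden(profile_bytes, baseline=BASELINE):
    """Return a copy of the profile with every Restrictions payload set to the baseline."""
    profile = plistlib.loads(profile_bytes)
    for payload in restriction_payloads(profile):
        payload.update(baseline)
    return plistlib.dumps(profile)


def make_profile(restrictions):
    """Build a minimal profile carrying one Restrictions payload (for testing the audit)."""
    payload = {"PayloadType": RESTRICTIONS_PAYLOAD,
               "PayloadIdentifier": "example.restrictions.generated",
               "PayloadUUID": "00000000-0000-0000-0000-000000000003",
               "PayloadVersion": 1, **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadIdentifier": "example.generated",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000004",
                           "PayloadVersion": 1, "PayloadContent": [payload]})


if __name__ == "__main__":
    for key, found, want in audit_restrictions(WEAK_PROFILE):
        print(f"{key}: found {found!r}, baseline expects {want!r}")
    print("after hardening:", audit_restrictions(harden(WEAK_PROFILE)))
```

The same audit takes any baseline dict, so other restriction keys from this session can be added once you have decided the value you want pinned; the point is that an absent key is a finding too, since it leaves the device on whatever the OS default is.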
= Network Requirements for Setup Assistant =
- Starting with a forthcoming release (ie: this enforcement is likely to be added to non-Ventura macOS as well), devices will be required to have Internet connectivity in order to proceed with Setup Assistant and Enrollment any time after their initial enrollment.
- Once the device is online for the first time following the initial enrollment, it will be acknowledged by Apple as owned by your organization if the device is enrolled in ABM or ASM.
- All future enrollments (following remote OR local wipes) will require network connectivity at Setup Assistant and cannot be bypassed.
- AppleSeed for IT release notes will contain more information about the timing of this enforcement in the future.
- https://appleseed.apple.com/it
= profiles Command-Line Tool =
- Starting in Ventura, profiles show/renew/validate commands will be rate-limited to 10 per day when requested from the MDM server.
- After the 10 responses, cached information will be used.
- The MDM API calls for this data can now include a cached flag in order to avoid counting against the 10-per-day limit.
- Complete details about this rate-limiting can be found in the profiles man page.
- EDITORIAL REMARK: You were warned in Monterey that this change was coming.
= Upcoming Security Changes =
- Interactive Certificate Trust
- Starting in iOS 10.3, manually installed certificates were not automatically trusted for TLS purposes and required user interaction in order to provide this trust.
- In 'a future release of macOS', this will also be true for macOS devices.
- This change does NOT affect the trust settings for MDM-provided profile-based certificates; just those certificates that are installed manually.
- You can already specify trust settings certificates distributed via MDM profiles.
- EDITORIAL REMARK: This was already true for most types of certificate trust for manually installed certificates; this just removes the last singular exception. Now, *ALL* types of certificate trust must be explicitly granted by the user if you're not distributing them via an MDM profile (either via a modal pop-up in iOS and iPadOS or via Keychain Access in macOS).
- Accessory Security
- Going forward on portable Apple Silicon devices, by default new Thunderbolt or USB accessories will require explicit user permissions in order to be used with a system.
- Approved accessories can be attached to a locked Mac for up to 3 days (before prompting for unlock and user consent)
- There are additional settings to Always Require, Only Require when Locked and Never Require user permission for attached accessories.
- These settings can be managed using the existing iOS payload allowUSBRestrictedMode, which will now work on macOS devices.
- However, remember that deactivating this requirement can make systems less secure by opening them to arbitrary hardware-based attacks, so only bypass the restriction where absolutely necessary.
= MDM Protocol Changes =
(Listed by a Single Slide and skipping ones discussed previously)
- Payload Updates
- Firewall (AllowSigned, AllowSignedApp)
- SystemsPreferences (since the SysPref pane is now redesigned)
- New Restrictions
- allowUniversalControl
- allowUIConfigurationProfileInstall
- Setup and Migration
- MDM friendly migration
- EDITORIAL REMARK: Sounds interesting; what is it?!
- SkipKey (TermsOfAddress)
== iOS and iPadOS Platform Changes ==
= Network Transport Security Changes =
- Historically, Apple has provided per-app VPN options for network transport security.
- Starting in iOS 16, Apple will be extending these per-app configurations to DNS Proxy and Web Content Filtering.
- Activating these features will be similar to per-app VPN, requiring only a UUID per feature in the respective configuration profiles and an InstallApplication or Settings call that references those features' UUIDs.
- This will 'Just Work'(TM) for all apps that currently support DNS Proxy or Web Content Filtering.
- You can use multiple DNS Proxies, but you can't mix and match system-level proxies with per-app proxies (ie: one or the other, not both).
- There's a limit of 7 per-app Web Content Filters and 1 system-wide filter.
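Added example (mine, not from the gist or from Apple): a consistency check for a set of per-app DNS Proxy and Web Content Filter payloads against the limits stated above (7 per-app content filters, 1 system-wide filter, no mixing of system-wide and per-app DNS proxies) plus a check that every UUID an app references actually belongs to a payload. The modeling choice that a payload carrying a WebContentFilterUUID / DNSProxyUUID is per-app, and one without is system-wide, is my assumption drawn from the notes, not Apple's schema; the payloads and bundle IDs are constructed.

```python
from collections import Counter

MAX_PER_APP_FILTERS = 7   # limit stated in the session
MAX_SYSTEM_FILTERS = 1

# Constructed sample payloads and app attributes (placeholder UUIDs / bundle IDs).
FILTER_A = {"PayloadDisplayName": "Filter A", "WebContentFilterUUID": "11111111-1111-1111-1111-111111111111"}
FILTER_SYSTEM = {"PayloadDisplayName": "System filter"}           # no UUID: system-wide
PROXY_A = {"PayloadDisplayName": "Proxy A", "DNSProxyUUID": "22222222-2222-2222-2222-222222222222"}
PROXY_SYSTEM = {"PayloadDisplayName": "System proxy"}             # no UUID: system-wide
APPS = {
    "com.example.app": {"ContentFilterUUID": FILTER_A["WebContentFilterUUID"],
                        "DNSProxyUUID": PROXY_A["DNSProxyUUID"]},
}


def classify_payloads(payloads, uuid_key):
    """Split payloads into (per-app, system-wide) by presence of the UUID key (assumption)."""
    per_app = [p for p in payloads if p.get(uuid_key)]
    system = [p for p in payloads if not p.get(uuid_key)]
    return per_app, system


def validate(content_filters, dns_proxies, app_attributes):
    """Return a list of human-readable violations; an empty list means the set is consistent."""
    problems = []

    pa_filters, sys_filters = classify_payloads(content_filters, "WebContentFilterUUID")
    if len(pa_filters) > MAX_PER_APP_FILTERS:
        problems.append(f"{len(pa_filters)} per-app content filters, limit is {MAX_PER_APP_FILTERS}")
    if len(sys_filters) > MAX_SYSTEM_FILTERS:
        problems.append(f"{len(sys_filters)} system-wide content filters, limit is {MAX_SYSTEM_FILTERS}")

    pa_proxies, sys_proxies = classify_payloads(dns_proxies, "DNSProxyUUID")
    if pa_proxies and sys_proxies:
        problems.append("system-wide and per-app DNS proxies cannot be mixed")

    # A UUID must identify exactly one payload, or the app-to-feature link is ambiguous.
    filter_uuids = Counter(p["WebContentFilterUUID"] for p in pa_filters)
    proxy_uuids = Counter(p["DNSProxyUUID"] for p in pa_proxies)
    for uuid, count in (filter_uuids + proxy_uuids).items():
        if count > 1:
            problems.append(f"UUID {uuid} assigned to more than one payload")

    # Every UUID an app's attributes reference must resolve to a payload of the right kind.
    for bundle_id, attrs in app_attributes.items():
        cf = attrs.get("ContentFilterUUID")
        if cf and cf not in filter_uuids:
            problems.append(f"{bundle_id}: ContentFilterUUID {cf} matches no per-app content filter")
        dp = attrs.get("DNSProxyUUID")
        if dp and dp not in proxy_uuids:
            problems.append(f"{bundle_id}: DNSProxyUUID {dp} matches no per-app DNS proxy")
    return problems


if __name__ == "__main__":
    print("consistent set:", validate([FILTER_A, FILTER_SYSTEM], [PROXY_A], APPS))
    print("mixed proxies:", validate([], [PROXY_A, PROXY_SYSTEM], {}))
```

Run it before pushing: a dangling UUID in ApplicationAttributes means the app silently gets no filter or proxy at all, which is the failure mode you most want to catch on a managed device.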
= Managing eSIMs =
- This section is largely aimed at MDM vendors to get them to actually support the available keys for querying and managing eSIMs. There's no new information here for MacAdmins.
- There are some minor changes in these commands; so if you're an MDM vendor reading this (WHY!?), go get on that.
= Shared iPad =
- Added ManagedAppleIDDefaultDomains to allow for typing suggestions on the login screen.
- Currently, Shared iPad requires remote (that is, non-local) authentication approx. once every 7 days.
- Starting with iOS 16, local auth will ONLY be used for existing known users to the iPad.
- If you want to manage the amount of time between required remote authentications, use the OnlineAuthenticationGracePeriod.
- Takes an integer value for the number of days between required remote authentications.
- A value of '0' will ALWAYS require remote authentication.
- Shared iPad Quotas
- If you set the quota by users, they'll receive (1 / Number-of-Users) percentage of the overall available space.
- Each new user over the number of users specified deletes the user data of the user with the least-recent login (regardless of the amount of available storage)
- If you set the quota by size, each user can access up to the size of the quota for their data
- However, bear in mind that each new user needs to have their ENTIRE quota of space available in order to login.
- If the new user doesn't have a full quota's worth of space available, the least-recently logged-in user will be deleted (regardless of the number of users)
- Remember that you can make more space available on the device by removing unused apps and content.
- As long as there are no cached users on the device, you can adjust the quotas at any time.
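Added example (mine, not from the gist or from Apple): a toy model of the two Shared iPad quota modes described above, so the eviction rules can be traced. It models only what the notes state: quota by users gives each user a 1/N share and evicts the least-recently-logged-in user once an (N+1)th user signs in regardless of free space; quota by size requires a full quota free for each new user and evicts least-recent users until it is, regardless of user count. Storage sizes and user names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SharedIPad:
    """Toy model of Shared iPad user-data eviction; exactly one of max_users / quota_mb is set."""
    storage_mb: int
    max_users: Optional[int] = None     # quota by users
    quota_mb: Optional[int] = None      # quota by size
    users: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # user -> (last_login_tick, used_mb)
    tick: int = 0                       # monotonically increasing login counter
    evicted: List[str] = field(default_factory=list)

    def __post_init__(self):
        if (self.max_users is None) == (self.quota_mb is None):
            raise ValueError("set exactly one of max_users or quota_mb")

    def per_user_quota_mb(self) -> int:
        # Quota by users: each user gets 1/N of the device; by size: the fixed quota.
        if self.max_users is not None:
            return self.storage_mb // self.max_users
        return self.quota_mb

    def free_mb(self) -> int:
        return self.storage_mb - sum(used for _, used in self.users.values())

    def _evict_lru(self) -> str:
        victim = min(self.users, key=lambda u: self.users[u][0])
        del self.users[victim]
        self.evicted.append(victim)
        return victim

    def login(self, user: str) -> None:
        self.tick += 1
        if user in self.users:
            # Known user: local authentication path, nothing is evicted.
            _, used = self.users[user]
            self.users[user] = (self.tick, used)
            return
        if self.max_users is not None:
            # Quota by users: the (N+1)th user evicts the LRU user even if space is free.
            while len(self.users) >= self.max_users:
                self._evict_lru()
        else:
            # Quota by size: a new user needs a full quota free, however many users exist.
            while self.free_mb() < self.quota_mb and self.users:
                self._evict_lru()
        self.users[user] = (self.tick, 0)

    def write(self, user: str, mb: int) -> None:
        """Record data written by a logged-in user, enforcing that user's quota."""
        last, used = self.users[user]
        if used + mb > self.per_user_quota_mb():
            raise ValueError(f"{user} would exceed the {self.per_user_quota_mb()} MB quota")
        self.users[user] = (last, used + mb)


if __name__ == "__main__":
    by_users = SharedIPad(storage_mb=100, max_users=2)
    for name in ("alice", "bob", "alice", "carol"):
        by_users.login(name)
    print("quota by users evicted:", by_users.evicted)       # bob: least recent login

    by_size = SharedIPad(storage_mb=100, quota_mb=40)
    by_size.login("alice"); by_size.write("alice", 40)
    by_size.login("bob"); by_size.write("bob", 40)
    by_size.login("carol")                                  # only 20 MB free: alice goes
    print("quota by size evicted:", by_size.evicted)
```

The interesting edge case is the second run: two users fit within the size quota, but the third cannot sign in until a whole 40 MB is free, so the device evicts alice even though the user count is small. That is the behaviour the note "regardless of the number of users" warns about.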
= Other Changes =
- Starting in iOS 16, many Accessibility settings can be managed at the device level using MDM profiles.
- TextSize, VoiceOverEnabled, ZoomEnabled, TouchAccommodationsEnabled, BoldTextEnabled, ReduceMotionEnabled, IncreaseContrastEnabled and ReduceTransparencyEnabled
- Idea is allowing for more accessibility in schools and retail settings.
- These settings are NOT locked by setting them via profile and the end-user can adjust them to meet their own needs.
- MDM servers can query these preference values via the DeviceInformation call.
- InstallApplication during Setup
- You can now use InstallApplication during the AwaitDeviceConfigured step.
- Bear in mind that it is unlikely a user exists on the device at this time, so you'll need to leverage device-based app licenses.
- Unsupervised devices will return NotNow until they return to the Home Screen.
- CertificateList will now return NotNow before the initial device unlock following a device restart
- Following a wipe of an AppleTV, the remote will now remain paired to the device.
= MDM Changes =
(Single Slide, previously discussed keys ignored)
- Payload Updates
- Cellular (iOS, iPhone, watchOS)
- ACME (iOS, iPadOS, tvOS)
- Self-Signed Cert (iOS, iPadOS, tvOS)
- Web Content Filter (WebContentFilterUUID)
- DNS Proxy (DNSProxyUUID)
- New Restrictions
- allowMailPrivacyProtection (iOS, iPadOS)
- allowAutomaticScreenSaver (tvOS)
- allowRapidSecurityResponseInstallation (iOS, iPadOS)
- allowRapidSecurityResponseRemoval (iOS, iPadOS)
- MDM Command Updates
- Settings (Accessibility)
- InstalledApplicationList (IsAppClip)
- Settings (SharedDeviceConfiguration)
- [OnlineAuthenticationGracePeriod, SharedDeviceConfiguration]
- DeviceInformation (OnlineAuthenticationGracePeriod, ManagedAppleIDDefaultDomains, DeviceAttestationNonce, Accessibility)
- ApplicationAttributes (ContentFilterUUID, DNSProxyUUID)
- Skip Keys
- TermsOfAddress (iOS, iPadOS)
== Documentation ==
- The source code powering the new format of the Device Management API documentation is now available on GitHub.
- http://github.com/apple/device-management
- The GitHub repo is broken down between MDM and Declarative Management APIs and then by API endpoint
- Each command, profile or declaration has its own YAML file that contains all of the information about that call.
- Each YAML file contains detailed and highly-structured data about each command, profile or declaration.
- This includes data about both command and response schemas.
- Data is currently available going back to iOS 15 and macOS Monterey releases.
- Going forward, each new available version of the OS will have a new branch detailing the effective changes for that branch's OS versions.
- The first beta branches are already available for both iOS 16 and macOS Ventura
- Ultimately, this structured data could be used by MDM vendors to better document and support new MDM functionality in ongoing OS releases.
== Recap and Wrap-Up ==
- Apple Configurator for iPhone now allows you to enroll arbitrary iPhones and iPads into ABM / ASM for use with ADE.
- Identity
- Google Workspace integration with ABM / ASM for Managed AppleIDs
- Enrollment SSO (for iOS and iPad)
- Platform SSO (for macOS)
- macOS
- More information regarding Software Update (via MDM command OSUpdateStatus)
- ADE security improves by requiring Internet access following a wipe or restore
- Security changes regarding Certificate Trust and Accessory Security
- iOS and iPad
- Manage DNSProxy and WebContentFilter on a per-app basis
- Enhancements to Shared iPad
- Changes to MDM protocol, specifically being able to install apps during Setup Assistant
- Machine-readable MDM Protocol Documentation