Please Note: This article was updated on December 3, 2020. The update added the UEM versions that include the latest features for the Apple Fall 2020 Releases.

Despite its virtual nature, WWDC 2020 launched a bevy of updates for the enterprise in iOS 14, macOS 11 Big Sur, and tvOS 14. This page will be your guide for understanding what we know about these capabilities so far and how best to prepare your organizations this Fall. Typically, iOS major version updates take place in mid to late September, with macOS trailing by a few weeks. Despite the state of things regarding the global pandemic, we are assuming that this timeline will remain unchanged, and any preparation should plan for a mid to late September GA release of these platform updates.

For a briefer summary or a list of all updates announced by Apple, take a look at Apple’s developer pages and our EUC blogs surrounding WWDC. We’re excited about the new announcements from Apple this year and look forward to bringing them to market as part of the Workspace ONE solution for our customers and partners. This year we’re also launching a new sub-space within VMware Communities for Apple related discussions, and we’re looking forward to some impactful community interaction over the next few weeks.

Upgrade to Supported HTTP/2 Version

Even before WWDC, Apple announced it would stop supporting its legacy APNs framework in favor of APNs over HTTP/2. While this capability has been supported for a while in Workspace ONE UEM, it was not enabled for all versions. To ensure APNs over HTTP/2 has been successfully enabled, upgrade your environment to major version 1905+ and check out our dedicated HTTP/2 page for specific patch information: KB78976.

General

These updates will be general to all Apple platforms or web services. If there are any differences in these by platform, those will be called out specifically.
Automated Device Enrollment (formerly DEP) skip screens

Apple has added 3 new skip screens to the Automated Device Enrollment profile. All of these options will be skipped by default in Workspace ONE UEM.

Updated 7-Aug-2020: The following features are now available in CN135, CN137, CN138!
Updated 3-Dec-2020: The following features are publicly available in UEM 2008 and higher.

Platform | Screen skipped
macOS 11 Big Sur | Accessibility
iOS 14 | Get Started
iOS 14 | Update Completed

SSO Extension

Updated 3-Dec-2020: The following features are publicly available for iOS in UEM 2010 and for macOS in UEM 2011 and higher.

The single sign-on extension was a new payload introduced in iOS 13 (and macOS 10.15). This year Apple added a few enhancements.

· User channel support – Available in UEM 2010+
  o This allows the SSO extension to be installed on the user channel as opposed to the device channel, for use in macOS (2011+) and Shared iPad (2010+).
  o Any user channel profiles will take precedence over device profiles if there is conflicting information.
  o It is recommended to consider using the user channel profile for SSO extensions where possible.
· Per app VPN support – Available in UEM 2010+
  o Admins can configure a list of associated and excluded domains to use with a particular per app VPN configuration.
  o Associated domains allow traffic from an app to the extension to go through the per app VPN to access on-premise resources like an IDP.
  o Excluded domains allow some domains to not be sent through the per app VPN if the resource lives in a trusted cloud.
  o There is also a new direct download feature that ensures the domains are accessed directly by the device and not using the new Apple Content Distribution Network (CDN). This is sent using the App Attributes on iOS 14 and the Associated Domains payload on macOS 11 Big Sur.
· Built-in iOS and macOS Kerberos extension – Available in UEM 2010+
  o General
    § All options are profile keys for the SSO Extension payload.
    § Custom help text to provide instructions to help the user during your organization's sign in process.
  o macOS
    § Custom organization name to help the user know which IDP they are signing into.
    § Option to delay the setup of the extension until the first Kerberos challenge is received.
    § Settings payload is now supported on the user channel. (Available in UEM 2011+)
  o iOS
    § Option to require all apps that call the extension to be managed.

Check out the Apple WWDC 2020 video on this for more info: https://developer.apple.com/videos/play/wwdc2020/10139

Configuration profile updates

Below is the list of all common profile updates coming to both iOS 14 and macOS 11 Big Sur. All features are available for both supervised and unsupervised devices unless otherwise specified.

Payload | Feature | Description | Link to XML | Status
SCEP | 4096 key sizes | Key size can now be 4096 bits. | Link | Available in UEM 2008+
Wi-Fi | Prevent MAC address randomization | MAC address randomization can now be disabled when associating with a Wi-Fi network. This is a new behavior in iOS 14 and macOS 11 Big Sur. | Link | Available in UEM 2010+
VPN (Per-App VPN) | Associated and Excluded domains | Now allows apps to be associated with specific internal websites and segments website traffic so some parts of the app can use different VPN tunnels. | Link | Available in UEM 2010+
VPN | Set MTU | Added specification of the Maximum Transmission Unit (MTU), in bytes. | Link |

MAC address randomization

Updated 3-Dec-2020: The following feature is publicly available in UEM 2010 and higher.

Apple platforms use a randomized Media Access Control (MAC) address when performing Wi-Fi scans while not associated with a Wi-Fi network. This feature can be disabled either by the user or using a new option in the Wi-Fi payload. Under certain circumstances, the device will fall back to the actual MAC address.
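One way to produce and then check the Wi-Fi payload option described above, as an added Python example that is not code from this article or from Workspace ONE UEM: it assumes the key name DisableAssociationMACRandomization from Apple's Wi-Fi payload, uses constructed SSIDs and identifiers, and includes an audit pass over an existing Custom XML profile that reports which networks still allow a randomized address on association.

```python
import plistlib
import uuid

# Apple's Wi-Fi payload type. DisableAssociationMACRandomization is the
# iOS 14 / macOS 11 key the article refers to; the key name is taken from
# Apple's Wi-Fi payload documentation as I recall it, so verify it there.
WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"


def wifi_payload(ssid: str, disable_mac_randomization: bool) -> dict:
    """Build one WPA2 Wi-Fi payload dictionary for a Custom XML profile.
    SSID and identifiers are constructed sample values."""
    return {
        "PayloadType": WIFI_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{ssid.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "HIDDEN_NETWORK": False,
        "EncryptionType": "WPA2",
        # True: the device associates with its real hardware MAC address.
        "DisableAssociationMACRandomization": disable_mac_randomization,
    }


def profile_xml(payloads: list) -> bytes:
    """Wrap payloads in a top-level configuration profile and serialize as plist XML."""
    top = {"PayloadType": "Configuration", "PayloadVersion": 1,
           "PayloadIdentifier": "com.example.wifi-profile",
           "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadContent": payloads}
    return plistlib.dumps(top)


def audit_mac_randomization(xml: bytes) -> dict:
    """Parse a profile and return {SSID: True} for networks that still allow a
    randomized address on association (key absent or False), False otherwise."""
    profile = plistlib.loads(xml)
    result = {}
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != WIFI_PAYLOAD_TYPE:
            continue
        result[p["SSID_STR"]] = not p.get("DisableAssociationMACRandomization", False)
    return result


if __name__ == "__main__":
    # Constructed sample: corporate SSID pinned to the real MAC, guest left at the default.
    xml = profile_xml([wifi_payload("CorpNet", True), wifi_payload("Guest", False)])
    print(audit_mac_randomization(xml))  # {'CorpNet': False, 'Guest': True}
```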
It appears that the MAC address collected in the device information sample does still return the accurate MAC address.

Apple support article: https://support.apple.com/guide/security/mac-address-randomization-secb9cb3140c/web

iOS 14

As expected, iOS 14 was announced, and its first beta released for developers. Download it at https://developer.apple.com/download/. There were several general and enterprise updates. VMware is already at work to support these capabilities, and this page will be updated as we progress leading up to iOS 14’s GA release.

NOTE: There are still no differences in managing iOS 14 vs iPadOS 14 devices. It is safe to assume that any update to iOS 14 will equivalently apply to iPadOS 14 as well. For simplicity, only iOS 14 will be mentioned going forward.

Prevent removal of iOS apps

A simple but impactful update to app management on iOS is the option to prevent removal of any app installation. This includes enterprise, public, purchased, or custom applications. This is available for supervised and unsupervised devices. This option is disabled by default, and if enabled for an app, the user will be presented with a warning if they attempt to remove the application. Unlike other options in the InstallApplication and InstallEnterpriseApplication commands, the key to prevent removal of an application is part of the application attributes, similar to VPN and Associated Domains. As of Workspace ONE UEM 1910, iOS applications have the option for custom app attributes, so this feature can be configured already. This can be set in the “Tunnel & Other Attributes” section of iOS app assignment settings.

Set and query the device time zone

With iOS 14, admins can set the device time zone and retrieve the current time zone configured. This does not require location services to be enabled on the device to take effect.

Configuration profile updates

Below is the list of all profile updates coming to iOS 14.
All features are available for supervised and unsupervised devices unless otherwise specified.

Payload | Feature | Description | Link to XML | Status
Restrictions | Prevent App Clips | A new feature in iOS 14 is the option to leverage part of an app’s logic without having to install the full app itself. This is a corresponding restriction to prohibit this behavior. | Link | Available in UEM 2008+
Exchange | Per Account VPN | VPN connections can be established on a per account basis, which provides more granular control over which data goes through VPN. Per Account VPN associates a user account with a specific VPN. | Link | Available for supervised and unsupervised devices.
Exchange | Override previous user’s password | Allows the user’s password to be updated in place. | Link | Available in UEM 2008+
Mail | Per Account VPN | Same as the Exchange Per Account VPN row above. | Link |
Contacts (CardDAV) | Per Account VPN | Same as the Exchange Per Account VPN row above. | Link |
Calendar (CalDAV) | Per Account VPN | Same as the Exchange Per Account VPN row above. | Link |
LDAP | Per Account VPN | Same as the Exchange Per Account VPN row above. | Link |
Subscribed Calendars | Per Account VPN | Same as the Exchange Per Account VPN row above. | Link |
Notifications | Prevent notification previews | Prevents apps from displaying a preview, and the type of preview, of a message in a Notification. | Link | Available in UEM 2008+
SCEP | 4096 key sizes | Key size can now be 4096 bits. | Link | Available in UEM 2008+
VPN (Per-App VPN) | Prevent disable on-demand VPN | Added the ability to prevent the user from disabling VPN On Demand. | Link |
Wi-Fi | Prevent MAC address randomization | MAC address randomization can now be disabled when associating with a Wi-Fi network. | Link | Available in UEM 2010+
DNS Settings (NEW!) | Configure encrypted DNS settings | Specify the DNS encryption behavior for specific servers by their IPv4/IPv6 address, hostname, URI, or domains. | Link |
Setup Assistant (NEW!) | Skip Setup Assistant panes | Skip certain Setup Assistant panes after an OS update. This is similar to the Automated Device Enrollment (formerly DEP) profile, which is used to skip Setup Assistant screens during the initial onboarding. | Link | Available in UEM 2011+

Workspace ONE App Support

All supported versions of Workspace ONE UEM generally support iOS 14, macOS 11, and tvOS 14. Any new capabilities introduced in these releases can be configured via Custom XML or will be added in a subsequent Workspace ONE UEM 20.08+ release. Please review our Workspace ONE UEM release notes for more details.

Additionally, we recommend customers be on the latest patches for versions 19.05-20.01 to be ready for Apple’s APNs changes surrounding HTTP/2 coming in November. For more information, please review our dedicated article on the topic here.

The table below is the recommended compatible version of Workspace ONE productivity apps to ensure optimal support for iOS 14 and iPadOS 14 upon its general release. Please review this table to best prepare your devices.
App Name | iOS 14 Supported Version | iPadOS 14 Supported Version
Intelligent Hub | 20.07 | 20.07
Web | 7.16 and above | 7.16 and above
Content | 5.3 | 5.3
Cards | 1.0 |
Notebook | 1.5.0.475 |
Boxer | 5.21 | 5.21
SmartFolio | 1.2 | 1.2
Intelligence SDK | 6.0.1 | 6.0.1
App Wrapping | 6.1.1 | 6.1.1
PIV-D | 20.9 |
SDK - Cordova Plug-in | 2.1 | 2.1
SDK - Xamarin | 2.0 | 2.0
SDK (Objective C) | 5.9.9.10 | 5.9.9.10
SDK (Swift) | 20.5.7, 20.6.3, 20.7.5 | 20.5.7, 20.6.3, 20.7.5
Tunnel | 4.3 | 4.3
Send | 1.3 | 1.3
Workspace ONE | Workspace ONE 3.3.9 | Workspace ONE 3.3.9

macOS 11 Big Sur

macOS received the most updates related to the enterprise this WWDC. The first item to notice is that Big Sur finally introduces a new major version increase from 10.X.X. macOS Big Sur will change to 11.X.X going forward, and the Workspace ONE UEM console will reflect this change in all areas where a version is selected, like enrollment restrictions, compliance policies, and smart groups.

MDM Managed Applications

A great update coming to macOS 11 Big Sur is the introduction of full management commands for macOS applications. As currently designed, these management capabilities are intended only for sandboxed self-contained .app bundles in the /Applications folder. Before Big Sur, macOS App Store applications deployed through Apple Business Manager (formerly called VPP) could only be remotely installed. But unlike iOS, the apps could not be remotely queried, configured, or even removed later. These new enhancements will allow admins to fully manage the configuration and lifecycle of macOS applications deployed through Apple Business Manager using native MDM commands. Apple has also added support to manage a single sandboxed .app bundle that might be installed to the /Applications folder in a signed .pkg using the InstallApplication or InstallEnterpriseApplication command.
However, with the current native MDM feature set available for .pkgs, we believe that these types of software files continue to be best managed via Workspace ONE UEM Internal Apps using the Intelligent Hub agent, to take advantage of the full software management lifecycle features. As such, we will be limiting the new Managed Apps enhancements only to Apple Business Manager apps. But we will be monitoring enhancements Apple may introduce in the future, to continually evaluate our integration support against the needs of the market for managing macOS software.

User Approved MDM enrolled devices will now be Supervised

Starting with macOS 11, device enrollments that are “User Approved” will now be considered Supervised. Any UAMDM device upgrading to macOS 11 or being enrolled for the first time will fall under supervision. This enhancement allows administrators to use more MDM functionality, such as OS Update management or Activation Lock bypass codes.

Software updates

macOS 11 will bring an OS and non-OS update notification experience that closely matches that of iOS. With macOS 11, administrators will have more granularity when managing software updates for supervised devices, including:

· OS updates (major OS version, minor OS version, supplemental and security) and/or non-OS updates (e.g. Safari) can now be deferred.
· Starting with macOS 10.15.4, administrators can defer major updates, such as macOS 11, with the existing software update deferral setting previously only available for minor OS updates.
· Starting with macOS 11, administrators can also separately defer (or not defer) non-OS updates, such as Safari. Update 3-Dec-2020: The above feature is now available in UEM 2010 and higher.
· All macOS update types share the same deferral limit (up to 90 days).
· macOS 11 introduces an MDM command to force a software update of any type, including (if necessary) a restart.

NOTE: In macOS 11, all software updates released during the beta period will be deferrable.
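The deferral settings described above can be expressed as a Restrictions payload; the following Python is an added example, not code from this article or from Workspace ONE UEM. It assumes the key names forceDelayedSoftwareUpdates, enforcedSoftwareUpdateDelay and forceDelayedAppSoftwareUpdates from Apple's Restrictions payload (and Apple's documented 30-day default), enforces the shared 90-day limit, and reads a generated profile back to report what a Mac would apply.

```python
import plistlib
import uuid

# Restrictions payload type. The three deferral keys below are the ones Apple
# documents for this payload as I recall them; treat them as assumed and verify
# them against Apple's Device Management documentation before deploying.
RESTRICTIONS_TYPE = "com.apple.applicationaccess"
MAX_DEFERRAL_DAYS = 90   # the limit shared by all macOS update types
DEFAULT_DELAY_DAYS = 30  # Apple's default when no explicit delay is set (assumed)


def update_deferral_payload(delay_days: int, defer_non_os: bool) -> dict:
    """Defer OS updates by delay_days; optionally defer non-OS updates (e.g. Safari)."""
    if not 1 <= delay_days <= MAX_DEFERRAL_DAYS:
        raise ValueError(f"deferral must be 1..{MAX_DEFERRAL_DAYS} days, got {delay_days}")
    return {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.softwareupdate",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Software update deferral",
        # OS updates (major, minor, supplemental, security) stay hidden from the
        # user for delay_days after Apple releases them.
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateDelay": delay_days,
        # macOS 11 addition: non-OS updates get their own, separate switch.
        "forceDelayedAppSoftwareUpdates": defer_non_os,
    }


def profile_xml(payloads: list) -> bytes:
    """Wrap payloads in a device-scoped configuration profile as plist XML."""
    top = {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
           "PayloadIdentifier": "com.example.softwareupdate-profile",
           "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadContent": payloads}
    return plistlib.dumps(top)


def effective_deferral(xml: bytes) -> dict:
    """Read a profile back and summarize the deferral a supervised Mac would enforce."""
    profile = plistlib.loads(xml)
    summary = {"os_delay_days": 0, "non_os_deferred": False}
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        if p.get("forceDelayedSoftwareUpdates"):
            summary["os_delay_days"] = p.get("enforcedSoftwareUpdateDelay", DEFAULT_DELAY_DAYS)
        summary["non_os_deferred"] = bool(p.get("forceDelayedAppSoftwareUpdates"))
    return summary


if __name__ == "__main__":
    # Constructed sample: hold OS updates 30 days and Safari-style updates as well.
    xml = profile_xml([update_deferral_payload(30, True)])
    print(effective_deferral(xml))  # {'os_delay_days': 30, 'non_os_deferred': True}
```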
Zero Touch Apple Business Manager enrollment

A fantastic feature that allows Apple TVs to “Auto Advance” through the Setup Assistant screens during Apple Business Manager enrollment is coming to macOS 11. This functionality also requires the Mac to be connected to ethernet. After powering the device on, the Mac will automatically enroll to Workspace ONE via ABM, skip all Setup Assistant screens, and finish at the macOS login window. The user can then enter a known username and password, such as the optional auto admin account or a mobile/network account.

Updated 7-Aug-2020: The above feature is now available in CN135, CN137, CN138!
Updated 3-Dec-2020: The above feature is now available in UEM 2008 and higher.

Expanded Bootstrap Token management

Updated 3-Dec-2020: The following feature is now available in UEM 2011 and higher.

Bootstrap tokens got an upgrade as well. Previously, if IT administrators wanted to grant accounts a Secure Token on a Mac, they had to create workflows and add individual user accounts. Bootstrap Token was introduced in macOS 10.15 Catalina to provide Secure Tokens to mobile users only. In macOS 11, Bootstrap Tokens can now grant a Secure Token to any user on a supervised Mac, including local users.

Learn more about Bootstrap Tokens in the Deployment Reference for Mac:
• Using SecureToken
• Using Bootstrap Tokens
• When a user sets up a Mac on their own
• When a Mac is provisioned by an organization
• Using command-line tools
Security updates

Profile download and user installation

To increase data security and prevent unintended profile installation, Mac computers not enrolled in an MDM solution require users to manually install both enrollment and configuration profiles. When a profile is downloaded, an alert is shown to the user indicating that they need to finish profile installation in System Preferences. The user must launch System Preferences, navigate to the Profiles preference pane, and select the downloaded profile. At that point the user will see a window describing what the profile does. If no action is taken by the user roughly 8 minutes after the profile is downloaded, the profile is automatically removed from System Preferences.

Workspace ONE UEM will be making some visual UI updates to both Intelligent Hub enrollment and Web enrollment, to enhance the experience for users who are manually enrolling their Macs instead of using Apple Business Manager.

Signed system volume

macOS 11 introduces a cryptographically signed system volume that protects against malicious tampering. Because the system volume is also cryptographically validated, it’s no longer necessary to encrypt it with FileVault to protect system volume integrity against offline attacks. FileVault is still used to encrypt user data on the Data volume of Mac computers running macOS 11.

Serial number changes

In 2021, Apple will update the format of serial numbers for products to a randomized alphanumeric string of 10 characters. Any currently shipping Apple products will retain their current serial number format, and new products may use the updated serial number format. This should have no adverse effects on any supported Workspace ONE UEM environment.

Certificate trust changes

macOS 11 requires confirmation with an administrator password when changes are being made to certificate trust settings in the administrator domain.
Simply making the changes as the root user is no longer sufficient to modify certificate trust. If an administrator needs to install a root certificate when an end user can’t supply an administrator password, the administrator must deploy the root certificate using a configuration profile with the certificate payload.

Configuration profile updates

Below is the list of all profile updates coming to macOS 11 Big Sur. All features are available for supervised and unsupervised devices unless otherwise specified.

Payload | Feature | Description | Link to XML | Status
Software Update | Defer software updates | Defer macOS updates, including supplemental and security updates. Requires supervision. | | Coming soon!
Wi-Fi | Prevent MAC address randomization | MAC address randomization can now be disabled when associating with a Wi-Fi network. | | Coming soon!
DNS Settings (NEW!) | Configure encrypted DNS settings | Specify the DNS encryption behavior for specific servers by their IPv4/IPv6 address, hostname, URI, or domains. | | Coming soon!
Associated Domains | Enable Direct Downloads | This setting specifies if data for this domain should be downloaded directly instead of through a CDN. The entitlement value for this domain must be set to service:domain?mode=managed or it will be ignored. | | Coming soon!
File Provider Settings (NEW!) | File Provider Settings | This new profile payload will have one setting to enable file providers' access to the path of a requesting process. | | Coming soon!
Setup Assistant | Skip Setup Assistant panes | Skip certain Setup Assistant panes after an OS update. This is similar to the Automated Device Enrollment (formerly DEP) profile, which is used to skip Setup Assistant screens during the initial onboarding. | | Coming soon!
SCEP | 4096 key sizes | Key size can now be 4096 bits. | | Coming soon!

Apple Business Manager SCIM Integration

Last year, Apple provided SAML based federation to Azure AD for authentication of users signing into Apple services, such as during User Enrollment and Shared iPad for Business.
This generated a just-in-time Managed Apple ID using the UPN of the user in Azure AD and other user attributes. However, if any of this information changed in Azure AD or the user left the organization, these changes were not reflected in Apple Business Manager. Also, if any setup was required for a user’s Managed Apple ID prior to their first sign in, there was no way to achieve this. In Apple Business Manager this fall, admins can set up System for Cross-domain Identity Management (SCIM) with Azure AD. This synchronizes account information for users up front, so any additions, deletions or updates are recognized by Apple Business Manager (and other Apple services). All authentication will still be federated to Azure AD using the user's corporate credentials. All of this setup and integration will take place in Apple Business Manager exclusively. No changes are needed in Workspace ONE UEM.
Resources

WWDC 2020 Leverage enterprise identity and authentication - https://developer.apple.com/videos/play/wwdc2020/10139/
WWDC 2020 What's new in managing Apple devices - https://developer.apple.com/videos/play/wwdc2020/10639/
Apple Developer Documentation - https://developer.apple.com/documentation/devicemanagement
EUC Blog - https://blogs.vmware.com/euc/2020/07/apple-enterprise-wwdc-2020.html
VMware Technology Network Apple subspace - https://communities.vmware.com/community/vmtn/workspace/apple-platform-workspace-one-uem

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.