8/24/2021
A Primer on iOS Management −
What’s New in iOS15
Unified Endpoint Management (UEM) Webinar Series
Copyright © 2021 Ivanti. All rights reserved.
Kate Kim
Sr. Product Marketing Manager - UEM
Host
Global Strategic Marketer with extensive product
marketing and strategic alliance experience in
Cybersecurity and Enterprise Mobility.
Avid world traveler. Korea born Texan. Visited 6
continents and over 50 countries (and counting).
Aruna Kureti
Director, UEM Product Management
Speaker
I have been working in technology for the last 20 years
and at Ivanti, I manage mobile and desktop
device management focused on Apple products.
Love to travel and wish to cover world wonders.
Rafael Kobylinski
General Manager, incapptic Connect
Speaker
Founder of incapptic Connect (now part of
Ivanti), ex-Apple System Engineers Manager
Enterprise & Education and Apple fanboy ever
since. Loves teaching coding to elementary
school kids with Swift Playgrounds.
Agenda
What’s New in iOS15
User Enrollment Model
Additional Resources
Q & A
What’s New in iOS15
iOS15 Highlights
• Declarative Management
• Require Managed Pasteboard
• Required App on Unsupervised Device
• Account Driven User Enrollment
• Redesigned Notifications
• New Code Signature Format
• Apps and Books Improvements
Required App on Unsupervised devices
• Admin can force install single required app
• App Installation does not prompt for user permission
E.g.: MDM service’s agent applications like Mobile@Work or GoClient can be installed which may be necessary for business functions and/or management
No prompt required
Re-designed Notifications
• New look for notifications
• Notifications Summary
• Muting Notifications
• Time Sensitive Notifications
Can manage on supervised devices
Require Managed Pasteboard
• New restriction, "require managed pasteboard": controls whether paste is subject to the Managed Open In rules
• System apps (Calendar, Notes, Mail, Files) will honor the restriction, and all other 3rd party apps require no changes
• As usual, apps installed by MDM will be treated as managed and apps installed by the user will be treated as unmanaged
• If the restriction is imposed, the user will see a "Paste not allowed" notification while trying to paste the content. If the organization name needs to be changed on the notification, use the Organization info settings command
Account Driven User Enrollment
• More streamlined experience for user and admins
• Onboarding flow enables new security features for User Enrollment
Declarative Management
Allows MDM servers to describe the correct configuration to the device and lets the device handle the implementation. (Currently applicable for User Enrollment.)
ABM/ASM Apps & Books Improvements
• Apple announced a new set of APIs to allow MDM providers to
deploy apps and books in a more efficient and scalable manner
• Realtime Notifications
• Asynchronous Processing
Managed Account Display
• Users can now see their managed account, VPN
and the profiles installed in the device at one place
in settings.
• This helps the user to gain a complete
understanding of how their device is managed.
Inclusive Changes
• Airplay - Whitelist -> Allowlist
• Blacklist -> DenyList/Blocked
• forceWifiWhitelisting -> forceWiFiToAllowedNetworksOnly
• BlacklistedURLs -> DenyListURLs
• WhitelistedBookmarks -> AllowListBookmarks
• QoSMarkingWhitelistedAppIdentifiers -> QoSMarkingAllowedListAppIdentifiers
New Code Signature Format
• Updated code signature format to strengthen security
• Some enterprise apps might no longer launch on iOS 15
• App Store and TestFlight apps not affected
• Ivanti's app publishing solution incapptic Connect supports
new format starting with version 1.38.0:
• new versions automatically compatible
• old releases can be automatically re-signed
• Manual and home-grown publishing solutions need to be
adapted (guidance from Apple via Developer Forums and
Apple DTS)
• Make sure you test all your enterprise apps with iOS 15!
User Enrollment Model
User Enrollment
User Enrollment
• Managed Apple ID: In iOS15, improved experience of accessing the managed account in Settings.
• Account is shown on top level settings
• iCloud Drive
• Managed Apps on macOS: In macOS Monterey, the managed apps functionality is expanded to User Enrollment.
• Onboarding: In iOS15, for a more streamlined experience for users and admins, the new User Enrollment onboarding flow establishes the user's organization identity as the entry point.
• Ongoing Authentication: With the new User Enrollment in iOS15, Apple introduced the ability for organizations to re-authenticate the user at any point in time.
Get Started
User Enrollment Onboarding and ongoing authentication is available with iOS15
Following are the 5 steps to get started:
1. Setup and publish
2. Integrate your MDM server
3. Create Managed Apple IDs
4. Update MDM payload
5. Review Apple Documentation
Additional Resources
Apple WWDC21
Sessions - WWDC21 - Apple Developer
Apple WWDC 2021 (ivanti.com)
Q & A
Thank You!


A Primer on iOS Management and What's Changing


Editor's Notes

  • #2: Hello everyone. Welcome to the Unified Endpoint Management (UEM) Webinar Series, A Primer on iOS Management: What’s New in iOS15. In this webinar, we’re going to learn more about key features in iOS15 announced back in June.
  • #3: My name is Kate Kim, Sr. Product Marketing Manager for UEM at Ivanti. I’ll be your host today.
  • #4: Please allow me to introduce my speaker – Aruna Kureti, she is a Director of UEM Product Management at Ivanti.
  • #5: I feel very fortunate having two speakers on this webinar. Rafael Kobylinski, General Manager of incapptic Connect, will walk us through the New Code Signature Format coming with iOS 15.
  • #6: I’ve put together a few agenda items for you today. We’re going to deep dive into What’s New in iOS15 and the User Enrollment Model, followed by Additional Resources and Q & A.
  • #7: We are very excited to talk about iOS15. If you recall, Apple made a notable announcement over WWDC21 in June, including lots of upgrades on iOS 15, the new macOS Monterey, with significant improvements and much more. We’re going to focus on important features to our enterprise customers throughout this webinar. Welcome Aruna, thanks for joining. Looking forward to your insight on What’s New in iOS15. Floor is all yours.
  • #8: Hello again!! I am here to talk about iOS15 new features and upgrades that we are most excited about. Required App on Unsupervised Device: Admin can push one managed app on unsupervised device and ensure that app cannot be removed. Redesigned Notifications: Apple announced new changes coming to notifications on iPhone, including a completely redesigned interface and a new way to summarize notifications based on activities. Notifications have been redesigned, adding contact photos for people and larger icons for apps that make them even easier to identify. To help reduce distraction, a new notification summary collects non-time-critical notifications for delivery at a more opportune time, such as in the morning and evening. Using on-device intelligence, notifications are arranged by priority, with the most relevant notifications rising to the top, and based on a user’s interactions with apps. Urgent messages will be delivered immediately, so important communications will not end up in the summary, and it’s easy to temporarily mute any app or messaging thread for the next hour or for the day. Require Managed Pasteboard: Controls if paste is affected with managed open in rules - If restriction is imposed then user will see Paste not allowed notification while trying to paste the content. Account Driven User Enrollment: In the new version, before the user can request their enrollment profile, admin can require authentication against an onboard MDM service, or against your IdP, and then only let them download their MDM Enrollment profile. At that point, they have to sign in with their Managed AppleID.
Declarative Management: Allow MDM servers to describe the correct configuration to the device, and letting the device handle the implementation. (Applicable for User Enrollment currently.) Apps and Books Improvements: Apple announced a new set of APIs to allow MDM providers to deploy apps and books in a more efficient and scalable manner. Inclusive Changes: Rename White list to allow list, Black List to Deny list. And more importantly we want to share information on New Code Signature Format – and my colleague Rafael will talk through it.
  • #9: Description: On unsupervised devices, MDM can install a single “required” app without prompting for user permission. This is installed as part of the initial MDM profile. Consent to install the app is included during the profile installation. This is useful for installing an application that is necessary for business functions and/or management, such as MDM service’s agent application. (Ex: Install Mobile@Work or GoClient)
  • #10: Redesigned Notifications: Apple announced new changes coming to notifications on iPhone, including a completely redesigned interface and a new way to summarize notifications based on activities. Notifications have been redesigned, adding contact photos for people and larger icons for apps that make them even easier to identify. To help reduce distraction, a new notification summary collects non-time-critical notifications for delivery at a more opportune time, such as in the morning and evening. Using on-device intelligence, notifications are arranged by priority, with the most relevant notifications rising to the top, and based on a user’s interactions with apps. Urgent messages will be delivered immediately, so important communications will not end up in the summary, and it’s easy to temporarily mute any app or messaging thread for the next hour or for the day. For the supervised devices you can still use the existing Notification settings to control the display of notifications.
  • #11: Apple provides Managed Open-In settings within the Restrictions profile. These settings allow you to prevent data and content within managed apps from being moved to unmanaged apps, and vice versa. With Managed Pasteboard settings, Apple provides you with the ability to apply the same restrictions to the copy and paste functionality, meaning that information copied from corporate apps cannot be pasted in unmanaged apps and/or the reverse. If the restriction is imposed, then the user will see a Paste not allowed notification while trying to paste the content. If the organization name needs to be changed on the notification, then admins can use the Organization info settings command.
  • #12: In the new version, before the user can request their enrollment profile, Admin can require authentication against an onboard MDM service, or against your IdP, and only then let them download their MDM Enrollment profile. Users have to sign in with their Managed AppleID. Now there will be a layer of security during the enrollment flow where your MDM server can verify the user before the MDM profile is even downloaded to the device and before any organization data is sent to it. I will talk about this feature in detail in a few minutes.
  • #13: As per Apple, the MDM protocol we use today is “imperative and reactive,” meaning it’s very server-centric: An MDM solution can download profiles and software agents to managed devices, but the control resides in the MDM server that tells those profiles and agents what to do. That model works fine, but it’s got some limitations: Management workflows can have time lags because they rely on back and forth communications between managed devices and the server. When you’re managing a large number of devices, those communications can become even more of a bottleneck. What declarative MDM does is bring responsibility for the management and implementation of policies down to the devices themselves. It will allow devices to be more autonomous, making decisions for themselves, and lighten the load on servers and communications channels. Devices will be able to react to their changes in state and implement management decisions by themselves.
  • #14: Apple announced a new set of APIs to allow MDM providers to deploy apps and books in a more efficient and scalable manner. Realtime Notifications: Receive notifications for state changes for assignments, assets and registered users. Remove the need for continually syncing state. Asynchronous Processing – In the initial version of the API all management was performed synchronously. Asynchronous processing enables server enforced parallelism on Apple's end. This results in processing optimization which leads to large requests being fulfilled more quickly. Order processing reduces the amount of intermittent failures and subsequent retries due to your specific request patterns. This ultimately leads to stress free large deployments. Server Enforced Parallelism. Order processing. Stress-free large deployments.
  • #15: Users can now see their managed account, VPN and the profiles installed in the device at one place in settings.  This helps the user to gain a complete understanding of how their device is managed. 
  • #19: The onboarding for user enrollment in iOS devices used to be initiated and controlled by an MDM enrollment profile. The new user enrollment establishes the organization’s identity as the entry point. An additional layer of security is established during the enrollment flow. The MDM server can now verify the user even before the MDM profile is downloaded to the device. Let's see how it works.
  • #20: Managed Apple ID: When the device is user enrolled, the account is shown on top level settings. From there the user can view details and settings for iCloud. With this, settings reflect the clear separation of content for company owned and personal content. New in iOS15 and macOS Monterey, Managed Apple ID supports iCloud Drive. iCloud Drive is an important feature of the iCloud account and will be available to user enrolled devices. On iOS and iPadOS it shows in the new location in the Files app and on macOS as an additional location in Finder. With iCloud Drive for Managed Apple IDs, organizations can now easily provide the user a built-in cloud storage solution. Document Browser based apps will also have access to the additional iCloud Drive, and of course iCloud Drive will respect Managed Open In restrictions for managed apps and data access. Managed Apps on macOS: In macOS Monterey the managed apps functionality is expanded to User Enrollment. Like iOS, app data is separated on a different volume and managed apps/data can be removed with unenrollment or an MDM command. And when that happens the container is also erased. Best practice/recommendations from Apple to enhance user experience - Use data protection keychain and App Sandbox to ensure data is stored on the enterprise volume/correctly separated. Onboarding: Personalized and user driven experience. The onboarding experience in iOS 13 is initiated and driven for MDM profile. The profile has to be created per user and distributed by admin. In iOS15, for a more streamlined experience for users and admins, the new User Enrollment onboarding flow is created to establish the user's organization identity as the entry point. Users are already aware of signing into their organization's identity to set up services like mail and calendar, so they are familiar with MDM setup using their organization identity. This onboarding flow enables new security features for User Enrollment.
Now there will be a layer of security during the enrollment flow where your MDM server can verify the user before the MDM profile is even downloaded to the device and before any organization data is sent to it. There are four components to the User Enrollment onboarding flow. Service Discovery - Device identifies the organization's MDM server. User Authentication - How the MDM server validates the user. Session Token - Issuing a session token, which is how ongoing authentication is performed. Enrollment - Installation of the MDM payload to the device. Details - When the user starts the onboarding flow, they are prompted to enter the organization identifier. This identifier has two main pieces. The first piece is the user ID and the second piece is the organization domain or subdomain. After the user has entered the organization ID, the device takes the domain portion of the identifier and turns that into an HTTPS URL pointing to a well-known HTTP resource at that domain. This discovery URL is where you host your MDM server document that tells the device where the enrollment endpoint is. The device then performs a GET request to the URL expecting to get back a JSON document. The received JSON object includes a version key to let the device know what type of enrollment the server supports and a base URL key that specifies the URL of the MDM server's enrollment endpoint. With this information the device is ready to request the MDM enrollment profile from the server. The device posts a property list to the server's enrollment endpoint with various device attributes. Ongoing Authentication: With the new User Enrollment in iOS15, Apple introduced the ability for organizations to re-authenticate the user at any point in time. This makes it possible for the server client connection to be more secure than ever. MDM servers can validate authorization for every request from the client and ask the user to re-authenticate their identity credentials at any point of time. This functionality is performed through the use of the session token.
If authentication fails then the user will be prompted in Notifications to re-authenticate. Un-enroll - prior to iOS 15, profile based User Enrollment treated an HTTP 401 response from the server as an un-enroll command. With the new User Enrollment, a 401 response will be used for re-authentication instead. To trigger un-enroll, admin can still use the existing mechanism of sending the remove profile command for the MDM enrollment profile. This will result in full MDM un-enroll including managed account, managed data, and the data separated volume, which will be removed from the device. All un-enroll behavior of profile based enrollments, including the user enrollment flow from iOS13, remains unchanged.
  • #21: 1. Setup and publish HTTP well known resource file for your enterprise domain  2. Integrate your MDM server with your IDP to perform user authentication during enrollment and take advantage of ongoing authentication for added security benefit  3. Create Managed Apple IDs or already created Apple IDs from ASM/ABM to populate assigned managed Apple ID key in your server's MDM payload.  4. Update your MDM payload to also include the Enrollment Mode key  5. Review Apple Documentation for iOS15 for any further details
  • #22: Here I’ve added a few links to learn more about the WWDC21 announcement, and there are over 200 sessions available to you. We at Ivanti also published a couple of blogs back in June and July, so please go ahead and read them as to how Ivanti can leverage the new OS features and support in our UEM platform.
  • #23: Q1. Will the Declarative MDM be supported right away? Q2. Will I see significant change in the current MDM solution with Declarative MDM? Q3. Will Apple or the MDM solution provider set up and publish the HTTP well-known resource file for the enterprise domain?
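
The service-discovery step described in note #20 (and step 1 of "Get Started"), as an added example that is not code from Ivanti or Apple: a pre-publication check an admin could run on the well-known document, since that file decides which server devices enroll with. The resource path `/.well-known/com.apple.remotemanagement` and the `Servers`, `Version`, `BaseURL` and `mdm-byod` names are taken from Apple's account-driven enrollment documentation rather than from this page; the sample documents, domains and approved-host list are constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Path and key names per Apple's account-driven enrollment documentation
# (assumption: not stated on this page, which only mentions "a well-known
# resource", "a version key" and "a base URL key").
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
USER_ENROLLMENT_VERSION = "mdm-byod"

# Strict ASCII hostname: dot-separated labels, alphabetic TLD.
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def discovery_url(identifier: str) -> str:
    """Turn 'user@domain' into the HTTPS discovery URL the device would fetch."""
    user, sep, domain = identifier.strip().rpartition("@")
    if not sep or not user or not domain:
        raise ValueError("identifier must look like user@domain")
    domain = domain.lower().rstrip(".")
    # Only a bare hostname is acceptable: no path, port, userinfo or whitespace.
    if not HOST_RE.fullmatch(domain):
        raise ValueError(f"domain part is not a plain hostname: {domain!r}")
    return f"https://{domain}{WELL_KNOWN_PATH}"


def check_discovery_document(raw: str, approved_hosts: set) -> list:
    """Return a list of problems; an empty list means the document is acceptable.

    approved_hosts is the admin's own list of MDM enrollment hosts (hypothetical
    parameter for this example). A BaseURL outside it would send enrolling
    devices to a server the organization does not control.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["missing or empty 'Servers' array"]

    problems = []
    for i, entry in enumerate(servers):
        if not isinstance(entry, dict):
            problems.append(f"Servers[{i}]: entry is not an object")
            continue
        version, base = entry.get("Version"), entry.get("BaseURL")
        if version != USER_ENROLLMENT_VERSION:
            problems.append(f"Servers[{i}]: unexpected Version {version!r}")
        if not isinstance(base, str):
            problems.append(f"Servers[{i}]: BaseURL missing or not a string")
            continue
        try:
            parts = urlsplit(base)
        except ValueError:
            problems.append(f"Servers[{i}]: BaseURL cannot be parsed")
            continue
        if parts.scheme != "https":
            problems.append(f"Servers[{i}]: BaseURL is not https")
        if parts.username or parts.password:
            problems.append(f"Servers[{i}]: BaseURL carries credentials")
        host = (parts.hostname or "").lower()
        if host not in approved_hosts:
            problems.append(f"Servers[{i}]: host {host!r} is not an approved MDM host")
    return problems


# Constructed sample documents (not captured from any real deployment).
GOOD_DOC = '{"Servers": [{"Version": "mdm-byod", "BaseURL": "https://mdm.example.com/enroll"}]}'
BAD_DOC = '{"Servers": [{"Version": "mdm-byod", "BaseURL": "http://mdm.example.net/enroll"}]}'

if __name__ == "__main__":
    print(discovery_url("alice@example.com"))
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_discovery_document(doc, {"mdm.example.com"}))
```

Run the check against the file before it is published and again from monitoring afterwards, so an unexpected change to the enrollment endpoint is caught.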