Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional grade platform all the solutions necessary to seamlessly and automatically deploy, manage, and protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
WWDC has come and gone once again, and there are a number of key updates coming to the IT world this fall. One note before we begin: now is the time to test your device workflows, apps, etc. Bugs that are reported early in the beta process are the ones that get fixed.
With macOS 27 and iOS 27, the transition to declarative device management is no longer a forward-looking roadmap notice from Apple. It’s the standard. By moving legacy configurations into the declarative model and introducing powerful new native controls, Apple is giving IT departments the tools to keep Apple the best vendor for IT endpoints.
About Apple @ Work: Bradley Chambers has been an Apple IT admin since 2009. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise grade WiFi, 1000s of Macs, and 1000s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, share stories from the trenches of IT management, and ways Apple could improve its products for IT departments.

The end of the legacy profile
The most significant IT announcement is the migration of legacy configurations into DDM. Using the new ProfileAssetReference key, IT teams can now wrap legacy configuration profiles within the declarative model. There is a critical thing to know, though: system processes are now enforcing TLS 1.2+ requirements for device management services. If a device management vendor isn’t updated to meet these standards, essential management tasks like enrollment, profile installation, and software updates will simply fail. This is the first thing every admin needs to audit as soon as possible.
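One way to start that audit, as an added example that is not from the original article or from Apple: a Python script that attempts a handshake with TLS 1.2 as the floor against each management endpoint and separates protocol failures from certificate and reachability problems. The hostnames are placeholders, and the check runs from an admin workstation using Python's `ssl` module, so it approximates what the device's system processes will require rather than reproducing them.

```python
import socket
import ssl

# TLS versions that satisfy the "TLS 1.2+" requirement described above.
ACCEPTED = {"TLSv1.2", "TLSv1.3"}


def probe_tls(host, port=443, timeout=5.0):
    """Handshake with TLS 1.2 as the floor; return the negotiated version."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def classify(host, port, probe=probe_tls):
    """Return (host, port, status, detail) for one management endpoint."""
    try:
        version = probe(host, port)
    except ssl.SSLCertVerificationError as exc:
        # Not a protocol-version problem, but it breaks management traffic too.
        return (host, port, "CERT_ERROR", getattr(exc, "verify_message", str(exc)))
    except ssl.SSLError as exc:
        # Typical when the server cannot negotiate anything at or above the floor.
        return (host, port, "TLS_FAIL", getattr(exc, "reason", None) or str(exc))
    except OSError as exc:
        # DNS failure, refused connection or timeout: TLS support is unknown.
        return (host, port, "UNREACHABLE", str(exc))
    status = "OK" if version in ACCEPTED else "TLS_FAIL"
    return (host, port, status, version)


def audit(endpoints, probe=probe_tls):
    """Classify every (host, port) pair; `probe` can be swapped for testing."""
    return [classify(host, port, probe) for host, port in endpoints]


if __name__ == "__main__":
    # Placeholder hosts (assumption): substitute the enrollment, check-in and
    # asset-hosting hosts your device management vendor documents.
    ENDPOINTS = [("mdm.example.com", 443), ("assets.example.com", 443)]
    for host, port, status, detail in audit(ENDPOINTS):
        print(f"{status:<12}{host}:{port}  {detail}")
```

Any endpoint reported as `TLS_FAIL` or `CERT_ERROR` is worth raising with the vendor before the beta devices reach production workflows.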
Additionally, devices running the new operating systems will no longer restore device management information from a backup. Instead, they will automatically run through Automated Device Enrollment after the restore is complete, ensuring the device receives the current management state rather than a stale configuration. This alone will save help desks countless hours of troubleshooting.
Software updates and Apple Intelligence
Apple officially killed legacy software update management. Software update commands and queries no longer function in the new operating system releases. IT teams must now use declarative software update management to configure and enforce updates.
Apple is also moving the management of on-device intelligent systems entirely to declarative configurations. IT teams can get granular control to allow or deny device-wide Apple Intelligence features, including Genmoji, Image Playground, and Writing Tools. If you do not want these features running in your environment, you finally have a supported way to shut them down.
Endpoint Security and privacy
In macOS 27, Apple is providing an enterprise-grade solution for app execution. Using the existing (and reliable) Endpoint Security framework, administrators can now deploy declarative rules to allow or deny the execution of specific app binaries. This is a massive win for security compliance, especially for organizations that need to prevent the execution of unapproved command-line tools or non-managed binaries.
To combat prompt overload on the user side (this has been a real problem), Apple is introducing a new consolidated privacy consent prompt that appears when an app is launched for the first time. IT administrators can provide a custom justification string and recommend default privacy settings, making users much more likely to make the correct choice when granting permissions.
Identity management and onboarding
Identity management is getting some attention this fall. Platform SSO is evolving to support web-based authentication flows directly at the login window. This brings full support for modern MFA, custom identity provider flows, and QR code logins. In shared device environments, this solves the friction of authentication while allowing IT to mandate a second factor via Touch ID for both device login and FileVault unlock.
For onboarding, IT teams now have direct control over Mac-to-Mac data migrations during Setup Assistant. Administrators can specify exactly which subfolders and files are required for migration, taking decision-making completely out of the end user’s hands. Return to Service also got major enhancements, most notably the ability to set the device language and region directly in the Automated Device Enrollment profile and to enforce a mandatory software update on a supervised device when it receives the erase command.
Device health monitoring
The Status Channel is evolving into a proactive device health monitor. Managed devices can now report the status of hardware components like the camera, Face ID, etc., directly to your device management server. When things do go wrong, the new TriggerEnhancedLogCollection command lets IT teams turn on remote log collection on supervised devices to dig deeper into the problem.
Volume licensing for app subscriptions
The addition of a volume licensing mechanism for app subscriptions is exciting, as it finally brings the SaaS-heavy world of modern software distribution into the same streamlined management workflows that have long existed for standard volume purchase program distribution. Apple never did ship volume licensing for traditional IAP, so I am glad to see them address it for subscriptions. From a procurement standpoint, this is a huge win for smaller SaaS vendors.
Wrap up
Apple Business was announced earlier this year, and it’s expanding to over 200 countries and regions. This was a huge update Apple could have saved for WWDC as well. Overall, there are many nice enhancements this year. DDM is the standard, and Apple is improving remote IT support with new tools as well.
As always, watch the video or read up on all the technical details.
