What's New in Apple Device Management
Transcript of What's New in Apple Device Management
© 2016 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple.
WWDC16, Session 303
Todd Fernandez, Senior Manager, Device Management & Server
WWDC 2016
Back To School timeline: Evaluate Tools, Order Devices, Buy Apps, Configure Devices
iOS 9.3 (Spring 2016)
Apple School Manager
“Apple School Manager will save our tech staff lots of time—we can manage devices, content, and our student accounts all from one place.”
Patrick Scanlan, Supervisor of Technology & Information Services, San Jose Unified School District
Shared iPad
“Shared iPad will allow our district to transform a cart of shared devices into a personalized learning experience for each student.”
Eric Culpepper, Technology Support Specialist, Goose Creek CISD
Classroom
“Classroom has been an extremely useful tool throughout the school day … to enhance the Project Based Learning that is going on in my classroom. Classroom helps me to keep all my students accountable for their work, while also keeping them extremely engaged in their assignments.”
Ryan Garcia-Ganan, Fourth Grade Teacher, San Jose Unified School District
Spring 2016
Agenda: Getting Started, Distribution, Tools, Management
Getting Started
• Apple deployment programs
• Apple School Manager
• Managed Apple ID
• Enrollment
• Shared iPad
Enterprise (Getting Started)
• Apple deployment programs: Device Enrollment Program (DEP), Volume Purchase Program (VPP)
• Many new settings and commands
Apple School Manager (Getting Started)
• People
• Devices
• Content
People (Apple School Manager)
• Input: SIS integration, CSV upload
• Managed Apple ID: Students, Teachers
• Classes
Managed Apple ID (Apple School Manager)
• Admin accounts
- Tiered administration
- Roles and privileges
• Student accounts
- Required for Shared iPad
- Passcode options
- Disabled services: Commerce, FaceTime, iMessage, iCloud Mail, …
API (Apple School Manager)
• Roster Service
- Users: Students, Teachers
- Classes
API: Transition (Apple School Manager)
• Check during syncs whether the token is now ASM type (API v3)
• Tell DEP you support API v3 by including it in the header
• Customers do not need to download new tokens
API: Best practices (Apple School Manager)
• Handle duplicate records from multiple sources (e.g., LDAP + API)
- Allow admin to configure automatic policy matching criteria
- Allow admin to manually merge records
• source_system_identifier corresponds to CSV “PersonNumber”
- Field is mutable and not guaranteed to be unique!
API: Best practices (Apple School Manager)
• No delta API
- SIS syncing only once per day
- Don't automatically perform a “full sync” more than once per day
- Consider throttling admin-initiated syncs
Devices (Apple School Manager)
• Device Enrollment Program
- Find purchases
- Configure MDM servers
- Assign devices to MDM servers
Content (Apple School Manager)
• Volume Purchase Program
• iTunes U
Enrollment (Getting Started)
• Enrollment optimization
• Security best practices
• Configure Setup Assistant
• MDMServiceConfig
• Shared iPad
Enrollment optimization (Enrollment)
Flow between the MDM Server, the Device Enrollment Program, and the iOS Device or Mac:
1. DEP Settings: the MDM server sets await_device_configured in the device’s DEP profile
2. The device receives its DEP settings during Setup Assistant
3. The device sends TokenUpdate (AwaitingConfiguration) to the MDM server
4. The MDM server sends Commands and Configuration Profiles
5. The MDM server sends DeviceConfigured and the device exits Setup Assistant
Enrollment optimization: Shared iPad (Enrollment)
Flow between the MDM Server and the Shared iPad:
1. User signs in
2. The device sends TokenUpdate to the MDM server
3. The MDM server sends Commands and Configuration Profiles
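An added example (not Apple's code and not from any MDM product) of the server side of both flows above: a check-in handler that queues device-channel profiles plus a final DeviceConfigured when TokenUpdate carries AwaitingConfiguration, and queues only per-user profiles when a Shared iPad user signs in on the user channel. The class, the queue layout, the profile stand-ins and the sample TokenUpdate messages are constructed.

```python
"""MDM check-in handling for enrollment optimization (device channel, steps 3
to 5) and Shared iPad user sign-in (user channel, steps 2 and 3). Added example:
class, queue layout, profile stand-ins and sample messages are constructed."""
import plistlib

# Constructed TokenUpdate bodies as a device POSTs them to the check-in URL.
DEVICE_TOKEN_UPDATE = plistlib.dumps({
    "MessageType": "TokenUpdate", "UDID": "EXAMPLE-UDID", "Token": b"\x01",
    "PushMagic": "EXAMPLE-MAGIC", "Topic": "com.apple.mgmt.External.example",
    "AwaitingConfiguration": True})          # device is parked in Setup Assistant
USER_TOKEN_UPDATE = plistlib.dumps({
    "MessageType": "TokenUpdate", "UDID": "EXAMPLE-UDID", "Token": b"\x02",
    "PushMagic": "EXAMPLE-MAGIC", "UserID": "EXAMPLE-MANAGED-APPLE-ID-GUID"})

DEVICE_PROFILES = ["example.restrictions", "example.wifi", "example.education"]
USER_PROFILES = ["example.accounts", "example.homescreen", "example.notifications"]


def install_profile(name):
    # A real server embeds the signed .mobileconfig bytes; constructed stand-in.
    return {"RequestType": "InstallProfile", "Payload": f"<profile {name}>".encode()}


class MDMServer:
    def __init__(self):
        self.queues = {}   # (udid, user_id or None) -> pending commands, in order

    def handle_checkin(self, body):
        msg = plistlib.loads(body)
        if msg.get("MessageType") != "TokenUpdate":
            raise ValueError("only TokenUpdate is handled here")
        udid = msg["UDID"]
        if "UserID" in msg:
            # Shared iPad step 2: a user signed in, so the user channel is up.
            # Only per-user payloads go here; the channel has no user
            # authentication on iOS, so never queue anything carrying credentials.
            key = (udid, msg["UserID"])
            self.queues[key] = [install_profile(p) for p in USER_PROFILES]  # step 3
            return key
        key = (udid, None)
        cmds = [install_profile(p) for p in DEVICE_PROFILES]               # step 4
        if msg.get("AwaitingConfiguration"):
            # Step 3 said the device is waiting; DeviceConfigured goes last,
            # otherwise Setup Assistant exits before the profiles land.
            cmds.append({"RequestType": "DeviceConfigured"})                # step 5
        self.queues[key] = cmds
        return key

    def next_command(self, key):
        """Next command for a channel, or None once the queue is drained."""
        queue = self.queues.get(key) or []
        return queue.pop(0) if queue else None
```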
Security best practices (Enrollment)
• iOS 9.3.2 no longer supports MD5
• DES deprecated
• iOS 10 adds AES support
• SCEP servers need to support 3DES or AES as soon as possible
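An added check (not from the session) that an administrator can run against a SCEP server before the iOS 9.3.2 and iOS 10 clients arrive: it reads the server's GetCACaps response and reports whether the server still relies on the MD5 digest or single DES. The capability keywords are the ones the SCEP GetCACaps operation defines (RFC 8894); the three responses are constructed.

```python
"""Assess a SCEP server's GetCACaps response against what iOS now accepts.
Added example: capability keywords are those of the SCEP GetCACaps operation
(RFC 8894); the verdicts follow the slide (MD5 gone in iOS 9.3.2, DES
deprecated, AES new in iOS 10); the three sample responses are constructed."""

# GetCACaps returns one keyword per line. A server that advertises no cipher
# keyword offers single DES, and one that advertises no digest keyword offers
# MD5: exactly the two algorithms iOS has dropped or deprecated.
CIPHER_CAPS = {"AES", "DES3"}                    # DES3 is the keyword for 3DES
DIGEST_CAPS = {"SHA-1", "SHA-256", "SHA-512"}

# Constructed responses: a legacy CA, one that only moved to 3DES, a current one.
LEGACY_CA = "POSTPKIOperation\nRenewal\n"
TRIPLE_DES_CA = "POSTPKIOperation\nDES3\nSHA-1\n"
MODERN_CA = "POSTPKIOperation\nAES\nDES3\nSHA-256\nSCEPStandard\n"


def parse_ca_caps(text):
    """Set of capability keywords, ignoring blank lines and surrounding space."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def assess_scep_server(text):
    """Return (enrolls, findings) for iOS 9.3.2 and later clients.
    enrolls is False only when the server cannot do better than MD5."""
    caps = parse_ca_caps(text)
    findings = []
    if not caps & CIPHER_CAPS:
        findings.append("no DES3/AES: only single DES, deprecated; add 3DES or AES")
    elif "AES" not in caps:
        findings.append("no AES: iOS 10 clients will use 3DES; plan to add AES")
    if not caps & DIGEST_CAPS:
        findings.append("no SHA capability: MD5 default; iOS 9.3.2+ cannot enroll")
    return bool(caps & DIGEST_CAPS), findings
```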
Configure Setup Assistant (Enrollment)
• True Tone
• Siri, iCloud Desktop (NEW)
MDMServiceConfig (Device Enrollment Program)
• Equivalent to VPP Storebag from iTunes Store
• Informs tools what info they can obtain from your server
• Unauthenticated HTTPS request at URI MDMServiceConfig
• UTF-8 JSON-encoded hash
- dep_enrollment_url
- dep_anchor_certs_url
- trust_profile_url
• Profile Manager has implemented it
• Configurator 2 now supports it
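An added example (not Apple's code and not Profile Manager's) of both ends of MDMServiceConfig: the bytes an MDM server returns for the unauthenticated GET, and the parsing a tool does before trusting the three URLs. The helper names, the hostname, the URL paths and the same-host check are assumptions; the three keys and UTF-8 JSON over HTTPS are from the slide.

```python
"""Serving and consuming the MDMServiceConfig document. Added example: helper
names, hostname, paths and the same-host check are assumptions; the three
keys and UTF-8 JSON delivery over HTTPS are from the slide."""
import json
from urllib.parse import urlparse

REQUIRED_KEYS = ("dep_enrollment_url", "dep_anchor_certs_url", "trust_profile_url")


def build_mdm_service_config(base_url):
    """Body an MDM server returns for an unauthenticated GET of /MDMServiceConfig."""
    doc = {
        "dep_enrollment_url": f"{base_url}/dep/enroll",
        "dep_anchor_certs_url": f"{base_url}/dep/anchor_certs",
        "trust_profile_url": f"{base_url}/trust_profile",
    }
    return json.dumps(doc).encode("utf-8")      # UTF-8 JSON, as the slide states


def parse_mdm_service_config(body, fetched_from_host):
    """Tool side: decode the hash and refuse anything that would send enrollment
    or trust material somewhere other than the HTTPS host the document itself
    came from. The document is unauthenticated, so this cheap check matters."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"MDMServiceConfig is not UTF-8 JSON: {exc}")
    if not isinstance(doc, dict):
        raise ValueError("MDMServiceConfig must be a JSON object")
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"MDMServiceConfig missing keys: {missing}")
    for key in REQUIRED_KEYS:
        url = urlparse(str(doc[key]))
        if url.scheme != "https" or url.hostname != fetched_from_host:
            raise ValueError(f"{key} must be https on {fetched_from_host}: {doc[key]}")
    return {k: doc[k] for k in REQUIRED_KEYS}
```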
Shared iPad
• Support multiple users
• Install apps
• Preserve user data
Multiple users (Shared iPad)
• Requires Managed Apple ID to sign in
• Signs in to iCloud and iTunes
Installing apps (Shared iPad)
• Device assigned
• MDM vendors use PurchaseMethod 1
• All app types supported
- App Store developers must allow device assignment
Architecture (Shared iPad)
• Student data truth in the cloud
- Data is cached, but may be purged when needed
- User data separation
- Data will continue to upload after sign out if necessary
• Apps should be education ready
[Animation: “Uploading Mia’s Data” continues while “Downloading Gabriel’s Data” begins]
Support in MDM servers (Shared iPad)
• New DEP setting to enable
• Use Enrollment Optimization to set options before student use
- User quota
- Lock screen grace period
User quota (Shared iPad)
• Maximum number of users cached locally
• Storage allocated to each user is calculated automatically
• After the limit is reached, a new user purges the cache of the LRU user
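An added model (not Apple's implementation) of the three user-quota rules above, useful for reasoning about what an admin-chosen quota means for a class: a fixed number of cached users, an equal share of storage each, and LRU purge on the sign-in that exceeds the quota. The class and its numbers are constructed.

```python
"""Model of the Shared iPad user quota: a fixed number of locally cached
users, an equal storage share per user, and LRU purge when a new user signs
in past the limit. Added example: the class and its numbers are constructed."""
from collections import OrderedDict


class SharedIPadCache:
    def __init__(self, user_quota, storage_bytes):
        if user_quota < 1:
            raise ValueError("user quota must be at least 1")
        self.user_quota = user_quota
        # Per-user storage is derived from the quota, not set by the admin.
        self.per_user_bytes = storage_bytes // user_quota
        self.users = OrderedDict()   # user_id -> bytes cached; oldest first
        self.purged = []             # audit trail of evictions

    def sign_in(self, user_id):
        """Return 'cached' for a recent user, 'downloaded' for a cold one."""
        if user_id in self.users:
            self.users.move_to_end(user_id)  # now the most recently used
            return "cached"
        if len(self.users) >= self.user_quota:
            # Quota reached: drop the least recently used user's local copy.
            # The cloud holds the truth for student data, so only the cache goes.
            lru_user, _ = self.users.popitem(last=False)
            self.purged.append(lru_user)
        self.users[user_id] = 0
        return "downloaded"

    def write(self, user_id, nbytes):
        """Charge nbytes against the user's automatically calculated share."""
        if self.users[user_id] + nbytes > self.per_user_bytes:
            raise OSError(f"{user_id} exceeds per-user share of {self.per_user_bytes} bytes")
        self.users[user_id] += nbytes
        return self.users[user_id]
```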
Lock screen grace period (Shared iPad)
• Time after the screen locks that the device will prompt for the user passcode
• Before the time limit is reached, a student can wake the device with just a swipe
User channel (Shared iPad)
• Allows MDM server to configure per-user settings
- Similar to macOS
- iOS devices running 9.3 and later don’t ignore it
- Some payloads now supported
• No user authentication on iOS
- Never send sensitive information over the user channel
- User channel enforces no credentials
- Google OAuth supported, but without credentials
User channel: Supported payloads (Shared iPad)
• Accounts, including Google OAuth account
• Notifications
• Home screen layout
• Managed Domains: Safari autofill domains
• Restrictions, including Show/Hide Apps
User channel: Restrictions payloads (Shared iPad)
• Most restrictive wins
• Combined to compute effective restrictions, just like multiple profiles
Demo (Shared iPad)
David Steinberg, Device Management Engineer
Demo Recap (Shared iPad)
• Classes preconfigured on login screen
• Recent users
• Sign in with Managed Apple ID and passcode
• Sign in choosing recent user
• Apps show only current user’s data
• Different users see different apps and home screen layout
Distribution
• Managed Apple ID
• Books for Shared iPad
• Enterprise Apps
Managed Apple ID association (VPP)
• Programmatically associate Managed Apple IDs for VPP
• Requires DEP/ASM token and VPP tokens from the same organization
- Customer doesn’t need new tokens after transition to ASM
- DEP and VPP use different tokens, so they could be from different organizations
- Dedicated error code for this failure mode; try and fail
• Requires MDM solution to adopt the API
• Important for iBooks Store books
Books for Shared iPad (VPP)
• iBooks Store VPP books
- Assigned to users
- Cannot be distributed to devices
- Shared iPad user must “download” in iBooks
- Downloaded only once per device
• Non-iBooks Store books
- PDF, IBA, EPUB
- Device assigned
UPPs (Enterprise Apps)
• Allow a non-App Store app to run on a device not defined in the provisioning profile
• Require trust and validation
• User must explicitly trust apps from that signer to run on this device
- Apps installed via MDM are implicitly trusted
• Apple must consider this UPP still valid
- Periodic checks via online connection to validation server
- MDM-installed apps still require periodic validation
- MDM can trigger validation for any app
- Automatically validate any applications that it discovers are not validated
Management
Shubham Kedia, iOS Engineer
MDM commands and queries (What’s New in iOS 9.3)
• Settings now allows setting max users, diagnostic submission
• User List, Logout User, Delete User
• MDM Lost Mode (including device location)
• MDM Activation Lock
Configuration profile payloads (What’s New in iOS 9.3)
• Education
• Notifications
• Home Screen Layout
• Lock Screen Message
• Exchange, Mail: Allow Mail Drop
• Managed Domains: Safari autofill passwords
• VPN: Many new IKEv2 settings
• Restrictions: Many new settings
Configuration profile payloads: Restrictions (What’s New in iOS 9.3)
• Apple Music
• Classroom Screen View
• iCloud Photo Library
• iTunes Radio
• Modify Notifications
• Show/Hide Apps
Configuration profile payloads: Education (What’s New in iOS 9.3)
• Students, Teachers, Classes
• Photos: URLs, GET required, HTTPS
• Used by Shared iPad login screen and Classroom
• Only one allowed per device
• Student devices and teacher devices need different payloads
Configuration profile payloads: Per-user on Shared iPad (What’s New in iOS 9.3)
Five payloads can now apply per-user on Shared iPad:
• Accounts (Google OAuth account)
• Notifications
• Home screen layout
• Managed Domains: Safari autofill domains
• Restrictions (Show/Hide Apps)
MDM commands and queries (What’s New in iOS 9.3.2)
• Enable/Disable App Analytics
• Set lock screen grace period
• DeviceInformation returns App Analytics enabled/disabled
• SecurityInfo returns lock screen grace period
Automatic Assessment Configuration (What’s New in iOS 9.3.2)
• Continues to work the same way on supervised devices
• New entitlement
• API then disables five features while the app is running: auto correction, Define, keyboard shortcuts, predictive keyboard, spell check
• Safe escape behavior on unmanaged devices
Configuration profile restrictions (What’s New in iOS 9.3.2)
• Modify diagnostics submission
Configuration profile payloads (What’s New in iOS 10)
• Contacts, Exchange, Google, LDAP: Communication service rules for audio
• Lock Screen Message: Updated key names
• VPN: IKEv2 EAP-only authentication method, timeout for IPSec
• VPN: PPTP has been removed from iOS 10; existing payloads will not work
• Wi-Fi: Captive bypass
• Wi-Fi: Cisco fast lane QoS marking
• Restrictions: Modify Bluetooth (NEW)
Configuration profile restrictions (Deprecations)
• App installation
• App removal
• FaceTime
• Safari
• iTunes
• Explicit content
• iCloud documents and data
• Multiplayer gaming
• Add GameCenter Friends
MDM commands and queries (What’s New in OS X 10.11.4)
• Install major update (DEP Macs)
Configuration profile payloads (What’s New in macOS Sierra)
• IP firewall
• Restrictions (NEW)
- Apple Music
- iCloud Keychain sync
- iCloud Photo Library
- Back to My Mac
- Find My Mac
- Sharing to Notes, Reminders, or LinkedIn
Tools
Classroom
• Assign Shared iPad
• Launch app
• Navigate to location
• AirPlay to Apple TV
• Lock iPad
• View screen
Demo (Classroom)
Shruti Gupta, Device Management Engineer
Demo Recap (Classroom)
• Open app
• Create and edit groups
• Lock to app
• View screen
• Lock device
DEP and VPP Simulators (Tools)
• Simulate DEP and VPP services
• Test handling of service errors
• Now support all the new DEP and VPP features
• Available for download on the developer portal
• Support new features
Summary
Administrators
• Use Apple School Manager to manage people, devices, content
• Use DEP (wireless) or Configurator (wired) to enroll devices in MDM
• Use Shared iPad with Managed Apple ID on shared devices
• Use VPP Managed Distribution to distribute apps to devices or users
MDM developers
• Support VPP Managed Apple ID association
• Support new features in iOS 10 and macOS Sierra (documentation available now)
• Test with DEP and VPP simulators
App developers
• Store data and preferences in the cloud
• Test using the app with two iPads
Related Sessions
• Best Practices for Building Apps Used in Business and Education, Nob Hill, Wednesday 1:40PM
Labs
• Education and Enterprise Deployment and Development Lab, Graphics, Games, and Media Lab C, Tuesday 1:30PM
• Education and Enterprise Deployment and Development Lab, Fort Mason, Wednesday 3:00PM
• Education and Enterprise Deployment and Development Lab, Fort Mason, Thursday 11:00AM
Resources for Education: apple.com/education
Resources for Enterprise: developer.apple.com/enterprise
More Information: https://developer.apple.com/wwdc16/303