New MDM Features Coming in iOS 13 & macOS Catalina 10.15

With the advent of the Apple Worldwide Developer Conference (WWDC), Apple has made public the changes coming in both the latest release of iOS 13 and macOS 10.15 (named “Catalina”). As information is still incomplete and, at times, unspecific, we will be updating this page as we learn more.

An additional note: Though Apple has branched iPadOS off of iOS, for brevity this document uses “iOS” as the OS for iPhone, iPad, and iPod Touch.

DEP: User Account Setup, SAML Auth

The MDM protocol, in conjunction with the Device Enrollment Program (DEP), has supported configuration options around the initial macOS user setup process for some time. As an example, an admin can decide whether an account can be created interactively by the user, or whether it receives administrator or standard user permissions.

Starting with macOS Catalina, MDM can specify the primary account name and username, as well as whether the user is allowed to change it or not. This is a helpful feature for environments that have standardized username formats.

Additionally, devices can now authenticate against a third-party identity provider (IdP) using a protocol such as SAML.

Bootstrap Tokens

The MDM protocol has been expanded to support setting and retrieving bootstrap tokens for a macOS device. Bootstrap tokens enable mobile accounts to sign in on Macs that are utilizing FileVault. In previous versions of macOS, administrators often needed to build complicated workflows for their users in order to avoid restrictions related to the SecureToken mechanism.

Optionally, the device can be instructed to require a network tether (assumed to be an Ethernet connection provided through a dongle) in order to complete these operations.

User Enrollment

iOS introduces a new management concept referred to as “User Enrollment”. This mode is intended for bring-your-own-device (BYOD) deployments and shifts the usual balance of IT control and user privacy towards the user.

User enrollment relies on the use of Managed Apple IDs. A Managed Apple ID is associated with a device during enrollment. Configurations, apps, and actions that are delivered by MDM are cordoned off from personal data. This protects the privacy of the user while still allowing an organization to use MDM to manage work-related functions on the device.

macOS will include limited support of Managed Apple IDs for the sake of providing the user with access to cloud-based content.

More information is available in our article What is Apple’s “User Enrollment”?.

SecureBoot, Remote Desktop Info

The MDM protocol provides informational data about devices such as battery level, current OS version, and whether a device is supervised or not. Starting with iOS 13 and macOS 10.15, two new keys are returned: the secure boot level and the external boot level.

Additionally, the device will report whether Remote Desktop is enabled.

macOS Activation Lock

Like in iOS, macOS will now include activation lock functionality when running on computers with the Apple T2 security chip. An MDM will be able to retrieve and clear a bypass code.

Enterprise eSIM Cellular Plan Updates

Using MDM, administrators will be able to trigger the device to refresh its eSIM plan with a carrier.

Profiles

A number of new configuration profiles and additions to existing profiles can be found in iOS 10.14 and macOS 10.15.

SSO Related

Apple has added profiles that allow for additional SSO configurations in both iOS and macOS. These profiles associate certain domains, apps, and operations with an SSO provider. The SSO provider is specified as an app, plugin, or URL.

A feature called Associated Domains in macOS allows administrators to link an app to a service such as extensible app SSO, universal links, or password autofill.

App Lock

iOS app lock can now enable or disable voice control functionality, as well as disallow the user from changing the setting.

Certificates

Certificates can now be designated as not extractable from the keychain.

Exchange ActiveSync

An administrator can selectively enable or disable the calendars, contacts, mail, notes, and reminders portions of the account, as well as whether the user is able to override these settings. ActiveSync now supports OAuth as well.

Content Caching

For macOS, an administrator can disable the user’s ability to delete the cache, and can control whether alerts are displayed and whether the cache is “kept awake”.

Network Policy

For iOS, the device can be restricted to only allow usage of a specified list of SIM cards (based on ICCID).

One of three WiFi Assist policies can also be specified. WiFi Assist is the iOS feature that determines when the cellular network is used in lieu of an available WiFi network due to poor WiFi coverage or service.

WiFi

The wireless network configuration now allows for explicit configuration of WPA3 networks.

Privacy Preferences (TCC)

Privacy preferences in macOS are being expanded to support a number of new privacy keys, including:

File Providers

Event Lists

Input Devices (like a trackpad or keyboard)

Media Library

Screen Capture

Speech Recognition

System Policy: Desktop Folder

System Policy: Documents Folder

System Policy: Downloads Folder

System Policy: Network Volumes

System Policy: Removable Volumes

Restrictions

The restrictions profile has added a number of keys that the administrator can disable. These keys are for iOS supervised devices (with the exception of “Device Sleep”):

Continuous Path Keyboard

Device Sleep: Specifically for tvOS, keep the device from sleeping

Find My Device: Remove the feature from the “Find My” app

Find My Friends

WiFi On/Off (referred to in other places as “power modification”)

Software Update

Administrators can now force macOS devices to automatically install macOS updates and app updates, when available.

Dock

In macOS, three dock configuration options have been added:

Double click behavior: Maximize, minimize, or do nothing

Window tabbing: Manual, always, or fullscreen

Show recents: disallow modification of recently used items

VPN

VPN configuration options have been expanded to include a number of new settings, allowing administrators to specify whether local networks and/or all networks are tunneled over the VPN. VPN traffic can also be tunneled at the packet or higher-level application layer.

Further configuration options have been added around certificate settings for certain VPN connection types.

Web Content Filter

The web content filter configuration now includes settings for a filter data provider. This appears to be for both macOS and iOS.