A Primer on iOS Management and What's Changing
•Download as PPTX, PDF•
0 likes•233 views
Ivanti UEM is fully integrated with our OS partners including iOS. We provide a seamless and native iOS user experience while also establishing the foundation for customer's zero-trust journey. Join us to learn how Ivanti UEM can help you fully manage iOS devices, capabilities and security features.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to A Primer on iOS Management and What's Changing
Similar to A Primer on iOS Management and What's Changing (20)
More from Ivanti
More from Ivanti (20)
Recently uploaded
Recently uploaded (20)
A Primer on iOS Management and What's Changing
- 1. 8/24/2021 A Primer on iOS Management − What’s New in iOS15 Unified Endpoint Management (UEM) Webinar Series
- 2. Copyright © 2021 Ivanti. All rights reserved. Kate Kim Sr. Product Marketing Manager - UEM Host Global Strategic Marketer with extensive product marketing and strategic alliance experience in Cybersecurity and Enterprise Mobility. Avid world traveler. Korea born Texan. Visited 6 continents and over 50 countries (and counting).
- 3. Copyright © 2021 Ivanti. All rights reserved. Aruna Kureti Director, UEM Product Management Speaker I have been working in technology last 20 years and at Ivanti, I manage mobile and desktop device management focused on Apple products. Love to travel and wish to cover world wonders.
- 4. Copyright © 2021 Ivanti. All rights reserved. Rafael Kobylinski General Manager, incapptic Connect Speaker Founder of incapptic Connect (now part of Ivanti), ex-Apple System Engineers Manager Enterprise & Education and Apple fanboy ever since. Loves teaching coding to elementary school kids with Swift Playgrounds.
- 5. Agenda What’s New in iOS15 User Enrollment Model Additional Resources Q & A
- 6. What’s New in iOS15
- 7. Copyright © 2021 Ivanti. All rights reserved. iOS15 Highlights Declarative Management Require Managed Pasteboard Required App on Unsupervised Device Account Driven User Enrollment Redesigned Notifications New Code Signature Format Apps and Books Improvements
- 8. Copyright © 2021 Ivanti. All rights reserved. • Admin can force install single required app • App Installation does not prompt for user permission E.g.: MDM service’s agent applications like Mobile@Work or GoClient can be installed which may be necessary for business functions and/or management No prompt required Required App on Unsupervised devices
- 9. Copyright © 2021 Ivanti. All rights reserved. • New look for notifications • Notifications Summary • Muting Notifications • Time Sensitive Notifications Can manage on supervised devices Re-designed Notifications
- 10. Copyright © 2021 Ivanti. All rights reserved. • New Restriction - Controls if paste is affected with managed open in rules - require managed pasteboard • System App - Calendar, Notes, Mail, Files will honor the restriction and all other 3rd party apps require no changes • As usual Apps installed by MDM will be treated as Managed and Apps installed my user will be treated as unmanaged • If restriction is imposed, then user will see Paste not allowed notification while trying to paste the content. If the organization name needs to be changed on the notification, then use Organization info settings command Require Managed Pasteboard
- 11. Copyright © 2021 Ivanti. All rights reserved. • More streamlined experience for user and admins • Onboarding flow enables new security features for user Enrollment Account Driven User Enrollment
- 12. Copyright © 2021 Ivanti. All rights reserved. Allow MDM servers to describe the correct configuration to the device, and letting the device handle the implementation.(Applicable for User Enrollment currently) Declarative Management
- 13. Copyright © 2021 Ivanti. All rights reserved. ABM/ASM Apps & Books Improvements • Apple announced a new set of APIs to allow MDM providers to deploy apps and books in a more efficient and scalable manner • Realtime Notifications • Asynchronous Processing
- 14. Copyright © 2021 Ivanti. All rights reserved. Managed Account Display • Users can now see their managed account, VPN and the profiles installed in the device at one place in settings. • This helps the user to gain a complete understanding of how their device is managed.
- 15. Copyright © 2021 Ivanti. All rights reserved. Inclusive Changes • Airplay - Whitelist -> Allowlist • Blacklist ->DenyList/Blocked • forceWifiWhitelisting ->forceWiFiToAllowedNetworksOnly • BlacklistedURLs-> DenyListURLs • WhilelistedBookmarks -> AllowListBookmarks QoSMarkingWhiltelistedAppIdentifiers -> QoSMarkingAllowedListAppIdentifiers
- 16. Copyright © 2021 Ivanti. All rights reserved. New Code Signature Format • Updated code signature format to strengthen security • Some enterprise apps might no longer launch on iOS 15 • App Store and TestFlight apps not affected • Ivanti's app publishing solution incapptic Connect supports new format starting with version 1.38.0: • new versions automatically compatible • old releases can be automatically re-signed • Manual and home-grown publishing solutions need to be adapted (guidance from Apple via Developer Forums and Apple DTS) • Make sure you test all your enterprise apps with iOS 15!
- 18. Copyright © 2021 Ivanti. All rights reserved. User Enrollment
- 19. Copyright © 2021 Ivanti. All rights reserved. User Enrollment • Managed Apple ID: In iOS15 Improved experience of accessing managed account in settings. • Account is shown on top level settings • iCloud Drive • Managed Apps on macOS: In MacOS Montery the managed Apps functionality is expanded to User Enrollement. • Onboarding: In iOS15 for more streamlined experience for user and admins, the new User Enrollment Onboarding flow is created to establishes users organization Identity as entry points. • Ongoing Authentication: With New User Enrollment in iOS15 - Apple introduced the ability for organizations to re-authenticate user at anypoint in time.
- 20. Copyright © 2021 Ivanti. All rights reserved. Get Started User Enrollment Onboarding and ongoing authentication is available with iOS15 Following are the 5 steps to get started: 1. Setup and publish 2. Integrate your MDM server 3. Create Managed Apple IDs 4. Update MDM payload 5. Review Apple Documentation
- 21. Copyright © 2021 Ivanti. All rights reserved. Additional Resources Apple WWDC21 Sessions - WWDC21 - Apple Developer Apple WWDC 2021 (ivanti.com)
- 22. Q & A
- 23. Copyright © 2021 Ivanti. All rights reserved. Thank You!
Editor's Notes
- Hello everyone. Welcome to the Unified Endpoint Management (UEM) Webinar Series A Primer on iOS Management. What’s New in iOS15 In this webinar, we’re going to learn more about key features in iOS15 announced back in June.
- My name is Kate Kim, Sr. Product Marketing Manager for UEM at Ivanti I’ll be your host today.
- Please allow me to introduce my speaker – Aruna Kureti, she is a Director of UEM Product Management at Ivanti.
- I feel very fortunate having two speakers on this webinar. Rafael Kobylinski General Manager of incapptic Connect will walk us through New Code Signature Format coming with iOS 15.
- I’ve put together a few agenda items for you today. We’re going to deep dive What’s New in iOS15 User Enrollment Model Followed by Additional Resources and Q & A
- We are very excited to talk about iOS15. if you recall, Apple made a notable announcement over WWDC21 in June, including lots of upgrades on iOS 15, the new macOS Monterey, with significant improvements and much more. We’re going to focus on important features to our enterprise customers throughout this webinar. Welcome Aruna, thanks for joining. Looking forward to your insight on What’s New in iOS15. Floor is all yours.
- Hello again!! I am here to talk about iOS15 new features and upgrades that we are most excited about: Required App on Unsupervised Device: Admin can push one managed app on unsupervised device and ensure that app cannot be removed Redesigned Notifications: Apple announced new changes coming to notifications on iPhone, including a completely redesigned interface and a new way to summarize notifications based on activities. Notifications have been redesigned, adding contact photos for people and larger icons for apps that make them even easier to identify. To help reduce distraction, a new notification summary collects non-time-critical notifications for delivery at a more opportune time, such as in the morning and evening. Using on-device intelligence, notifications are arranged by priority, with the most relevant notifications rising to the top, and based on a user’s interactions with apps. Urgent messages will be delivered immediately, so important communications will not end up in the summary, and it’s easy to temporarily mute any app or messaging thread for the next hour or for the day Require Managed Pasteboard: Controls if paste is affected with managed open in rules - If restriction is imposed then user will see Paste not allowed notification while trying to paste the content Account Driven User Enrollment: In New version, before the user can request their enrollment profile, admin can require authentication against an onboard MDM service, or against your IdP, and then only let them download their MDM Enrollment profile. At that point, they have to sign in with their Managed AppleID. Declarative Management: Allow MDM servers to describe the correct configuration to the device, and letting the device handle the implementation.(Applicable for User Enrollment currently) Apps and Books Improvements: Apple announced a new set of APIs to allow MDM providers to deploy apps and books in a more efficient and scalable manner Inclusive Changes: Rename White list to allow list, Black List to Deny list And more importantly we want to share information on New Code Signature Format – and my colleague Rafeal will talk through it
- Description: On unsupervised devices, MDM can install a single “required” app without prompting for user permission. This is installed as part of the initial MDM profile. Consent to install the app is included during the profile installation. This is useful for installing an application that is necessary for business functions and/or management, such as MDM service’s agent application. (Ex: Install Mobile@Work or GoClient)
- Redesigned Notifications: Apple announced new changes coming to notifications on iPhone, including a completely redesigned interface and a new way to summarize notifications based on activities. Notifications have been redesigned, adding contact photos for people and larger icons for apps that make them even easier to identify. To help reduce distraction, a new notification summary collects non-time-critical notifications for delivery at a more opportune time, such as in the morning and evening. Using on-device intelligence, notifications are arranged by priority, with the most relevant notifications rising to the top, and based on a user’s interactions with apps. Urgent messages will be delivered immediately, so important communications will not end up in the summary, and it’s easy to temporarily mute any app or messaging thread for the next hour or for the day For the supervised devices you can still use the existing Notification settings to control the display of notifications
- Apple provides Managed Open-In settings within the Restrictions profile. These settings allow you to prevent data and content within managed apps from being moved to unmanaged apps, and vice versa. With Managed Pasteboard settings, Apple provides you with the ability to apply the same restrictions to the copy and paste functionality, meaning that information copied from corporate apps cannot be pasted in unmanaged apps and/or the reverse. If restriction is imposed, then user will see Paste not allowed notification while trying to paste the content. If the organization name needs to be changed on the notification, then admins can use Organization info settings command
- In New version, before the user can request their enrollment profile, Admin can require authentication against an onboard MDM service, or against your IdP, and only then let them download their MDM Enrollment profile. Users have to sign in with their Managed AppleID. Now they will be layer of security during the enrollment flow where your MDM server can verify user before the MDM profile is even downloaded to the device and before any organization data is sent to it. I will talk about this feature in detail in few mins
- As per Apple, MDM protocol we use today is “imperative and reactive,” meaning it’s very server-centric: An MDM solution can download profiles and software agents to managed devices, but the control resides in the MDM server that tells those profiles and agents what to do. That model works fine, but it’s got some limitations: Management workflows can have time lags because they rely on back and forth communications between managed devices and the server. When you’re managing a large number of devices, those communications can become even more of a bottleneck. What declarative MDM do is to bring responsibility for the management and implementation of policies down to the devices themselves. It will allow devices to be more autonomous—making decisions for themselves, and lighten the load on servers and communications channels. Devices will be able to react to their changes in state and implement management decisions by themselves.
- Apple announced a new set of APIs to allow MDM providers to deploy apps and books in a more efficient and scalable manner Realtime Notifications Receive Notifications for state changes for assignments, assets and registered users Remove the need for continually syncying state Asyncronous Processing – In the initial version of API all management was performed syncronously. Asyncronous processing enables server enforced Parallelism on Apple's end. This results in processing optimization which leads to large request being fulfilled more quickly. Order processing reduces the amount of intermittent failures and subsequent re-tires due to your specific request pattterns. This ultimately leads to stress free large deployments. Server Enforced Parallelism Order processing Stress-free large deployments
- Users can now see their managed account, VPN and the profiles installed in the device at one place in settings. This helps the user to gain a complete understanding of how their device is managed.
- The onboarding for user enrollment in iOS devices used to be initiated and controlled by an MDM enrollment profile. The new user enrollment establishes the organization’s identity as the entry point. An additional layer of security is established during the enrollment flow. The MDM server can now verify the user even before the MDM profile is downloaded to the device. Lets see how does it work.
- Managed Apple ID: When device is userEnrolled, the account is shown on top level settings. From there user can view details and settings for iCloud. With this settings reflect the clear separation of content for company owned and personal content. New in iOS15 and macOS Monterey, Managed Apple ID supports iCloud Drive. iCloud drive is an important feature of iCloud account and will be available to UserEnrolled devices. On iOS and iPadOS it shows in the new location in Files App and on macOS additional location in Finder. With iCloud Drive for managed Apple IDs organizations can now easily provide the user a built in cloud storage solution. Document Browser based apps will also have access to additonal icloud drive and offcourse icloud Drive will respect managed Openin restrictions for managed apps and data access. Managed Apps on macOS: In MacOS Montery the managed Apps functionality is expanded to User Enrollment. Like iOS App Data is separated on a different volume and Managed Apps/data can be removed with unenrollment or MDM command. And when that happens the container is also erased. Best Practice/recommendations from Apple to enhance user experience - Use data protection keychain and App sandbox to ensure data is stored on the enterprise volume/correctly separated. Onboarding: Personalized and user driven experience. Onboarding experience in iOS 13 is initieated and driven for MDM profile. The profile has to be created per user and distributed by admin. In iOS15 for more streamlined experience for user and admins, the new User Enrollment Onboarding flow is created to establishes users organization Identity as entry points. User are already aware of sighnign into their organizations identity to setup services like mail and calendar so they are familiar with MDM setup using their organization identity. This onboarding flow enables new security features for user Enrollment. Now they will be layer of security during the enrollment flow where your MDM server can verify user before the MDM profile is even downloaded to the device and before any organization data is sent to it. There are four components to UserEnrollment Onboarding flow. Service Discovery - Device identifies the organization's MDM server. User Authentication - How MDM server validates the user Session Token - Issuing session token which is how ongoing authentication is performed. Enrollment - Installation of MDM payload to the device Details - When user starts the onboarding flow, they are prompted to enter the organization idenifier. This identifier has two main pieces. Fisrt piece is user ID and the second piece is organization domain or subdomain. After user has entered the organization ID, the device takes the domain portion of the identifier and turns that into https URL pointing to a well know http resource at that domain. This discover URL is where you host the your MDM server document that tells the device where the enrollment endpoint is. The device then performs the get request to the URL expecting to get back a Jason document. The received Json object includes a version key to let the device know what type of enrollment the server supports and a base URL key that specifies the URL of MDM servers enrollment endpoint. With this information the device is readyt o request the MDM enrollment profile from the server. The device posts a property list to the servers enrollment endpoint with various device attributes. Ongoing Authentication: With New User Enrollment in iOS15 - Apple introduced the ability for organizations to re-authenticate user at anypoint in time. This makes it possible for the server client connection to be more secure than ever. MDM servers can validate autorization for every request from client and ask the user to re-authenticate their identity credentials at any point of time.This functionality is performed through the use of session token. If authentication fails then user will be prompted in Notifications to re-authenticate. Un-enroll - prior to iOS 15, profile based User enrollment treated HTTP 401 response from server as un-enroll command. With new User Enrollment - 401 respose will be used for re-authentication instead. To trigger un-enroll, admin can still use the existing mechanism of sending remove profile command for mdm enrollment profile. This will result in full MDM un-enroll including managed account, managed data, data separated volume that will be removed from the device. All Un-enroll behavior of profile based enrollments including user enrollment flow from iOS13, remain unchanged.
- 1. Setup and publish HTTP well known resource file for your enterprise domain 2. Integrate your MDM server with your IDP to perform user authentication during enrollment and take advantage of ongoing authentication for added security benefit 3. Create Managed Apple IDs or already created Apple IDs from ASM/ABM to populate assigned managed Apple ID key in your server's MDM payload. 4. Update your MDM payload to also include the Enrollment Mode key 5. Review Apple Documentation for iOS15 for any further details
- HERE i’ve added a few links to learn more about WWDC21 announcement and there are over 200 sessions available to you We Ivanti also published a couple of blogs back in June and July so please go ahead and read them as tohow Ivanti can leverage the new OS features and support in our UEM platform
- Q1. Will the Declarative MDM be supported right away? Q2. Will I see significant change in the current MDM solution with Declarative MDM? Q3. Will Apple or MDM Solution provider will setup and publish HTTP well known resource file for the enterprise domain?