One of my favorite sessions at WWDC each year is the one around what’s new with Apple device management. This year, we got a first look at Apple’s next-generation MDM protocol called Declarative MDM. Apple has also provided several other enhancements to iOS and macOS to streamline the management of your Apple deployments.
About Apple @ Work: Bradley Chambers has been managing an enterprise IT network since 2009. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 100s of Macs, and 100s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.
Declarative MDM
Apple’s new MDM technology promises to make managing iPads, iPhones, and Macs in the enterprise and K–12 easier than ever. The current MDM protocol in use today is “imperative and reactive,” which means that it’s very server-centric. An MDM solution pushes profiles and software to managed devices, but the devices cannot really think and act for themselves. This model has worked well for years, but it is a bit slow. New changes can have time lags because they rely on round-trip communications between the iOS/macOS/tvOS device and the MDM server. If you’ve ever sat and waited on an iPad to receive a configuration change from the server, you know that this process can see slowdowns with no insight into why.
What Declarative MDM does is bring some of the responsibility for policy implementation down to the devices themselves, which should lighten the load on the MDM server in turn.
A practical example: you push a new requirement to reset a login password, which requires the user to take action. Once the user has done so, the device can report that status back to the MDM server right away rather than waiting until the device checks in later (or until you force a check-in).
Apple Configurator for iPhone
It’s now going to be possible to load Macs not purchased directly from Apple or an authorized reseller into your Apple Business Manager and Apple School Manager using just your iPhone. It’s part of the new Apple Configurator app for iPhone. Once you sign into the app with a Managed Apple ID, you’ll be able to load a Mac into your ABM or ASM account during the setup process and avoid using Apple Configurator on the Mac.
Erase all content and settings on macOS
With macOS Monterey, Apple will make it easier to restore your Mac to factory settings. In the System Preferences application, a new “erase all contents and settings” option is similar to what we’ve had on iOS for years.
In the enterprise, this setting will make it easier to decommission a Mac and know that the data cannot be recovered. Here’s how Apple describes the new feature:
System Preferences now offers an option to erase all user data and user-installed apps from the system while maintaining the operating system currently installed. Because storage is always encrypted on Mac systems with Apple silicon or the T2 chip, the system is instantly and securely “erased” by destroying the encryption keys.
Wrap up
The new Declarative MDM technology sounds like it’s the retooling of the MDM protocol I’ve been hearing about for the past few years. It does sound like it’s going to speed up many of the tasks that involve devices sending and receiving data from the MDM.
Apple Configurator for iPhone is a very nice enhancement. It will be useful if you need to run to your local Best Buy or Apple Store to purchase a machine in the event of damage or an unexpected hire. In the past, you wouldn’t have been able to add it to your account with Apple, but now you will.
Overall, it looks like a very solid release from Apple on the enterprise management side. It sets the foundation for continued growth for Apple in the enterprise.