🇵🇱 Przejdź do polskiej wersji tego wpisu / Go to polish version of this post

June in the calendar of every IT admin who manages a fleet of Apple devices is a special month. A time when coffee tastes somehow different, and on one of the monitors, the WWDC stream is running all day long. Every year we hope for innovations that will make our lives easier, patch annoying gaps, and let us sleep more peacefully. Sometimes we get minor improvements, and sometimes… well, sometimes Apple serves us a real feast.

And I have the impression that this year the table is exceptionally lavishly set. Engineers from Cupertino took our requests to heart (and probably thousands of support tickets) and delivered features we’ve been waiting for years. I’m talking about specific, meaty solutions that will really change our daily work.

The Holy Grail of Admins: Device Migration Between MDM Servers!

Let’s start with a feature I’ve been waiting for… forever. Anyone who has ever had to move a fleet of hundreds or thousands of iPhones or Macs from one MDM system to another knows what a nightmare it is. Until now, the only 100% effective method was „Wipe & Re-enroll,” which means… wiping the device to factory settings and re-enrolling it in the new system.

In practice, this meant a gigantic logistical operation, hundreds of calls from angry users whose „vacation photos disappeared” (despite a hundred backups and a thousand emails with instructions), and long weeks of work. This was the biggest barrier preventing companies from changing MDM providers, even if the current one didn’t suit them.

And now? Apple says: „Hold my beer” ????

With iOS 18.xx, iPadOS 18.xx, and macOS 15.xx, we’re getting a built-in, official device migration mechanism between MDM servers. No more guerrilla tactics! How does it work?

1. Initiation from MDM: An administrator in their old MDM system will be able to „push” a migration command to the new server onto the device.
2. Setting a Deadline: We can set a deadline by which the user should accept the migration. No more excuses that „there was no time to click.”
3. User Notifications: A clear notification about the need for migration and the final deadline will appear on the device.
4. Data Preservation! And this is the absolute hit. On iPhones and iPads, if the new MDM server manages to deliver applications before the process completes, the device will retain those applications and their data! This is a colossal change that will save time and nerves for both us and users. In the case of Macs, the migration must be authorized by the logged-in user.
5. Forcing Migration: If the user ignores all requests, the organization can force the migration, which on iPhone/iPad will result in a restart, and on Mac will display a non-closable window.

This is a fundamental change. For companies that have been stuck with one MDM provider until now, new doors are opening. Imagine how simple it becomes to switch, for example, to a Polish system like Proget MDM or TechStep Essentials MDM, which often offer great local support and competitive conditions, for example in the offerings of operators such as Plus. Until now, the vision of manual migration blocked you? This problem is now disappearing.

No More Clicking! New „Services API” for Apple Business/School Manager

Apple Business Manager (ABM) and Apple School Manager (ASM) are the foundation of Apple device management in businesses and education. This is where we assign new devices to our MDM server. However, until now, many operations required manual login and „clicking” in the web portal. At large scale, this is simply inconvenient.

Now Apple will provide Services API. What does this mean for us? The ability to automate!

Instead of manually logging into ABM to check order status or assign a hundred new Macs to the MDM server, we’ll be able to assign this task directly from our management system. MDMs such as Microsoft Intune, Essentials MDM, Proget or Jamf will be able (and will certainly do so – right??) to integrate with this API to give us, admins, new superpowers.

Imagine a scenario: The purchasing department orders 100 new iPhones from an operator. Serial numbers go into the system. Our MDM, integrated with the API, automatically queries ABM whether the devices are already available. As soon as they appear, it automatically assigns them to the appropriate MDM server and applies initial configuration. Before the courier delivers the package to the office, the devices are already ready to work.

This is the future of management – proactive and automated.

„Tap and Enter,” or ID Card in iPhone (Almost)

Another revelation concerns identity and login. Apple is strongly developing Platform Single Sign-On (SSO), a mechanism that allows using one account (e.g., corporate from Microsoft Entra ID/Azure AD) to log in everywhere – to applications, websites, and even to the Mac computer itself.

Now they’re going a step further with the „Tap to Login” feature. No more typing long and complicated passwords to unlock your Mac! Users will be able to simply bring their work iPhone or Apple Watch close to the computer to log in. This will work based on Access Keys, which can be securely delivered to the phone. This is not only convenience but also a huge leap in security – we’re eliminating the weakest link, which is passwords.

For environments where one computer is used by multiple people (schools, stores, hospitals), Apple is introducing „Authenticated Guest Mode”. Thanks to an external NFC reader, an employee will be able to touch their employee card to a reader connected to a Mac, and the system will log them into a temporary, managed account with appropriate permissions. After logging out, all data disappears. Simple, secure, and brilliant for shared workstations. The hot-desking concept is being taken to a new level.

Declarative Management Enters the Mainstream and Takes Command

We’ve been talking about Declarative Device Management (DDM) for several years now, but now Apple is putting all its eggs in one basket. The old management model, based on sending individual commands, is becoming obsolete.

To understand this well, let’s use an analogy.

• Old MDM model (reactive): You were like a micromanager. You told the device: „Install application X”. You waited for confirmation. Then: „Set password”. You waited. „Block camera”. You waited. Constant polling and sending commands.
• New DDM model (declarative): You’re like a smart boss. You tell the device: „Your task is to be in this state: you should have iOS 18.2, installed applications X, Y, Z, firewall enabled, and App Store access blocked. Report when you’re done and inform me if anything changes”. The device itself, autonomously strives to achieve this state and reports only when necessary.

This is much more efficient and reliable. Apple officially announced that the old update management mechanism will be phased out in the future. All management is moving to DDM, including new Safari browser configuration options (bookmarks, homepage) or managing innovations related to Apple Intelligence (e.g., blocking ChatGPT integration in system tools).

A Handful of Tasty Additions That Will Make Our Lives Easier

Besides these major topics, we also got a mass of smaller but very useful improvements:

• Blocking and hiding applications: Finally! We’ll be able to lock a specific application (e.g., system) using Face ID / Touch ID / passcode or completely hide it from the user.
• Disabling Activation Lock from ABM/ASM: Another gigantic „pain point” solved. If an employee leaves the company and forgets to log out their private Apple ID from the device, until now recovering the equipment was a path through torment. Now the admin will be able to remove this lock directly from the ABM portal. Hallelujah!
• Improved eSIM management: New restrictions will allow, among other things, blocking the user’s ability to independently remove the work eSIM.
• New „Passwords” app: Apple has finally created a dedicated password management application that syncs between iOS, macOS, and even Windows.

Summary

This year’s WWDC wasn’t evolution. It was a small revolution in the world of Apple device management. Features like MDM migration or disabling Activation Lock from the portal are game-changers that will take off a mass of tedious and frustrating work from us administrators. Better identity management and commitment to the declarative model is a clear signal of where Apple is heading: toward greater automation, security, and scalability.

Personally, I’m most excited about painless migration, because it opens the field to choosing the really best MDM system for a given organization, without historical burdens. We have a busy autumn full of tests ahead of us, but I already know that our work will become much simpler. And that’s what this is all about!

Source: Apple WWDC 2024 Session: „What’s new in Apple device management and identity„

Until next time!

Puść ten artykuł w świat

XLinkedInMastodonFacebookWhatsAppFollow.itMessengerUdostępnij

×

Otrzymuj nowe artykuły na swój e-mail

Podając swój adres e-mail wyrażasz zgodę na przetwarzanie Twoich danych przez serwis follow.it. Zapoznaj się z Regulaminem oraz Polityką Prywatności serwisu.