What's New in Managing Apple Devices

Session 301 WWDC 2015

Learn about the latest developments in managing Apple devices in large organizations. Learn the latest techniques to wirelessly configure settings, monitor compliance with policies, install apps and bulk configure devices with ease.

TODD FERNANDEZ: Good morning and welcome to session 301.

I'm Todd Fernandez, and I manage Apple's device management tools engineering teams and help coordinate our efforts across the company to support deploying and managing Apple devices.

I'm excited to be here with you this morning to represent the many teams across Apple that have been hard at work since we last met and introduce what's new in managing Apple devices.

Apple's commitment to education and enterprise goes back to the beginning of the company.

Serving the needs of educators and students has been an important part of Apple throughout its history.

Today, there's a whole new world of devices and content available to teachers and students.

Technology can now be completely integrated, both inside and outside of the classroom.

But those devices and content are also critically important in the enterprise.

Though Apple's success in the enterprise today dwarfs any past successes, Apple's interest in fostering increased productivity and enterprise started a long time ago with the VisiCalc on the Apple II and continues through the myriad of solutions now based on iPhones, iPads, and Macs.

From the factory floor to the office.

So how can we make it even easier for schools and businesses to take full advantage of everything that the Apple ecosystem offers?

Since the introduction of iPhone and accelerating with iPad, Apple has created key technologies and services to enable schools and businesses to make the most of their devices.

This year we are building on that foundation with a special emphasis on shared device deployments.

Now, I need to take a moment for a brief aside here.

I likely will be referring to these two programs by their three-letter acronyms, DEP and VPP, throughout this presentation, but I owe marketing a dollar every time I call a Device Enrollment Program a dep. If I slip, don't give me away.

I appreciate it.

All these device management features really boil down to helping you spend less time with your devices looking like this and more time with your students and employees using them to do things like this.

Now, today we are going to cover the entire deployment process, highlighting all the new features in both OSs, the services and tools along the way.

The first step is to enroll your devices for remote management.

Of course, the best way to do that is using DEP, the Device Enrollment Program.

Before we jump into the new features, though, I want to take a moment to highlight two changes that have already taken place.

The first is that we've expanded from our initial launch in two countries.

The program is now available in 26 countries around the world.

And we've dramatically shortened the time it takes to get replacement devices into the program.

So that's great.

Now let's talk about what is new and coming this year.

The first feature I want to talk about is called Enrollment Optimization.

You might be thinking, what does that mean?

It's actually very simple.

This is a way for the MDM server managing the device to keep the device in Setup Assistant until it is fully configured.

This ensures that before a user can use the device, all the settings, accounts, and restrictions that the organization wants to have in place are actually in place.

So how does it work?

There's a new key that is part of the DEP settings that specifies that you want the device to wait until it's fully configured.

When the device obtains its Device Enrollment Program settings from the service, when it is enrolling with the MDM server, it passes that state back to the server.

The server then knows it can take as many MDM commands and install as many configuration profiles as necessary to fully configure that device.

Once the device is fully configured, the server sends a New Device Configured command to the device, allowing it to exit Setup Assistant and be used by the end user.

This is available in both iOS 9 and OS X El Capitan.

Next I want to talk about a feature specific to OS X that gives you more control over how accounts are created, or not created as the case may be, during enrollment.

In fact, you can now prevent user creation entirely if you just want to use network accounts on your Macs.

This works great with Enrollment Optimization if you set a passcode policy.

That policy will be enforced when the user is creating their new account.

One of the most important changes is that now instead of the user creating an admin account during DEP enrollment, you can specify that that account will be a standard account, which is typically what you want in education.

However, because OS X, of course, requires an admin account to be on the system, if you specify that the standard account will be created, you can also create an admin account behind the scenes that you can later use for remote management via ARD or other tools.

And you can optionally hide that admin account from any standard users on the system.

All these settings can be configured using a new MDM command called Setup Configuration, which works well in conjunction with Enrollment Optimization [applause].

TODD FERNANDEZ: This is great.

It will be very key in education in particular.

Now let's turn to iOS 9 and to a feature again with a somewhat ambiguous name, but I'll explain.

Also very simple to explain.

Automated Enrollment is a way to enroll your devices in MDM using the Device Enrollment Program without anyone tapping on the device.

How does it work?

Well, the first step is you configure your DEP settings like you would today, but instead of having a user get the device and walk through the Setup Assistant, you will connect the device to Apple Configurator, which will tell the device "configure yourself using your DEP settings."

The device obtains those settings and fully configures itself all the way to the Home screen.

It's ready for the user to use without anyone touching the device.

This is a great feature for shared deployments in particular, enabling you to configure a cart of iPads without touching them beyond connecting the USB cable.

This is not a new feature per se, but we've expanded the number of Setup Assistant panes that you can choose to skip as part of your Device Enrollment Program settings.

Over the past year, we rolled out these three panes, but in iOS 9 you can also remove the new Move From Android option on the setup pane if your enterprise wants to make sure there's no corporate data leaking from their Android devices while they're transitioning to an iOS device.

TODD FERNANDEZ: Finally I would like to highlight something I mentioned last year, that, analogous to what the MDM server can obtain from the iTunes Store, to get the Store Bag, which tells you all the APIs and URLs you can use to control the VPP program and other tasks, MDM servers can implement what we call MDMServiceConfig, which will tell other device management tools, for example, Configurator, what kinds of services it provides, the most important being the DEP enrollment URL.

Why is that important?

In fact, the Profile Manager version that we seeded this week supports this, and Apple Configurator we seeded this week supports it.

And it enables a Configurator user, instead of having to type in the entire URL, to just type in the host name of the MDM server and obtain the URL for the user.

So that brings us to the end of the enrollment section.

We now have our devices enrolled, they're ready for remote management.

The next thing we want to do is deploy the great apps from the App Store and other sources.

Of course, there are, what did we say yesterday?

A million and a half apps in the App Store.

There are also a large number of B2B apps in the App Store.

There are in-house enterprise apps that your organizations may be creating, and developers may be using ad hoc apps to distribute, for beta testing or other purposes, using provisioning profiles.

I will talk primarily today about the first three, but there is something towards the end of the presentation also potentially relevant for that fourth type.

There are many different ways to distribute apps to users, but today I'm going to primarily focus on Apple's tools as well as MDM in general.

Finally, there are three different ways to purchase apps.

Your users, of course, can just go to the App Store and buy them.

We have VPP redemption codes, which transfer ownership to the user.

Finally two years ago, we introduced VPP managed distribution to give organizations greater control and preserve ownership of the apps they buy under the Volume Purchase Program.

That's what I want to spend our time right now on.

There are three big new changes that I want to highlight today, each one larger than the last.

The first is similar to the Device Enrollment Program.

Over the past year we expanded from 10 countries to the same 26 countries where the Device Enrollment Program is available.

That's great.

But the second item I want to mention is bigger and builds on this.

We now have multinational app assignment as part of VPP managed distribution.

What does that mean [applause]?

TODD FERNANDEZ: Maybe you know already!

We can go right through this slide quickly.

What that means is you can purchase your VPP apps in any of those 26 countries, but distribute them to any country where that app is in the App Store.

So to make it concrete, if you are a multinational company headquartered in France, you can buy all your apps in France but distribute them to your users in the U.S., Canada, or even Kenya, as long as that app is in the App Store in Kenya.

We think this is going to be huge.

Believe it or not, the next one is even bigger than this.

You can now assign your VPP mass distribution apps to devices.

[ Applause ]

TODD FERNANDEZ: Thank you.

We appreciate that.

So previously you could assign them to users, and iTunes Store Apple ID.

What is different about device assignments?

Now there is no invitation process if you want to use device assignments because there's no Apple ID required on the device in order to distribute the apps, install them, and run.

Even if there is an iTunes Apple ID configured on the device, these apps will not appear in the user's purchase history because they are not assigned to that user.

That further means there is no way for the user to manage that app, or install it, or update it in the device UI.

It's completely at the discretion of the administrator and the MDM server to control that timing.

A final difference I want to highlight is that, in contrast to user assignments, where that app can be installed on any device where that iTunes Store Apple ID is configured, if you are using device assignments you need to purchase a copy for each device, and you app developers out there should be happy about that.

More sales!

But I also want to repeat, there is no Apple ID required on the device in order to install apps.

[ Cheers & Applause ]

TODD FERNANDEZ: Another big step forward to make shared device deployments much easier.

So what has remained the same?

The purchasing experience is exactly the same.

You purchase VPP managed distribution licenses on the VPP store, and they can be freely reassigned to a user or a device and later revoked and assigned to a different user or device.

We've also worked very hard to make sure there's a smooth transition for all of the apps that have already been installed based on user assignments.

If you wish, you can transfer and transition that assignment to a device assignment without having to reinstall the app or risk losing user data.

The app stays in place, as does the user data.

[ Applause ]

TODD FERNANDEZ: So what does this mean for app developers?

It is actually pretty simple.

First of all, early next month, iTunes Connect will allow you to opt in to allow your app to be distributed as a device assignment.

This is probably a good idea.

Remember that piece I mentioned, you might sell more copies?

Also, if your app is checking the receipt to ensure that it is running on a device where a user is configured that is the same user the app is assigned to, you'll want to update that checking to do that to make sure it's running on the device that it's been assigned to.

Secondly, I want to make a pitch that device assignments are a great feature for shared device deployments, but another one for you app developers is to move, if you haven't already, to store your app's data and settings in the cloud, whether it's Apple's cloud with iCloud Drive if you're document-based, or CloudKit, or your own cloud-based storage.

This will help your app fit in better in shared deployments.

There are a number of sessions this week that will show you how to do that with our own solutions.

I encourage you to check those out.

I also want to highlight a change to the caching server feature of OS X server, which already caches OS updates and apps.

It now caches also iCloud data, including Drive documents, CloudKit data, and iCloud photo library photos.

And those of you who have now heard about App Thinning and on-demand resources, it will also cache those as well.

It just preheats the cache of cloud data on your network to give you better performance and reduce your bandwidth, and of course all of the data in the cache is encrypted using keys only present on the client device.

So turning to what this means for MDM developers, if you are supporting VPP managed distribution already, there are a few changes to the iTunes Store APIs, which I'll cover in a moment.

You will use the same Install Application command to the device to tell it to install this app.

You obviously should now support assigning apps to devices and device groups.

We've built all of this to make it easier to centralize the app's management workflows.

It will be much more reliable with device assignments to be able if you wish to unify the assignment in the Store with the installation command to the device.

So what are the changes for the Install Application command?

Well, if the app is not installed, it will install it.

If it already has been installed by the MDM server and is managed, it will update it.

If the user already installed the app so it's in an unmanaged state, the installation will fail, so your server will need to handle that case and respond appropriately.

For those of you who are already supporting this for OS X, hopefully all of you, for device assignments you want to use the same purchase method you have been using on OS X, purchase method one for iOS device assignments.

That's the command to the device.

Now let's turn to the command for the iTunes Store to update its records on which app is assigned to which device.

There are two new APIs that should make implementing support for VPP managed distribution much easier.

The first supersedes the separate commands to associate and disassociate licenses with users.

And it allows you to, with one call for a single app, to associate with any number of users or devices and disassociate any number of users or devices.

This will make it very easy to implement that smooth migration I mentioned earlier.

The second API gives you an easy way to get the list of apps the organization has purchased, including the number of licenses of each app that they have purchased without having to fetch the entire list of every single license they purchased.

This will make it much easier to build a responsive app library in your admin console.

Moving on to an existing API that has gotten several new fields.

There are max limits for the number of licenses that manage VPP licenses, API just mentioned.

You want to respect these values when you're calling that API to not call with more than that number of licenses in a single call.

We also have added a new Retry After header because, how can I say this delicately?

I'll be blunt.

Some of you, and we know who you are, have some MDM solutions that let's just say they send a few too many requests to the iTunes store.

We need you to fix that but also respect this header because if your solution continues to do that, we will send this header and we may, if you ignore it, create longer delays in rejecting your commands and potentially even suspend the account of your customer.

So please, adopt this.

All right.

So moving away from strictly VPP managed distribution to some more general app distribution topics.

There are a few things that are new.

Really, they are just more convenient.

The first is reiterating the point I made earlier that we've made a very smooth migration from user to device assignments to leave the app and data in place.

Secondly, if the app has already been installed unmanaged by the user, it is now possible to convert that app to managed state without having to reinstall or lose user data [applause].

TODD FERNANDEZ: I'll give you the details in a moment, but the third change is that you can now install apps via MDM or Configurator even if you disabled the App Store.

Great improvement for education in particular.

How does this work?

Changing an app from unmanaged state to managed state is as simple as sending a new Install Application command, with this new field, Change Management State equals Managed.

And this will happen silently on a supervised device.

That's it.

If it's an unsupervised device, you can use this, but the user will be prompted to accept the change.

Once that change has happened, managed open in will consider that app to be managed and all of that data will be within the managed sphere, just as if it had always been.

If the app is not installed at all, and you're passing this call, it will still install the app as a managed app.

That's great.

This works for App Store apps, all the different types of apps.

Let's talk about changes for enterprise apps.

We've created in iOS 9 a new UI flow to make it easier for the user to understand when they are installing an enterprise app from a new developer.

I'll show you what that looks like.

We also made it easier for you to avoid your users from ever having to see that great new user experience because you can prevent them from trusting new apps from other developers so that they can only use your in-house enterprise apps.

And if they have enrolled with your MDM server, they have implicitly given their trust to you as a developer, and so any apps that you install via MDM that are your enterprise in-house apps will be installed silently.

[ Applause ]

TODD FERNANDEZ: So if it is an enterprise app from a developer that they haven't trusted yet, what does that look like?

Well, it looks like this.

After they installed the app and launch it, they can dismiss that alert and then switch over to Settings and the profiles and remote management area of Settings, which was changed quite a bit and improved in iOS 8, they can trust the app.

And that's it.

And then any further apps from that developer will be automatically trusted, but they can also always come back here and remove that trust.

It's just that easy.

Let's now turn to B2B apps.

Those of you who have worked on MDM console or have used one know that it's really great.

You can have an app library that has the nice app metadata with the icon, the app name, and any other details about it.

But if it's a B2B app, it looks something more like this.

Wa Wa. Well, I really have good news for you.

Later this summer you will be able to get the same app metadata for B2B apps that you can for App Store apps today.

So you can make a nice experience for your users.

What's more, that will also allow you to get the metadata for any apps that have been removed from the App Store.

I thought you would be more enthusiastic about it.

Where are all the MDM developers [applause]?

TODD FERNANDEZ: All right.

At this point, we reached the end of our distribution section.

I would like to ask Shruti Gupta to come up here and demo a bunch of these features on Macs running OS X El Capitan.

Take it away.

SHRUTI GUPTA: Good morning, everyone.

I am excited to show you some of the cool features that Todd talked about.

The first thing I will demo are the new enhancements that we have made in account creation and password policy.

So here is my profile manager in OS X server.

I am using this profile manager server as my MDM solution where I have a couple of Macs that are registered in Device Enrollment Program.

If you look at the settings, you can see that I've already created DEP profile for the device group.

I have skipped all the Setup Assistant panes except for the local account setup.

This is a new feature that would force the user to create a standard user account.

Since OS X requires an administrator account, I provided administrator credentials here.

You have the ability to show or hide this administrator account from the user.

For today's demonstration purpose I will hide the administrator account.

I have also configured a passcode profile for these Macs that would require the user to use a complex password during this setup time.

What does this look like on the client?

Let's take a look.

So here is my Mac that is registered in DEP and has been booted for the first time into OS X El Capitan, mimicking the out-of-box user experience.

Let's go through the setup.

I select the United States for my country, U.S. keyboard.

Here we are at the configuration pane, which you will see only if the systems are configured in DEP. So we come to them.

Now, the MDM server is prompting me to authenticate with my directory server credentials.

I will enter my user name, Shruti, and my password, hello kitty.

So what it is doing right now, it is enrolling this Mac in the MDM.

It is going to fetch all the configuration profiles ever configured for this Mac from my MDM server.

We are at the user account pane.

You will see we've populated some of the information from the previous login.

I'm going to go ahead and enter my full name here, and let's see if it likes my hello kitty password.

Oh, looks like I need to use a more secure password based on the passcode policy that we set earlier.

I will enter a new password here.

What is cool about this is, it gives you immediate feedback as I'm entering the password.

I'm going to complete the Password Verification field and continue.

So it is creating the user account as well as the hidden administrator account in the background.

I'm going to select the time zone now, and you'll notice that I didn't have to go through any of the location services pane or the iCloud sign in pane because we configured it to skip all those Setup Assistant panes.

Here, our account is all set up.

Let's see what kind of account really got created.

I will launch System Preferences, go to Users and Groups.

You can see it is a standard user account.

The administrator account is not visible.

Just to prove that administrator account really got created, I'm going to unlock the pane with my administrator credentials that I provided on the MDM server.

Ta-da! You can see that it's unlocked successfully.

The next thing I'm going to demo is one of the coolest features, and I'm sure many of you have been waiting for, being able to assign VPP app to the devices without requiring the user to log in with their Apple ID.

So I'm going to push a VPP app to this Mac, which is going to be Apple Configurator app.

So while it pushes the app, let's see, check in the App Store that I'm not signed in.

So we look at the Store menu.

You can see that I'm not signed in here.

If you notice, the app has already started to install in the LaunchPad.

There is our Apple Configurator app.

Thank you, back to Todd.

TODD FERNANDEZ: All right.

Thank you very much, Shruti.

So what did we just see?

Shruti installed a passcode policy before the user account was created, and it was respected while that user account was created.

It was a standard user account that was created instead of an admin account.

She also created an admin account that she could use if she needed to log in directly on the Mac or remotely later.

She also showed you assigning a VPP app to a device.

So let's move on to the third section of today's session and talk about ongoing management of devices.

First, I would like to highlight the fact that iOS 9 supports Exchange ActiveSync 16, specifically a number of improvements to calendar support, including improved reliability for a number of common tasks and support for attachments in physical locations.

Now let's turn to our own MDM protocol and profiles.

There are a number of new commands and queries, and the ones I want to highlight at the top, there's a new query that tells you what software updates are available for that device and a command that will tell the iOS device to update to the latest iOS for any devices in DEP.

[ Applause ]

TODD FERNANDEZ: Including being able to tell the devices to download and stage the update so you can then command them all to update at the same time.

I've already talked about the remaining commands and queries in the enrollment section and the distribution section.

So I won't spend any more time on those.

Now let's turn to what's new with configuration profiles.

There are two new payloads, network usage rules, which allows an organization to control how their managed apps use the network, whether they're allowed to use cell data or roam.

The OS X server account payload configures whether apps that support the document provider API can access documents on their OS X server account.

There are a number of other settings added to existing payloads, including a lot of changes in the IKEv2 VPN connection type, more about that later, and a large number of new restrictions.

So let's look at those.

There are a handful that are applicable on unsupervised devices, including the ability to prevent users from trusting additional enterprise app authors that I mentioned earlier.

We also now allow you to tell AirDrop to be treated as an unmanaged destination [applause].

TODD FERNANDEZ: All right!

But the final thing I want to highlight here are the three restrictions, third from the bottom, modify device name, passcode, and wallpaper.

These are particularly useful in shared device deployments.

If you have, say, some might say creative, others might say malicious, students who like to mess with their devices, you can now prevent them from changing the device name, setting a passcode, or changing the wallpaper.

[ Applause ]

TODD FERNANDEZ: One final note about configuration profile restrictions in iOS 9.

There are a number of restrictions, these nine in fact, created before supervision existed.

And in fact, they really should only be applicable on supervised devices.

So this is your early warning that they are still applicable or they still are honored on unsupervised devices in iOS 9, but in an iOS version to be named later they will be only honored on supervised devices.

Now let's turn to OS X.

Just like in iOS 9, OS X El Capitan gives you a new query that tells you what software updates are available for that Mac, and you can tell it to install one or more of those updates if the Mac is in DEP. The device information query achieves parity with iOS and you can now obtain, if you are using user assignments for VPP managed distribution, you can now see which account is configured on that device.

We already talked about setup configuration and device-configured commands in the enrollment section.

There's also an active managed users query, which will tell the server which users are logged in and actively using the Mac so you can clean up obsolete unused sessions.

There are also some changes to configuration profiles.

There's a new payload to configure an Ethernet proxy and a number of settings for other payloads, including a handful of restrictions that were previously available on iOS and now also are available on OS X.

As I alluded to earlier, there are a lot of changes in VPN and enterprise network connectivity.

I encourage you to come and check out their session Friday morning and learn all about that.

I will not steal their thunder here.

That brings us to the end of the management section.

I would like to ask Shruti to show you some of these features on iOS.

[ Applause ]

SHRUTI GUPTA: Thank you, Todd.

Hello again.

So I'm going to demo some of the new features on iOS now.

So here is my device that is running iOS 9.

It is already enrolled in DEP. If you look at the settings, you can see that I can currently set a passcode on this device.

I can change the wallpaper.

And if I go to General, About, Name, you can see that I can edit the device name too.

Let's go to restrict these settings using our MDM server.

So the server is now sending the push notification to the device.

Keep your eyes on the screen as the settings get updated.

There you go, you can see that I can no longer set a passcode on this device.

I cannot change the wallpaper.

If I try to tap on the Name field, I cannot change the device name either.

Earlier we saw VPP app assignment on Mac.

Now we are going to see VPP app assignment on the iOS device.

I am going to push a VPP app to this device, which is going to be WWDC app.

Let's confirm I'm not signed into the App Store here while it's pushing the app from the server.

I go to App Store Settings, you can see that I'm not signed in with my Apple ID.

If you go to the Home screen, you'll notice that App Store does not exist there.

That is because I restricted the App Store from installing apps on this device.

SHRUTI GUPTA: I guess I'll give it back to Todd.

Thank you.

[ Applause ]

TODD FERNANDEZ: Thank you, Shruti.

You trust us, right?

It works great.

All right.

So what did Shruti just show you?

Again taking advantage of the three new restrictions to prevent students and others from changing things on the device that you don't want them to change, and being able to assign apps to devices and install apps on devices even when the App Store is disabled.

So let's turn to our fourth section and talk a few minutes about tools.

The first tools that I want to highlight, I hope that you MDM developers are aware of.

If not, this is your moment.

We created over the past year simulators for both the Device Enrollment Program and the Volume Purchase Program.

It allows you to simulate large numbers of devices hitting your server as well as all the service errors that may be difficult to simulate in any other way and test your handling to make sure it's robust.

Both simulators are available for download on the Developer portal, and we've released new versions this week that support all the new features that we talked about today.

Please, download and use them to make sure that your implementations are as robust as they can be.

We use them to test our own device management tools.

For example, Profile Manager, which, of course, has been updated to support all these new features.

Shruti showed you its support for several of them today.

Apple Configurator plays a role in automated enrollment using the Device Enrollment Program.

I want to talk about Configurator.

Here is Configurator.

Has the three workflows.

Prepare, you can configure how the devices are prepared and supervised, and assign them.

It was initially the only way to supervise devices.

You can install VPP apps using redemption codes.

You can install profiles.

It maintains and builds up a database as you supervise devices, and import apps from iTunes, and create profiles.

We received feedback over the last three years and learned a lot about managing iOS devices over the last seven years.

I am thrilled to tell you we have completely reinvented Apple Configurator and created Apple Configurator 2.

[ Applause ]

TODD FERNANDEZ: So what were our goals in creating Apple Configurator 2?

We wanted to invert the user experience and put your devices front and center.

That's what you are looking at in your cart or on your desk, and show you the state your devices are in, which makes it easier for you to understand what you can do with them and what is going to happen.

We've broken apart the workflows and given you discrete tasks so you can perform exactly what you need to do on a specific group of devices right now.

While at the same time making it very easy to combine those discrete tasks into custom workflows to prepare your devices and manage them just the way you want [applause].

TODD FERNANDEZ: We also heard that many of you are using multiple Configurator stations, some even hundreds in a large school district.

You want to better be able to share data between the stations and freely move devices between them.

We also of course want Apple Configurator to be a great tool for managing a small number of devices in a classroom, or a cart, or a lab.

But we also want it to be a great companion to the Device Enrollment Program and an MDM server, which is doing the bulk of the remote management.

But you might want to use Apple Configurator for a few tasks here and there.

Instead of me talking about it anymore, I would like to invite Enrique Osuna to show you Apple Configurator 2.

[ Applause ]

ENRIQUE OSUNA: Thanks, Todd.

I'm excited to be here to talk to you about Apple Configurator 2.

Why don't we go ahead and get started.

The first thing you'll see when you launch Apple Configurator is the Devices window.

This Devices window has all of your connected devices.

Each of the connected devices are represented by this icon.

These particular icons have an image of the device's Home screen.

This is Configurator's way to tell you these devices have been prepared.

Everywhere in Configurator where you see a collection of icons, you can also view the same data as a list.

You can get there by clicking on the View button in the toolbar and clicking on List.

Here, you see the same connected devices with additional information.

To go back to the collection of icons, click on the View button, and back to Collection.

One of the key features that Todd mentioned was the ability to perform discrete tasks on connected devices.

These tasks are found in the Actions menu.

In the Actions menu you can do things like add, remove, modify existing content as well as back up and prepare devices.

We will talk more about prepare in a second.

In the Devices window you see a big toolbar at the top.

The toolbar has all of the common actions of Configurator, such as the Update button here.

In the upper right-hand corner of these connected devices you see this big red badge.

What this red badge indicates is that these devices require an update.

I'll go ahead and see what updates are available.

Let me select all my devices.

Click on the Update button in the toolbar.

Now what Configurator is doing is contacting the iTunes Store, figuring out if there's any iOS or app updates.

Now, you can see that Configurator has identified that the WWDC app on my devices needs an update.

So I can update that app by clicking the Update button.

Configurator is contacting the Store, downloading the apps, and actually installing them onto the devices.

For those who didn't notice, I didn't have to launch iTunes in this entire transaction.

[ Cheers & Applause ]

ENRIQUE OSUNA: Configurator no longer has a database of apps that you have to manage or maintain.

Now, as Configurator is finishing up the app install, you'll notice the big red badge that was in the upper right-hand corner should start disappearing here shortly.

This is an indicator that these devices no longer require an update.

Now, right before this presentation, I was actually having some problems on one of my pads.

It was probably that one, trying to get on to the WiFi network.

Let's look at what might be going on.

If I double-click on one of these devices, Configurator launches you into this new UI that allows you to see some information about your device.

You can find things like the device's name, serial number, as well as organization information.

In the left sidebar, you can find apps.

These are the apps actually installed on my device, as well as profiles.

These are the profiles that are installed on my device.

Unfortunately, this device is missing my WiFi profile.

I'm sure I have other devices in my cart that are missing a profile as well.

Let's go ahead and see if we can't figure it out.

I can go back to all my devices by clicking on the Back button in the toolbar.

Here are my connected devices.

If I go to the Search field in the upper right-hand corner and start typing WiFi, Configurator offers me this fancy suggestion of all the devices that have the WiFi profile installed.

The problem that I have is not which devices have the profile already installed.

It's the devices that don't have the profile installed.

If I click on the token in the Search field and it says profile is not installed, Configurator will show me the two pads missing the profile.

Let me fix the problem.

I'll select both devices, click on the Add button in the toolbar, and click on Profiles.

Configurator 2 no longer has a database of profiles.

These profiles can be found anywhere on your disk.

Let's navigate to the desktop.

Here I have my WiFi profile.

What is neat, you can have these profiles on mounted volumes and even in your iCloud drive.

Now that Configurator is done, I can clear the Search field and I can see my connected devices again.

Another cool feature of Configurator 2 is the ability to tag a device.

Tagging a device allows you to create device groups, but again, without a database of devices.

I can show you that right now.

If I select a couple of these devices, go to the toolbar, and click on the Tag button and select a few of these tags.

Press the Return key.

What Configurator is doing is writing that tag to these devices.

What is neat about the tags, it is actually written to the device.

When you transport this device to another Configurator station, those same tags appear there as well.

If I go back to the same Search field in the upper right-hand corner and start looking for my tag, I start getting a suggestion, fourth grade, I'm going to go ahead and click on that.

Now Configurator is showing me just the pads that are tagged with fourth grade.

Right under the Search field [ Applause ]

ENRIQUE OSUNA: Under the Search field, there's a Save button.

Configurator allows me to save this search for later use.

Let me click on the Save button.

You'll notice a new entry in the favorites bar right here.

Now, whenever I add another device that has the fourth grade tag attached to it, it will appear in this particular view.

So one last thing that I want to do is rename my devices.

Let's go back to all devices right here in the favorites bar.

And let me select all of my devices.

Go to the Actions menu.

Modify. Device name.

Like Configurator 1, Configurator 2 can rename your devices.

We offer you an opportunity to provide static text.

Let me go ahead and give it some static text.

And in Configurator 1, we introduced a feature that allowed you to append an autoincrementing number to the field.

In Configurator 2, we kind of let you do that too, but we do that through what we like to call a token.

These tokens can be put anywhere in the name.

Here you see the autoincrementing number.

You see other information about the device, like the device's serial number, type, and capacity.

For this demonstration, I like to use type and the autoincrementing number.

Now I click on Rename.

Configurator is now going through all these devices, grabbing those bits of information off the device, and creating a name and putting it back on to the device.

As you can see, my devices are named Townships Schools iPad 1 through 5.

All these devices are configured.

I have a brand-new cart of devices I would like to add.

These are pads that are right out of the box and almost ready to go as soon as Configurator is done with them.

The first thing that you'll notice is this big white Device icon, what that represents is that these devices are ready to be prepared.

I would like to show you that prepare right now.

Let me click on one of these devices.

Click on the Prepare button in the toolbar.

In Configurator 2, there's two prepare workflows.

One is manual, and the other is the automated enrollment that Todd talked about earlier in the presentation.

For this demonstration, I'm going to do these iPads using manual.

I'll click on Next.

Here is my opportunity to manually enroll the devices into MDM.

I don't have an MDM server with me today, so I will go ahead and click on Next.

Here, Configurator is asking me if I want to supervise my devices to my organization, and I absolutely do to take advantage of the new iOS 9 supervise only features.

Click on Next.

This is the organization that is associated with the supervision.

This looks good.

Next. And this final pane is my opportunity of skipping iOS Setup Assistant panes on the device once I hand my device back to my users.

For this demonstration, I want to not show any of the panes.

I'll go ahead and click on Prepare.

Configurator is now preparing and supervising these devices.

I still have to tag, add some profiles, and add some apps to this device, which actually is a lengthy process.

So, what we did in Configurator 2 is automated this process with what we call blueprints.

I'll show you what a blueprint is right now.

If I click on the Apply button in the toolbar, and click on Edit Blueprints, Configurator takes you into this special mode where you can create a new blueprint, and I'm going to do that.

Click New Blueprint.

Let me give it a name I can remember.

And press Return.

Now, what's really cool about these blueprints is that they act just like a device.

Anything that I can do on a connected device, I can actually do on a blueprint.

What the blueprint does, it records those actions, and then later on I can replay those actions.

Let me do the first thing, which is prepare.

If I click on the blueprint, I press on the Prepare button in the toolbar.

Configurator offers me the same view we had earlier when we clicked Prepare.

Configurator remembered my last options.

And these options are fine.

I can breeze through these setup panes.

Click on Next.

Until we get to prepare.

Now that the blueprint is prepared, I want to add some tags.

Click on the Tag button in the toolbar.

Select a couple of tags.

Press Return.

You will immediately notice the Blueprints label is updated with my new tags.

I want to add an app.

Click the Add button in the toolbar.

Apps. Now what you see here is all the VPP apps associated with my VPP account.

I want to go ahead and push the WWDC app to a part of this blueprint.

I click on WWDC, Add Apps, and then finally I want to add my WiFi profile.

The same Add button, Profiles, Configurator remembered the last spot I was at for profile.

I'll click on my WiFi profile.

Add profiles.

Now, like inspecting the device, you can also inspect a blueprint.

If I double-click on this blueprint, I'm presented with this blueprint inspector.

Here you can see additional information about the blueprint such as its name, its storage requirements, here with the storage bar at the top of this inspector, as well as the prepare options I highlighted earlier and the tags that I've set.

Like a device inspector, you can also inspect the apps associated with this blueprint and the profiles associated with this blueprint.

Now I'm almost done.

I just need to rename the devices associated with this blueprint.

So I go back to Info.

Click on Actions.

Modify. Device Name.

Configurator remembered my last rename options.

Those worked fine, so I'll click on Rename.

You notice here in the blueprint the device name options show up here.

Great, this blueprint is done.

In the lower right-hand corner, I can click on the Done button.

Now I want to apply that blueprint to these devices that are ready to be prepared.

Let me select those devices.

Go back to that same Apply button that we went to earlier.

Now you see an entry for my blueprint.

If I tap on that entry, Configurator is now going through the actions I saved in that blueprint and replaying them on to the devices.

This is Apple Configurator 2.

Thank you very much.

Back to Todd.

[ Applause ]

TODD FERNANDEZ: Thank you very much, Enrique.

So Enrique has shown you how to configure devices using Apple Configurator 2, including installing VPP apps.

I'll talk more about that in a moment.

You can create device tags that travel with the devices between multiple Configurator stations using tags.

He showed you how to build and use a blueprint to create a custom workflow and replay the set of actions that you want on any number of further devices.

However, there's even more automation options that we didn't show you here.

In addition to blueprints in the UI, there's also a command-line tool.

There's a scripting library and suite of automation actions for you to easily integrate Configurator's functionality into your workflows.

[ Applause ]

TODD FERNANDEZ: You're in for a treat because Sal Soghoian is going to talk about that on Thursday afternoon, how to use Automator and Configurator together to automate your device management workflows.

Enrique showed you a lot of what Apple Configurator 2 can do but there's more.

I mentioned multiple station support, all of those profiles that you can find anywhere on your Mac can be saved in iCloud in addition to other Configurator settings.

I mentioned the automation tools.

While Enrique showed you the cool additions to renaming that Apple Configurator 2 has, there are also some great enhancements to being able to set wallpaper, which is no longer a preference, but can be done as a command on any number of devices.

There are cool tricks if you look at the options in there as well.

Definitely check it out.

We released the beta yesterday, and it's available for you to download from the Developer portal and we will also have it in the Lab.

That brings us to the end of our fourth section.

And I just want to sum up quickly for you administrators that if you are using wireless remote management, use the Device Enrollment Program or Configurator using automated enrollment to get your devices enrolled in MDM or use Configurator to manage your devices if you are not going to use MDM.

You can use VPP managed distribution now not only to distribute apps to users but also to devices.

As I mentioned the Configurator 2 beta is available now.

Turning to developers, again, you app developers, please early next month in iTunes Connect you will be able to opt in to device assignments for your apps.

MDM developers, please support VPP managed distribution device assignments, your customers will appreciate that.

The documentation is available now, and the new iTunes Store APIs that I mentioned and talked to you about are already in production, ready for you to use.

Support all the other new features in iOS 9 and OS X El Capitan, and use the DEP and VPP simulators to test your implementation.

There are related sessions this week about CloudKit, there's an enterprise get-together later tonight.

The VPN session on Friday and Sal's session on Thursday.

Check them out.

There's a great website with lots of resources for how to integrate Apple devices into your enterprise.

Lots of documentation for MDM developers, from the MDM protocol to the configuration profile reference, and a forum where you can ask and answer questions.

Administrators, there's lots of reference guides for deploying iOS and OS X in your organizations as well as help for our tools and forums to ask and answer questions about how to bring Apple devices into your organizations.

Thank you for your attention and wish you have a great show.

Thank you very much.

[ Applause ]
