What's New in Apple Device Management

Session 303 WWDC 2016

Learn about the latest developments in managing Apple devices in large organizations including Classroom and Shared iPad for Education. Learn the latest techniques to wirelessly configure settings, monitor compliance with policies, install apps and bulk configure devices with ease.

[ Music ]

Good morning.

[ Applause ]

Welcome to Session 303.

I'm Todd Fernandez.

And I'm very pleased to be here with you this morning to give you an update on what's new in managing Apple devices.

Now, before we begin, I do have to warn you that I am still a little bit tired after attending my college reunion last weekend.

And I'm not going to tell you which one, but if it had been an anniversary, I would have received some silver.

Now, despite being a little tired, I'm very grateful to see you all here in the hall, but I also want to give a shout out to all of you watching the live stream around the world, as well as you future viewers watching this recording at some indefinite period like some three-eyed raven.

Hello, future viewers.

But speaking of the passage of time (no, not that kind of time, although I do love my Apple Watch), I want to talk about the calendar.

Now, to many of you here in the hall today, the spring may seem like a quiet time for device management.

As we toil behind the scenes on all the new capabilities that we're going to announce and preview at WWDC and then ship in our fall releases.

But it turns out surprisingly enough that schools actually want to use those features before we typically ship our fall releases.

They want to configure devices taking advantage of all those new features over the summer for use during the next school year.

But in order to do that, they need to have already purchased their hardware and software even earlier.

And in order to do that, they need to have evaluated all of the new hardware, software, and tools options even earlier.

Which brings us to iOS 9.3.

It's really strange how that release date just kind of jumped right out at us.

But the schedule isn't the interesting part; what about the features?

There are a ton of new features that we released in our spring software and service releases.

But the true stars of the show are clearly Apple School Manager, Shared iPad, and Classroom.

Let's first talk a little bit about Apple School Manager, which provides a streamlined enrollment process to access Apple's device management services.

Those services include creating accounts for students and teachers, as well as the class relationships between them, configuring how their devices will be enrolled for remote management, and purchasing the apps and books and creating the curriculum that will help students learn.

And fortunately, one of the technology directors at one of the school districts which piloted these features earlier this year agrees that Apple School Manager will save their tech staff lots of time, allowing them to manage devices, content, and our student accounts all from one place, exactly what we intended.

Now let's turn to Shared iPad.

Shared iPad allows the majority of schools in the United States and around the world which share devices to provide their students with a personalized experience and enable them to use the complete Apple ecosystem.

Shared iPad can be configured so that younger students can sign in by simply tapping on their photo and entering a four-digit pass code.

Student data is stored in the Cloud and downloaded to a specific iPad when they sign in as needed.

Again, it's great to see that the folks who are responsible for getting these Shared iPads into the students' hands agree that Shared iPad will allow our district to transform a cart of shared devices into a personalized learning experience for each student.

Again, nailed it.

All right.

Finally, Classroom.

Classroom empowers teachers to keep themselves and their students focused on learning rather than managing technology, by placing a small set of key capabilities at their fingertips right in the classroom.

Teachers can easily open an app or a chapter in an iBook on all or a selected group of student devices, project student work to the Classroom Apple TV, or monitor and redirect a student who may be off task even while they're working with a different group of students across the classroom.

And I was very fortunate to visit Mr. Garcia's classroom a few months ago, and it was truly inspiring to see the projects that his students were working on their Shared iPads with his support using Classroom.

And after his experience he reports that Classroom has been an extremely useful tool throughout the school day to enhance the project-based learning that's going on in his classroom.

Classroom helps him to keep all of his students accountable for their work while also keeping them extremely engaged in their assignments.

Now while it's extremely gratifying to get this kind of response to the features we released, it's also been great to hear some great feedback about their quality, including from some very difficult to impress customers who have raved about the blazing performance and reliability of Classroom's features.

Now, these spring 2016 changes, with an extremely well-received feature set and high quality delivered on a schedule which schools need, underline Apple's commitment to deliver not only the best devices and most advanced operating systems but also the best device management experience.

We've demonstrated this commitment by investing heavily in providing a great experience to schools bringing Apple devices into their classrooms.

But we need all of our partners, from MDM vendors to tool providers, to all of you app developers who would love to see your app used by thousands of students around the world, to join with us to ensure that that great experience reaches all of our joint customers all over the world.

But I do want to encourage you to keep up because although we don't talk about future products, we are definitely not done yet.

So today I'm going to cover all of the new developments across the entire device management life cycle.

So let's go ahead and get started.

I'll cover a few changes to some existing features and go into some detail about the new things like Apple School Manager, Managed Apple IDs, and, of course, Shared iPad.

So first I want to cover a few things that haven't changed.

For Enterprise customers we still have the Apple deployment programs, the Device Enrollment Program for configuring how your devices enroll for remote management, as well as the volume purchase program for purchasing your apps and books and distributing them to your devices and your users.

However, we've also added a number of new device management commands and settings in the spring that I'm going to talk about later in this session.

And we'll try to highlight those that are of specific interest to Enterprise customers, though many of the things we've done for education also are useful in Enterprise.

Turning to education, now let's talk about Apple School Manager in more detail.

As I mentioned, it allows the school to manage the people, the devices, and the content the school is managing to deliver that improved performance in the classroom.

With respect to getting those accounts created, there are two options: You can connect Apple School Manager to your student information system to pull out all the student, teacher, and staff, and relationship information; alternatively, you can upload that information using a CSV template.

Once Apple School Manager has that information, it creates managed Apple IDs for each student and teacher, as well as creating classes that have those relationships between which teachers have which students in their classes.

What are those managed Apple IDs?

Well, they're used both by the school staff as administrator accounts and accommodate tiered administration so that different administrators can have different privileges for managing your school's people, content, and devices.

The student accounts have a few special characteristics.

They're required to sign into a Shared iPad, but they can be used for one-to-one deployments as well.

And in Apple School Manager you can configure the pass code options for Managed Apple ID from the full-strength iCloud password to a simpler four or six-digit pass code.

Managed Apple IDs are special in another way in that some services are disabled, such as commerce, so that students using a Managed Apple ID cannot purchase things from our stores.

There are also services such as FaceTime and iMessage which can be enabled if the school decides they would like to use them.

All right.

For you MDM vendors out there, of course, just as with the Device Enrollment Program and the volume purchase program, there's an API to access this roster information from Apple School Manager and give your MDM solution access to all the student and teacher Managed Apple IDs, as well as the classes.

In terms of the transition from schools moving from the Apple deployment programs to Apple School Manager, the good news for them is that they do not need to download new tokens.

It will continue to work.

But your MDM solution needs to be ready for this transition and be checking to see if their token is now an Apple School Manager type and supports the new v3 API, which will actually be what gives you access to the roster service information.

On a parallel track, when you're interacting with the Device Enrollment Program service, you can tell it that you now support API v3 by including that information in the header.

And you'll receive the additional information that's now available via that API.

I also wanted to pass along a few best practices that my team has learned in adopting this API in Profile Manager.

The first is really a strong recommendation that we think your customers will really appreciate.

If they have been using your product for a while, they've undoubtedly connected it to their directory to get user and group information so that your solution also has a representation for each user.

Once you connect up to the roster service API in Apple School Manager, you're going to be getting a second representation of each user in the form of the Managed Apple ID.

And we recommend that you allow the administrator to provide some matching criteria so that you can automatically merge those accounts into one representation of each student and teacher.

And because that matching won't catch every single record, we think you also should allow manual merging of records to be able to tell you this directory user is the same user as this Managed Apple ID.

One special note about records that have been created by CSV uploads is that the person number that's uploaded in the CSV template becomes the source system identifier in the API results that you will receive.

That source system identifier corresponds to something more like a student ID; it's not a GUID or a primary key.

So that field can actually be mutable and is not guaranteed to be unique.

And you need to be prepared for that case.

The final practice I wanted to pass along was to point out that there is no delta API so that you'll need to do a full enumeration to get all of the records from the API.

Since the student information system syncing is only performed once per day between it and Apple School Manager, there's no need to automatically perform a full sync more than that frequency.

And in fact, if you give your users an opportunity to request a sync, you're going to need to throttle that so that they're not overwhelming your product and our system.

Turning from people to devices, Apple School Manager allows you to configure the Device Enrollment Program settings for your school's devices, including finding your purchases, configuring the details of your MDM servers, and then assigning devices to those MDM servers so that when they're enrolled they'll be managed by those servers.

And finally content.

Apple School Manager allows you to jump to the Volume Purchase Program store to buy your apps and books, and it also offers access to iTunes U Course Manager.

And I also wanted to mention that we recently released iTunes U 3.3 which now supports integration with Apple School Manager to pull managed course information into iTunes U.

Now let's talk about some of the other details of enrollment to getting your devices ready for remote management.

Last year I talked about a new feature in iOS 9 called enrollment optimization.

And just a recap: this allows the MDM server to include a bit in the Device Enrollment Program settings for a device that I want you to wait until I'm done configuring before allowing the user to use the device.

That setting comes down to the Mac or the iOS device in their DEP settings.

It then sends a token update with device ID back to the MDM server, letting it know that I'm ready to be configured.

The MDM server can then send as many commands, install as many configuration profiles as needed to bring that device up to spec. When it's done, it then sends a device configured command to the device, which then exits the Setup Assistant and allows the student or the employee to use the device.

This enables the organization to ensure that that device is not used prior to being fully configured.

Now that we have Shared iPad, there's a new wrinkle here in that there's a new action in users signing in.

At that point the Shared iPad will send a token update back to the MDM server.

But in contrast to the one I just talked about that's device-specific, this token update reports the Managed Apple ID for the user who signed in.

That enables the MDM server to send, again, as many commands as it needs to configure that device with any per-user settings, which I will go into a bit more later.

One crucial difference between this Shared iPad feature and the device-specific enrollment optimization is that unlike the prior one which waits in Setup Assistant until the MDM server is done, the user is not blocked from completing sign in until the MDM server is done.

A few security best practices.

Those of you who have been keeping up will know that we removed support for MD5 in iOS 9.3 for SCEP servers.

We've also deprecated DES, but we also added AES support.

So the message here is that your SCEP servers should support 3DES or AES as soon as possible because we want to be using the most secure cryptography possible and it's time to move on to the modern ones.

Next, a few details about configuring the Setup Assistant, one of the other features of the Device Enrollment Program.

In iOS 9.3.2 we now allow you to skip the new True Tone display Setup Assistant pane on hardware which has that display.

And new in macOS Sierra, we have some great new features, but in fact you might not want your users to configure them during setup.

So you can skip the Siri or the iCloud desktop setup pane.

Now, this is another advertisement.

I think I've done this now, this is the third year running, for you MDM vendors to support MDMServiceConfig, which allows tools like Configurator to obtain information about your MDM server, such as the DEP enrollment URL or where to fetch the anchor certs.

Profile Manager has supported this for some time now and Apple Configurator 2 takes advantage of it, enabling users to simply enter the host name of your MDM server and Configurator does the rest.

Now let's talk about Shared iPad.

Of course, this brings support for multiple users to iPad in the classroom.

A few details about installing apps on them.

And then I want to talk a little bit about the details of how it preserves user data.

As I mentioned earlier, Shared iPad requires a Managed Apple ID to sign into.

Once a student signs in with her Managed Apple ID, she is also signed into her iCloud account for data storage, as well as her iTunes account for assigning books, which I'll talk about in a minute.

It's also used for supporting iTunes U.

Now, since there isn't always an Apple ID signed into a Shared iPad, you'll want to deploy apps and install them using device assignments, which we added to VPP managed distribution last fall in iOS 9.

MDM vendors hopefully have all added support for this already, but you'll need to use the newer PurchaseMethod 1 to support device assignments.

All app types are supported from VPP apps to [inaudible] apps to Enterprise apps.

Although in order to distribute VPP apps via device assignments, the developer of that app must have accepted the latest T's and C's in iTunes Connect to allow device assignment.

Now let's talk a little bit about the underlying architecture.

As I mentioned, the student data is kept in the Cloud; that's where the truth is.

But once they've signed into a particular Shared iPad, their data is downloaded and cached there.

However, that cache may be purged if additional students need to be accommodated on that Shared iPad.

Each student can only see his or her own data.

But if they generate a lot of data during a session and they sign out before all of that data has successfully uploaded to the Cloud, Shared iPad will continue to upload that data at the log in screen or even if other students sign in.

The key to all this working is that all of your apps are education ready.

That primarily means that you're storing all of your app's data and settings in the Cloud.

We've got a whole session right after lunch about how best to make your app education ready right here in this room, and I encourage you come back for that one.

Now, just kind of animation to explain this a bit better.

Student enters her pass code.

Shared iPad gets her to the log in screen to the Home screen, excuse me.

Downloads her data.

See, she's working on her project, but now it's time to sign out, to go to the next class, or to go home for the day.

Even back at the login screen her data continues uploading.

Maybe she was working on a movie project.

But even if another student then signs in and begins downloading his data, the previous student's data continues uploading until it's all safely stored in the Cloud.

But the next student can begin using the Shared iPad right away.

So what do you MDM vendors need to do to support Shared iPad?

Again, hopefully all of you have done this already.

But for those of you who may be a little bit behind, there's a new setting in the DEP settings very similar to supervision that tells the device to enter Shared iPad.

You also will want to use Enrollment Optimization that I talked about earlier to set some key options before student use.

And I'm going to go into a bit more detail about both user quota and lock screen grace period.

So what is the user quota?

Well, it's the maximum number of the users which will be cached locally at any one time.

Let's say six.

iOS will then automatically calculate how much storage should be allocated to each of those six users, taking into account space reserved for iOS, as well as books and apps that you're going to install.

As users log in, their data is downloaded and cached on the Shared iPad.

But in this case with a quota of six, if a seventh user signs in, one of the user data caches will be purged.

And we will purge the least recently used user who doesn't have any data still remaining to upload to the Cloud.

Some guidelines on how to choose this value: you really want to try to get it close to the number of students who will actually use the Shared iPad during the day, which will typically be the number of class periods you have in a day.

Because if you have too few, students will have their data purged more often than necessary.

And if you choose a number too large, you're going to allocate space that's not actually going to be used.

Lock screen grace period.

So let's imagine we set this to one minute.

And this option allows the schools to choose the right balance between ease of use for their students and data security for their students.

And I think it's easier to illustrate with an animation than for me to talk about it.

Again, let's imagine we set it to one minute.

The teacher asks the students to put their Shared iPads down.

So the screen locks.

Let's imagine she doesn't have much to say and after 30 seconds Mia swipes to unlock her device and she gets right back to work without having to enter her pass code.

Now let's imagine the teacher has rather more to say and Mia swipes after five minutes.

She will be prompted to enter her pass code again.

So, again, this offers an opportunity for schools to choose that right balance.

Another detail for you MDM vendors, iOS as part of Shared iPad now has a user channel in addition to the device channel that can be used to send MDM commands and install profiles.

macOS has had a user channel all along, of course.

And this is very similar but with some differences I'll cover in a moment.

In fact, if your MDM solution is already sending commands over the user channel to Macs, if they were sending them to iOS devices previously, they would have been ignored.

But with iOS devices 9.3 and later they will now pay attention to them.

There's a subset of configuration profile payloads which are able to be used on the user channel which I'll cover in a moment.

One important difference between the user channel in iOS and macOS is that no user authentication is performed before delivering those per-user commands to a Shared iPad.

So you should never send sensitive information over user channel, and in fact, we will enforce that no credentials are delivered over the user channel.

That includes the new Google OAuth account payload that we introduced in iOS 9.3.

As I mentioned, all the accounts payloads, including that new Google OAuth account payload, are supported on the user channel, as are the new notifications, Home screen layout and Safari auto-fill domains enhancement to the domains payload that we introduced in iOS 9.3.

The existing restrictions payload can also be used on the user channel, including the new show/hide apps feature that was added in iOS 9.3.

One important detail about restrictions payloads that may at first seem confusing but in fact is not a change from how they have always worked: if a restrictions payload is delivered on a device channel and the user channel, they will be combined by iOS to compute an effective restriction with the most restrictive setting winning.

This prevents a student from installing another configuration profile without that setting and freeing him or herself from that restriction.

The reason this isn't really any different is this is exactly how multiple profiles have always worked even if delivered all over device channel.

And with that, I'd like to ask David Steinberg to come up and give you a demo of Shared iPad and some of the other education features we released this spring.

David, take it away.

[ Applause ]

Thanks, Todd.

It's great to be here demoing Shared iPad to all of you.

Let's take a look at what using Shared iPad between a couple classes in a school is like.

To start we'll look at the log in screen.

Now, you can see the school's name's at the top.

We have some recent users of the iPad below, and then a class list that the students can choose from to log in.

When I want to log into this device I can choose my class from the list, which is the class' name and a list of students to choose from.

If this isn't my class, I can go back to the class list, select a separate class, again, we see the class name and a list of students we can choose from.

Now, if I'm not in any class on this device, I can still log in using any Managed Apple ID that belongs to the same organization as this iPad.

But to demonstrate Shared iPad today let's go back to our recent users.

Here we have Ava, a second-grader, and Liam, a third-grader, who both used this iPad in their classes yesterday.

The second grade class is about to start.

So let's log in as Ava.

Now, when we log in and log out our video sync will cut for a second.

So I'll show you here.

After she enters her credentials, they'll authenticate against the Cloud, authenticate locally on the device, the iPad will get ready and then will land on her personalized Home screen that the school has selected for her.

Now, while the video catches up, let's talk about how this device has been configured.

The school configured this device specifically for second and third-graders.

They chose the apps that each student in those grades would use and then created Home screen layouts for each of the students that they would see every time they land on any iPad within that organization.

So for Ava, as a second-grader, they've chosen these apps and this layout.

You can see iBooks and Notes in the dock because those are the most-used applications by second-graders.

In fact, Ava's been taking multiple notes across a variety of iPads in school.

And you can see that all of her notes have synced to this iPad from iCloud.

Now, we can create more notes on this iPad and they'll also sync and be available on other iPads.

Today her class was learning about WWDC.

Of course, it's a great topic.

So let's help her out by taking a note to commemorate this session.

In fact, let's take a little video.

All right, everybody, say, "WWDC."

WWDC.

Woo-hoo.

Perfect. Now she'll remember this forever.

Unfortunately, it's time for her to end the class and log out.

Now, when Ava logs out the device lets her know which applications are saving data, and any data that needs to be synced afterwards at the log in screen or when another user is logged in is prepared then.

So when we land back at the log in screen or log in as another user, that data can continue uploading in the background.

For example, if we had been recording this entire session up to this point instead of making a little video, it would be given another chance now to start uploading.

Now a third grade class is starting and Liam is back at this device.

So we'll log in as him.

Again, after we enter his credentials they authenticate, the iPad gets ready, and he will land on his personalized Home screen.

For the third-graders the school has chosen most of the same applications as for the second-graders.

But they've also included a couple extra applications, including the ones from iWork because the third-graders produce multiple presentations throughout the year.

And they've also included an app like Safari so that the students can do research for those presentations.

So if you look at the dock, you'll see that Liam also has iBooks and Notes, but he now has Maps and Safari because the third-graders are studying the geography and history of the great state of California.

Now, Liam needs to put together some notes in preparation for a presentation he'll be giving.

And though Ava just used this same iPad to take notes, Liam does not see any of her notes.

In fact, it looks like Liam has not been taking very many notes.

So let's help him get started here.

We'll create a new note.

And Liam's found some images online that he'll be able to include here.

So let's add one of those now.

Oh, beautiful.

California state flag.

That's a great flag and a great start to some notes.

But unfortunately, class has come to an end, so Liam needs to log out.

Thankfully, when he logs out, he knows that his data is being saved and it will be available when he gets home and wants to continue working on his project.

Every day throughout the entire day different students can use the same iPads to work on their projects, their data's saved and it's synced and available across multiple devices throughout their school.

For Ava and Liam, that means being able to continue working on their projects wherever they want, wherever they go.

Thank you.

Back to you, Todd.

[ Applause ]

Thank you very much, David.

Just a brief recap.

So David showed how you can preconfigure classes on Shared iPad's log in screen, as well as take advantage of building up a list of recent users who sign in with their Managed Apple ID and pass code.

They had actually signed in using a [inaudible] user and demonstrated that Ava and Liam only see their own user data in Notes and over other app.

And in fact, the school can choose to show a different set of apps and Home screen layout for different groups of students.

Well, that concludes our getting started section.

Let's continue with distribution.

We got a few changes to talk about this year.

And let's get right to it.

So there's a great new feature tied to Managed Apple IDs that allows MDM servers to programmatically link Managed Apple IDs from an organization to their Volume Purchase Program account so that no invitation process is necessary because we know that this account is coming from that same organization that wants to distribute apps and books.

This, of course, does require that the school's DEP or Apple School Manager token and VPP token come from the same organization.

But as I mentioned earlier, since the customer doesn't need to download any new tokens after the transition to Apple School Manager, this should be simpler.

For you MDM vendors, it is possible that the school has different tokens for DEP and VPP that appear to be from different organizations.

There is a dedicated error code for this failure mode.

So you can try to perform this association and just catch the failure and be able to notify them that, "Hey, your tokens don't match, and you'll need to fix that before we can give you this feature."

Of course, to give this feature to customers, you'll have to adopt the API for it, which is already available in production.

And this is going to be very important for distributing iBooks Store books to Shared iPad, which we'll talk about next.

So how can you get iBooks Store VPP books to a Shared iPad?

VPP books can only be assigned to users and cannot be distributed to devices.

So the way it will work is that once you've assigned the VPP books to your Managed Apple IDs, each student when signing into Shared iPad will then see them appear in their iBook Bookshelf, and they can simply tap the download button to get those bits.

The good news is that the second and on to nth student who wants to use that book on that iPad will appear to immediately download because the bits are already there on the device and are only stored once to save storage and bandwidth of downloading them repeatedly.

In contrast, non-iBooks Store books like PDFs or iBooks Author documents or EPUBs can be device assigned and managed just like assigning apps to Shared iPad.

Finally, a few important points on some changes we made to how Enterprise apps with universal provisioning profiles worked that were introduced in iOS 9 but proved to be somewhat confusing.

These universal provisioning profiles allow a non-App Store app to run even if that specific device is not defined on the provisioning profile accompanying the app.

For this to work, it requires both initial trust by the user of that app signer, as well as ongoing periodic validation by Apple that that specific universal provisioning profile remains valid.

So, again, when installing one of these apps by any way other than MDM, the user must explicitly trust the app signer.

However, if the device is enrolled in MDM, those apps are implicitly trusted based on the fact that they trusted this organization when enrolling in MDM.

However, the second piece, that Apple must consider this UPP valid for the app to continue to run, requires that the device be able to be online occasionally to see the validation server.

Even MDM installed apps also still require this periodic validation.

But an MDM server can trigger the device to say, "Go validate all of these apps right now."

This is a really key feature for deployments such as an electronic flight bag for an airline pilot that will be offline for some period of time on a regular schedule.

The MDM server can tell the device before it's going to be offline, "Go ahead and validate all your apps to ensure that they continue to run."

And in fact, for you MDM vendors, and this is what we've done in Profile Manager, we recommend that you just go ahead and automatically validate any applications that you see when fetching the application list at a sync that are not validated, and that will keep them all running all the time.

That concludes our section on distribution.

And now let's move on to all the changes in device management capabilities that are used on an ongoing basis to manage your devices remotely.

And to take us through this section I'd like to invite Shubham Kedia up here to walk you through it.

Shubham?

[ Applause ]

Thanks, Todd.

Good morning, everyone.

I'm thrilled to be here to walk you all through some great new management features we've added to both iOS and macOS this year.

So let's start with iOS 9.3 where we added some brand new MDM commands and queries to go alongside Shared iPad.

The settings command was updated with the ability to now specify the maximum number of users that can have local accounts on an iPad.

We saw Todd talk about this earlier.

You can now also toggle diagnostic submission via MDM.

We added some commands that are specific to user manager as well, such as the user list command, which you can use to get the list of all users that have accounts on an iPad and even get information like whether or not they're logged in, whether or not they have data that's left to be synced to the Cloud, as well as information about their user quota and how much space they've used.

There are new commands to log out users and delete users as well.

9.3 also introduced MDM Lost Mode and MDM Activation Lock.

Now, these aren't specific to Shared iPad; these work across all supervised devices.

So you can rest assured that if a device gets misplaced, you can remotely enable MDM Lost Mode with a custom message and phone number and even be able to get the device's location.

For devices like Shared iPads where you don't have an Apple ID associated with them, MDM Activation Lock is also a great option to prevent theft.

Now, before I move on I'd like to point out these icons that you see here.

These represent commands, queries, or configuration profiles that are specific to either Shared iPad or supervised that you'll see throughout the slides.

9.3 also introduced some great configuration profiles that allow you to configure your devices exactly the way you want.

The education payload is used to configure both the Shared iPad log in screen as well as Classroom app.

Notifications allows you to configure exactly the notifications settings you'd like for all applications.

You can preapprove or deny notifications from apps that aren't even installed yet and even toggle things like sounds and badges.

The Home screen layout payload that we saw David use in his demo earlier can be used to configure exactly the arrangement of apps and folders you'd like your students to use.

The lock screen message payload allows you to specify a custom footnote that appears both on the lock screen and the log in screen of Shared iPad.

The exchange and mail payloads saw some updates as well.

You can now choose whether you want to allow the use of Mail Drop when sending emails from those accounts.

The domains payload has been updated with the ability to now specify exactly the domains for which Safari will offer to save and auto fill passwords.

For you Enterprise folks out there, we've updated the VPN payload as well with some great new IKEv2 settings, and the restrictions payload has a number of new keys.

You can now restrict things like Apple Music, iCloud Photo Library, and iTunes Radio.

You can also choose whether or not you want students to be monitored by teachers when using Classroom app.

You can disable modification of notification settings, which you may have set using the notifications payload, and you also have the ability to now show and hide specific apps.

Again, we saw David use this in his demo earlier.

I'd like to talk a little bit more in depth about the education payload.

It's extremely important that you adopt this because not only does it configure which students and classes you see in the log in screen of Shared iPad, but it's also how Classroom app determines how teacher and student devices should connect with each other.

In this payload you'll specify students, teachers, and classes, and even be able to specify photos for these students and teachers.

You'll do so by specifying URLs.

And it's important that these URLs are over HTTPS.

When you update these photos, you should also update the URLs.

Only one such payload can be installed per device, and it's important to note that student and teacher devices require different payloads.

So all these payloads that I've talked about can, of course, be applied at the device level so they apply to all of the users on a Shared iPad.

But there are five payloads that we support over the user channel per user.

These include all of the accounts payloads, including the new Google OAuth account, notifications, Home screen layout, the domains payload with the new support for Safari auto fill domains, as well as the restrictions payload with the ability to show and hide apps.

Next let's talk about iOS 9.3.2.

Here we updated the settings command to allow you to enable or disable app analytics, as well as set the lock screen grace period.

Of course, we also updated the DeviceInformation and SecurityInfo queries to return the correct state from the device.

One thing to note here is that the security info query will actually return pass code lock grace period and pass code lock grace period enforced.

The enforced value might be more restrictive than what you've set from your MDM server since it can't be made less restrictive while users are logged in.

Now, one of the great uses for iPads in a classroom is for standardized testing.

And we've had two great solutions for this in past releases: Single App mode and Autonomous Single App mode.

These continue to work the same as they have before on supervised devices.

However, now with a new entitlement that you can add to your app, you can use the same API and also disable five system features that make sense for your assessment app.

These include things like auto correct, Define, keyboard shortcuts, predictive keyboard, and spell check.

And for the first time the entitlement also grants you the ability to enable this mode on unmanaged, unsupervised devices.

Of course, we do have a safe escape on unmanaged unsupervised devices where you can simply reboot the device and exit this mode.

9.3.2 also added a new restrictions key to prevent users from disabling or enabling diagnostic submission, which you may have set via MDM.

Now let's talk about iOS X.

In iOS X we updated the contacts, exchange, Google, and the LDAP payloads to include a new key for communication service rules.

We saw earlier this week the new VoIP extension support in iOS X.

And what this key allows you to do is specify a default application to be used when making audio calls to contacts from these accounts.

The lock screen message payload has been updated with new key names as well.

Of course, it remains completely transparent for administrators creating such payloads, but we'd like MDM vendors to adopt these new key names as the old ones have been deprecated.

The VPN payload now has support for EAP-only authentication for IKEv2, as well as the ability to specify a timeout for IPSec.

PPTP has also been removed from iOS X and macOS Sierra, and existing payloads will not work.

The Wi-Fi payload saw some updates as well.

You can specify if you want to bypass captive network detection and Cisco fast lane quality of service marking.

And for those of you who know what it is, it's fantastic.

Finally, the restrictions payload now has a key to prevent users from toggling Bluetooth.

Now, this is extremely important in the Classroom case since Classroom relies on Bluetooth to connect its student and teacher devices.

So here are some restrictions that were introduced before supervision was created.

And we talked last year about how in a future iOS release we'd like to deprecate these and these would stop being enforced on unsupervised devices.

Now, that future iOS release is not iOS X, but we promise we are going to get rid of them very soon.

So please note that these will stop being enforced on unsupervised devices.

Next let's talk about macOS.

Earlier this year we introduced the ability to install software updates from major OS releases on Macs enrolled in the Device Enrollment Program.

This is going to be great come this fall when macOS Sierra is released where you'll be able to install it on all Macs enrolled in Device Enrollment Program in your education or Enterprise.

New in macOS Sierra we also introduced a new configuration profile payload to configure the IP firewall and added some new updates to the restrictions payload.

We brought some keys back to the Mac from iOS, such as Apple Music, iCloud Keychain and iCloud Photo Library, as well as added some that are specific to the Mac, such as Back to My Mac, Find My Mac, and sharing to Notes, Reminders, or LinkedIn.

It's been my pleasure to walk you through some of these great features we've added this year.

And with that, I'd like to turn it back to Todd.

Thank you.

[ Applause ]

Great job.

Thanks. All right.

Thank you very much, Shubham.

Let's turn to our final section today on tools.

And of course, the most exciting new tool this year is Classroom.

We talked a little bit about it earlier and it offers some amazing new features, that small, carefully curated set of features for teachers in the classroom.

But instead of hearing me talk about them, you can read the list on the slide.

I'd like to ask Shruti Gupta to come on up and give you a demo.

Shruti?

[ Applause ]

Thanks, Todd.

I am so excited to show you one of our coolest apps, Classroom.

What you see here is a teacher iPad that is running Classroom on it.

And there are a bunch of student iPads that are configured as Shared iPad.

And all my students are sitting right here in the front row.

When the class begins, the teacher assigns students to the iPads and then students log in with their pass code.

For this demo the students are already assigned and logged in since you've already seen the log in process during David's demo.

Now, let's assume that I'm the teacher of the class and today we'll be learning about healthy eating.

And for that I found a really great article that I want to share with all my students.

So I'm going to tap on Navigate, Safari, Favorites, and select the healthy eating article.

And it's navigating; it's opening the URL on all student devices.

Okay. Looks like one student is offline right now.

But if you look at the Classroom app, you can see that Classroom app created a dynamic group called Safari, indicating that all students are now using Safari, yeah?

And if you tap on the screens, we can see that article open up pretty much on all student iPads.

And I guess some are already trying to do something else.

Kids, pay attention to the class.

[ Laughter ]

So for the next activity let's say I want to divide the students into smaller groups.

So I'm going to tap on Class button to create a group, add a bunch of students by tapping on their names, and give the group a name, let's say Greens.

Now when I launch this particular group into activities specific for them, let's say I want Green's group to make a list of green vegetables.

I will open Notes app for them so they can start working on their activity.

Okay? And while students are working on their task, I want to see how they're doing.

So I'm going to go back to all student group and observe their screen.

And it seems that Edison is not paying attention in the class.

Let's take a closer look.

I'm going to tap on Edison, tap on View Screen, and clearly she is not working on her assignment.

So I'm going to go back.

Now I can either lock her screen by tapping on the Lock button to get her attention back in the class, or I can lock her iPad into Notes app by sliding the Lock button and tapping on the Notes so she remains focused on her task.

Once the class ends, I can bring an end to the class by logging out all the students' iPads by tapping on the Log Out button.

And all the students are now logging out.

Thank you.

Back to Todd.

Thank you very much, Shruti.

It was great of you to all cooperate in this amazing stress test of Classroom with the most iOS devices it's ever seen before.

Thank you very much.

So what did we see?

We saw Shruti use Classroom to open an app on all the student iPads, create and edit manual groups in addition to the dynamic groups that Classroom creates automatically, lock a student into an app to focus their attention, view the students' screens to monitor what they're working on and redirect as needed, including locking their device if they get off track.

So a few brief notes about some other tools that we make available to MDM vendors, some simulators for the Device Enrollment Program and Volume Purchase Program, which are a great way for them to test their implementation of the APIs for those services, especially handling service errors that may be very difficult or impossible to simulate any other way with the real production service.

The simulators have been updated to support all of the new features we've talked about.

And as always, they're available for download on the Developer portal.

And I strongly encourage you to download and make use of them.

That brings us to the end of our content.

Just a few summary slides to cover the key points for administrators.

If you're a school administrator, sign up for and use Apple School Manager to manage the people, devices, and content in your school.

Everyone can use the DEP program for wirelessly enrolling in their remote management system of choice, or you can also use Configurator to enroll in MDM or to combine the two using Configurator's automated enrollment feature that allows you to connect devices to Configurator and complete the setup assistant based on the DEP settings without having to touch each device.

If you're a school and doing shared deployment, use Shared iPad with Managed Apple ID on those devices and everyone can use VPP managed distribution to distribute apps to devices or users depending on whether you want to allow your users to use those apps on multiple devices.

For MDM developers, please add support for the new features, including the programmatic association of Managed Apple IDs for use with VPP, as well as all the new features that Shubham talked about that are new in iOS X and macOS Sierra.

Updated documentation was released yesterday.

And please, again, do test with the DEP and VPP simulators.

Last but not least, you app developers, we want you to get your apps education ready by storing your app's data and preferences in the Cloud.

And you can simulate testing on a Shared iPad by testing using your app moving between two iPads.

And the session immediately following lunch about best practices will go into much more detail about what you need to do and how you can test it.

Speaking of which, this is the session I was just referring to.

Again, right here in a couple hours.

There's some great resources we make available on our website both for education at Apple.com/education and for Enterprise at developer.Apple.com/Enterprise.

I encourage you to check it out.

And finally, there are some additional resources, direct links to documentation, and other resources at our WWDC 2016 session-specific URL for Session 303.

And with that, I will thank you for your attention and hope you have a great rest of WWDC.

Thank you very much.
