What's New in Device Configuration, Deployment, and Management

Session 304 WWDC 2017

Platform features and tools make it easy to configure, deploy and manage Apple devices in organizations of all sizes. Discover new and updated configuration capabilities for each platform, updated app deployment techniques and tool changes that make low-bandwidth updates more accessible. Learn how educational institutions can use the advancements in Apple School Manager and Classroom to make configuring student devices even easier.

[ Applause ]

Good afternoon.

Welcome to Session 304, What's New in Device Management.

I'm Todd Fernandez and I'm very pleased to be your host on this tour through new developments in how Apple devices can be managed in schools and businesses around the world.

I just love this photo.

As Tim said on Monday, iPad has changed the way we teach, learn and create, which is why we work so hard to make it easy to bring Apple devices into schools, so that students like these girls can do amazing things with their iPads, or Macs as the case may be, and get excited about learning and creating.

We also want to unlock new solutions in enterprise to help employees be more productive and enable businesses to create new ways of serving their customers by providing experiences in their hotels, restaurants and hospitals that were not previously possible.

Last year, we introduced three huge new device management features to support iPad deployments in schools.

Classroom, an assistant which helps teachers focus on teaching rather than managing student devices.

Shared iPad, a great way to provide a personalized experience on an iPad shared by many students each day in the classroom.

And last but not least, Apple School Manager, one place for school IT administrators to create and manage all of their schools' accounts, devices and content.

Just like 2016, 2017 has already been another big year for device management, as our releases earlier this spring continued to address the most important needs in education and enterprise.

Introducing many more capabilities to management via MDM and configuration profiles.

Connecting Apple TV fully into device management and, conversely, removing the management requirement for Classroom by empowering teachers to create their own classes, bringing Classroom to a much wider audience, including schools with bring-your-own-device programs around the world (good day, Australia), which can now take advantage of Classroom.

But of course, we didn't stop there.

Today we'll announce a number of additional capabilities in each of these areas to enable people to make use of Apple devices in new and exciting ways.

I don't want to spoil the surprises so we'll cover each as it comes up during today's session.

As has become tradition, today's session will follow the deployment lifecycle, beginning with enrollment, getting your devices ready to be managed.

Continuing with distribution, loading those devices with compelling apps and content.

Management, performing the ongoing day-to-day management of all of your devices.

And finally, I'll give a brief update on Apple's tools for both administrators and our MDM solution partners which take advantage of all of these new features.

In a break from tradition, I will mostly serve as an emcee this year and leave the presentation to the engineers who have designed, built and tested all of the new capabilities we will cover today.

We have so much to share that I've brought along a supporting cast larger than Game of Thrones', well, okay, seven engineers, to help me get through it all.

But I promise that we will conclude in less time than it takes the Oscars.

So, without further ado, I'd like to ask Bob Whiteman to come on stage and get us started by telling you all about how we've improved enrollment this year.

Bob.

[ Applause ]

Game of Thrones, will we make it through the season, who knows.

I'm Bob Whiteman, one of the Apple engineers responsible for the new device management features you'll see today.

In this section, you'll find out about major additions to Apple TV management, new features of the Device Enrollment Program, security enhancements of the MDM protocol, best practices for MDM administrators and MDM server developers, and a major update to Apple School Manager.

First off, Apple TV.

I'm happy to say that Apple TV can now participate in the Device Enrollment Program.

[ Applause ]

Apple TV devices have all the same features as iOS devices: zero-touch configuration, streamlined setup, and wireless supervision.

You plug in power and ethernet, and the device is automatically configured; you don't even need the remote.

There's also a change to the supervision of Apple TVs: previously all Apple TVs were treated as supervised; now they are unsupervised by default.

If you don't want the elevated privileges of supervision you don't need to claim them.

We've expanded the Device Enrollment Program with a new way to introduce devices into the program.

Previously, DEP only supported devices that were purchased from a supported sales channel.

Now you can also enroll your own devices in DEP regardless of how you purchased them.

This will particularly help schools that received donated devices.

[ Applause ]

Now this new enrollment method differs in two ways.

The first is that the device is always supervised and MDM management is always mandatory.

The second is a 30-day provisional period. When you add a device to DEP, it erases the device.

Then the provisional period starts when the device is subsequently activated.

During the provisional period the lock screen and Setup Assistant indicate that the device is provisionally enrolled, and the user can remove the device from DEP in Setup Assistant or Settings, which also erases the device.

But after the 30 days expire, the user can no longer do so.

Both during and after the provisional period all DEP features are available, including streamlined setup and mandatory MDM enrollment.

Now let's switch over to the other DEP enrollment method.

When you add a device to DEP while purchasing the device from an approved sales channel, the device does not need to be supervised and MDM management can be optional, which lets the user opt out of MDM management.

But only a vanishingly small number of devices are in this state and it was always kind of an odd fit for DEP so we're deprecating these.

In the future, all DEP enrolled devices will need to be supervised and MDM enrollment will be mandatory.

And here's a little housekeeping: with each new release of iOS there are new panes in the Setup Assistant.

DEP configuration allows you to skip these panes, so these are the new skip keys.

I won't go over each one of these, but let me mention that the keyboard user's pane only appears on devices in non-US English regions, such as China and Japan.

Moving on to some security enhancements.

In iOS 10.3 we introduced partial trust for manually installed certificates and certificate profiles.

When a certificate has partial trust, it is trusted for all purposes except SSL.

When a certificate is installed noninteractively via MDM or Configurator, the certificate is given full trust, but if it's installed manually the certificate gets partial trust at first.

The user can go to Settings, About, Certificate Trust Settings and enable Full Trust, which gives an appropriate additional warning.

Now this is a speed bump that gets users to reconsider whether they should trust whatever certificate they have just been asked to trust.

Often MDM enrollments require trusting the MDM server certificate.

To avoid complicating MDM onboarding, we put a small gap in the speed bump.

If the certificate is manually installed by a profile that also contains an MDM payload, that certificate is given full trust.

So, if your MDM deployment requires trust, make sure you're distributing the certificate in the same profile as the MDM enrollment payload, to make sure that you're driving your users through that gap in the speed bump.

In 2018, MDM will require your server to support App Transport Security or ATS.

This is a set of security requirements for secure communication introduced previously.

ATS requires specific protocol details and cryptographic algorithms to harden secure communications.

For now, MDM is exempted from ATS, but this exemption will be ending in 2018.

If your MDM server does not currently meet ATS requirements, in the future the MDM client will refuse to communicate with it.

But regardless of that, the time to update your MDM server is now.

After all, these changes are a good idea for security, whether or not the device requires them.

MDM enrollment involves a SCEP server to generate the device identity.

This involves negotiating the cryptographic algorithms used for encryption and hashing.

We've dropped support for the outdated DES algorithm.

And make sure your SCEP server advertises its capabilities properly in the CA Caps field.

A couple of MDM servers out there didn't, and that forced the MDM client to fall back to the lowest-quality algorithm, triple DES, even though the SCEP servers in question supported better algorithms.

And on that note, add support for the best algorithms which are currently AES for bulk encryption and SHA-512 for hashing.

On the macOS side, we've hardened the server certificate evaluation for MDM communication in High Sierra.

This involves three new keys in the MDM enrollment payload.

The first two keys specify whitelists of certificates to use when evaluating server trust.

One set for the server URL and the other for the checking URL.

The third key specifies hard or soft revocation checking on those pinned certificates.

Hard revocation checking means that the trust evaluation fails if the device cannot get a positive response from the revocation server for any reason.

Now these are generally good security features for securing communications, but if you're only administering Macs this can be particularly useful: it can save you the cost and effort of getting a certificate from a public CA.

Just remember to be particularly careful when rolling out these features, especially pinning the server URL certificate.

A misconfiguration could cut off your Macs from communicating with your MDM server which makes it very difficult to correct the misconfiguration.

I'd like to share some best practices for administrators.

For those administering Shared iPad, please enable diagnostic submission using the diagnostic submission command.

This lets us collect the raw data that we need in order to help us improve the product for everyone.

Also for Shared iPad there's an interaction between the user quota setting and the APFS file system.

A user quota controls two different things.

It sets a maximum number of users that can have data stored on the device and it ensures that individual users aren't consuming too much file system space which would crowd out other users.

If you already have Shared iPad devices with a user quota, that second control of storage space was effectively disabled by the APFS upgrade introduced in iOS 10.3.

There's a one-time administration task to restore the storage quota.

Upgrade to the latest iOS and wipe all of the existing user accounts on the iPad.

You can either erase the iPad and set it up again or use the delete user command.

And don't forget to shut down the iPad after you're done so that it's ready to go when the users first get it.

If you're using startup profiles on macOS, you've been putting the profiles in a special location in the file system; this is now deprecated.

Instead, there's a new option to the profiles command line tool that lets you specify startup profiles; the details are in the man page for the profiles command.

And now some best practices for those of you that are implementing MDM servers.

I just mentioned how useful the diagnostic submission command is, so please make sure that your server supports it.

In 2018, APNs tokens will likely increase in size; verify that your server can handle APNs tokens up to 100 bytes in size.

Don't just hardcode the size of APNs tokens that you've been receiving from devices.

When the MDM server generates its enrollment profile, limit it to just the MDM payload and the payloads necessary to ensure that the enrollment succeeds, such as a Wi-Fi payload or certificate payload.

Don't use this profile to configure other things like restrictions or accounts; instead, push those payloads after the enrollment completes.

And last, I'd like to challenge MDM solution providers to make the life of an administrator easier.

Device management provides a large number of individual controls and we're adding more with each new release.

This makes device management powerful, but complex.

Administrators may not know all of the details of how these controls interact and that raises the risk of a misconfiguration.

For instance, an administrator may restrict the App Store to prevent unauthorized apps, but not realize that they should also restrict pairings so that apps can't be installed with Configurator or iTunes.

So, do what you can in both documentation and software to meet administrators' needs, not just allow them to set settings.

If you're troubleshooting device management problems I have some tips for that.

Your best source of information is the system logs.

You can view them with the macOS apps Console or Apple Configurator 2.

On iOS, filter the logs by process name to home in on the most useful messages.

profiled is responsible for installation and removal of profiles and restrictions and other things.

mdmd is responsible for communicating with the MDM server and tracking management of apps, systems and accounts.

If you have a device that's not communicating with the MDM server, you want to examine mdmd.

dmd relays management commands to other parts of the operating system.

And appstored installs and removes apps, and if those apps come from iTunes, itunesstored is involved as well.

So, when you're looking through the logs, your best bet is to look for log messages of error type first, and if nothing jumps out at you, look at the warning level as well.

On macOS, don't filter the logs by process; instead, filter the logs by setting the subsystem to com.apple.ManagedClient, which covers all appropriate processes.

But for both operating systems you may want to install a debug logging profile to get more detailed information.

Just remember the caveats involved when using debug logging.

For instance, don't habitually push the logging profiles to all the devices in your population.

If you have any troubleshooting questions make sure to come to the lab sessions.

And now I'm going to turn it over to my colleagues, Can Aran and Juan [inaudible] to demo some of these.

Can.

[ Applause ]

Hello, I'm Can Aran, iOS engineer in the device management team and I must say I'm very excited to be here.

I will be using Configurator, Apple Configurator 2 to enroll this device and let's get started with that.

I'll choose the device, right-click on it and hit Prepare.

In the new version of Configurator, we have this option to add the device to Device Enrollment Program, so we'll check that and hit Next.

Just a quick note: I had already logged in to my DEP organization; Configurator prompted me for that and saved my credentials.

Here we can specify our MDM server, we can enter our organization information, and we can skip these steps in Setup Assistant and we will need to provide a Wi-Fi profile for the device to be able to communicate with the server.

And we may enter our credentials for the MDM server, but we do not need to for now.

So, once I hit Prepare here, the device will get added to DEP and after that it will erase itself, which will take some time to land on Setup Assistant.

So, for the sake of our time we'll use another device to go through Setup Assistant.

This device is already added to DEP beforehand.

So, let's hit Prepare and switch to the other device.

All right.

So, we have a new pane for Device Enrollment now, it's called Remote Management; we can see the details about what Remote Management does here and also we can remove the device from DEP by just clicking on the Leave Remote Management button.

This button will appear in the first 30 days of enrollments as my colleague Bob said.

Once we hit that it will remove the device from DEP.

Also, this button is there because we would like to protect our users, we don't want our users' devices to get added to DEP without their consent or accidentally.

So, let's apply the configuration by hitting Next and let's enter our secret credentials for the MDM server.

And let's read the terms and conditions as I know every one of you do.

And that's it, the device has the configuration that has been specified by the MDM server and it's been added to DEP just as if it was purchased from a supported sales channel.

So regardless of how the device is purchased it can be added to DEP now.

Now that I have enrolled my device, I would like to invite my colleague Juan [inaudible] to the stage to show you how this connects to the Apple School Manager world.

Thank you.

[ Applause ]

Thank you Can.

Hi, my name is Juan [inaudible] and I'm the UI Manager for Apple School.

And today I'm really proud to show you the latest version that came out of preview on May 17.

But for those that are not familiar with Apple School what is Apple School?

Apple School is your one destination for your institution to manage your devices, accounts, and content.

So, these are some of the new features that came out in the latest release.

We have a new streamlined user interface, the ability to create up to five administrators and support for PowerSchool.

But nothing better than a demo to show you our new streamlined user interface.

Today I'm going to be an administrator at my organization and I'm going to start talking to you guys about managing devices.

Can just enrolled two devices in the DEP program and you can see the two devices up here under devices added by Apple Configurator 2.

And we just realized that I should have assigned one of those devices to this MDM server in a different location.

So, let's do that.

I'm going to search for my device, here is the last iPad that he added to the DEP program.

And I'm just going to switch it to Abraham Lincoln Elementary, click Done, and now I'm ready to wipe that device, and the next time it boots up it's ready to start being managed by its new MDM server.

Now let's talk about managing your accounts.

So, imagine the following scenario: it's the beginning of the school year at Abraham Lincoln Elementary and we have a new group of students, of first-graders.

So, we need to create new credentials for these students.

So, let's do that.

I'm going to navigate to locations, here's my elementary school, now I want to see the accounts related to this school.

Notice that my filtering UI is now visible.

Now I just need to add a couple filters, I want my students and my first-graders.

As you can tell, as I've been changing the filters the search results have changed, and there's this first row that allows me to select all the students in this filter.

On your right, you can see several different bulk actions that I can execute as an administrator.

Now let's create a sign-in sheet for these students.

You might be wondering why a sign-in sheet, well it turns out that most first-graders don't have a phone number or an e-mail address so we need this alternative method to distribute the credentials.

So, let's do that.

All right, I select Create, which creates a downloadable PDF and CSV, and this starts a process that we call an Activity.

An Activity is a way to track background processes or long-running jobs.

Now I just jump to the Activity path and you can see here the creation of the sign-in sheet.

As you can tell, I've been very busy today; it's the first day of school, so I had to delete some accounts, create sign-in sheets for other students, change the password policy of some accounts, add new roles, and also I had some problems with some of the operations.

This also allows us to be able to notice any problems that we have in our process of administering.

Creating our new sign-in sheets is almost over.

So, I'm just going to wait for a second.

Now I'm ready to download that sign-in sheet.

So, I wanted it in an 8-up PDF format because I want to save some paper.

I download it and here is the sign-in sheet for my new students.

So that was easy.

Now let's talk about managing your content.

Currently, I can navigate to Apps and Books and here I'm presented with a link that will take me to the Volume Purchase Program.

In the Volume Purchase Program website, you will be able to purchase applications and iBooks in bulk.

I'm really happy to announce today that we are working on integrating the Volume Purchase Program into Apple School and it's coming before the end of the year.

Now let's look what it looks like.

Here's a screenshot that is showing you the inventory of applications of all devices that you have purchased for the Apple School district.

You see the ones that are available, and the ones that are in use.

And then in this next screen you are seeing that I'm trying to purchase an iBook, 50 licenses of it and assigning them to Covington Charter School.

Now let's have Todd talk to you more about the details of this new distribution model.

[ Applause ]

Thank you very much Juan.

As some of you may have noticed, we've now concluded the enrollment section and moved into distribution, now that we're talking about volume purchase.

However, I wanted to reiterate that the new Leave Remote Management button at the bottom of the new Remote Management pane in Setup Assistant only appears during that 30-day provisional period after adding devices to the Device Enrollment Program using the new feature that Can demoed.

For devices that have been added by purchasing directly from Apple or through a reseller which supports the Device Enrollment Program, there's no change and that button will not appear.

So, we have a short agenda for distribution, but it's a really big topic up front: Volume Purchase Program fully integrated into Apple School Manager.

And I will go into a bit more detail and cover a few additional features and a brief update about changes to installing apps and managing them on tvOS.

So, Juan has already shown you the beautiful new updated UI in Apple School Manager which went live last month, as well as a sneak peek into how Volume Purchase Program will look once it's integrated into it.

We are also making it much easier to manage multiple locations, tokens, and licenses within an organization, including supporting transferring licenses between locations so that your content managers no longer will need to share credentials.

All of this will be available very soon as Juan mentioned, but there is a bit of work for MDM vendors to do to support license transfer in particular, which again I'll cover today.

So, for a long time we've heard some customer feedback around the difficulty in managing multiple VPP accounts so we wanted to make it much easier for schools to organize their purchases and manage them in an intuitive way that matches their organizational structure.

So, with these updates purchases are now associated with a location rather than the personal inventory of individual content managers.

Multiple content managers can purchase apps and books for a single location and all licenses for that location will be managed with a single token.

So, there's no longer a need for a token per content manager.

Each content manager through that token can then manage all licenses that are associated with that location, meaning that if a content manager leaves any other content manager can continue to manage all of those licenses.

Just to illustrate this with a simple animation.

Now I have two different content managers each of them buying some apps and buying some books.

There's a token that either one of those managers can download from the Volume Purchase Program and upload to their MDM server to allow it to manage those licenses and assign them to users and devices.

Another bit of feedback we've gotten is the request to be able to transfer licenses that were purchased in one area to a different area.

And so, we have now added support for transferring licenses between locations which are now tracked with a single token.

Apple School Manager of course will show the accurate number of available licenses at each location as these transfers take place.

Any licenses which are currently available and not assigned can be transferred at any time.

But if there are licenses that are already assigned to a user or device, those can't be transferred because, of course, those users and devices are associated with that location as well and it would disrupt your deployment.

So, if you do want to actually transfer those licenses, you can revoke their current assignment, making them available for transfer.

In a simple animation, we've got two locations, each represented with its token to manage their apps and books, and we can transfer apps from one location to the other.

And each location continues to manage those licenses, so if location one is at one MDM server and location two at another MDM server, they can continue to manage the appropriate app and book licenses.

Another sneak peek, this is what it will look like once it's integrated in Apple School Manager showing you for each app that you've purchased the licenses for each location and making it very easy to then select the location and transfer some of those licenses to another.

So, now I'd like to highlight what we need our MDM partners to do to support license transfer and these new features.

So, the first is, now that a location and token have a one-to-one relationship, as tokens expire or otherwise become invalid it's going to be important to make it easy for admins to identify which token needs renewal by making clear which location this token is for.

And our API calls that you're already using to get information about the Volume Purchase Program have now been enhanced to provide that information to you so that you can update your UI appropriately.

Now that multiple content managers can download the same token for a location you need to also be prepared for a content manager to inadvertently upload a duplicate token and handle that appropriately so that you don't duplicate the license count.

Similarly, now licenses can be transferred outside of your MDM server's knowledge in Apple School Manager.

So, you need to be prepared to refresh your license counts when you update your UI.

Finally, when is this all coming?

We're working hard on preparing the documentation update, as well as testing support which will be available soon and releasing later this summer so that you can help us and our joint customers in schools be ready for back-to-school deployment.

That concludes our section on Volume Purchase Program and now I'd like to do a couple of updates on tvOS.

It's now possible to install enterprise apps on tvOS, as well as manage them using Managed App Configuration.

A great feature that we've had in iOS for a number of years is now available in tvOS as well to configure your apps after you deploy them.

And that brings us to the end of our distribution section, so I'd like to ask Pradhap to come up on stage and take you through the management section.

Pradhap.

[ Applause ]

Thank you Todd.

Hello everyone, good afternoon.

I'm very excited to be here to walk you through all the great management features that we added since we met last year.

First, let's get started with iOS.

Preparing a large number of iOS devices, especially with a lot of apps and books using a Wi-Fi network has always been a challenge.

It makes a Wi-Fi network unusable, and more often than not, administrators had to set up a dedicated Wi-Fi network just for preparing devices.

To solve this, we added a new option to all the MDM commands using which the administrator can specify that the device has to be connected to a wired network, like Internet Sharing over USB or an ethernet connection, to perform a command.

This, combined with content caching on macOS, is going to significantly improve the setup experience for iOS devices.

MDM already has the ability to install software updates on DEP devices without a passcode.

We improved that and added support for passcode-locked devices and supervised non-DEP devices as well.

We realize that in most cases when a device with an app or [inaudible] is erased the data plan shouldn't be erased as well, so we added an option to the erase device command to specify the data plan preference.

Before I move on I would like to point out that the features that are marked with the new badge are new in the upcoming iOS releases that we announced in [inaudible] this week and all the other features [inaudible] earlier this year.

And also, if you see a new badge on the upper right corner of the slide everything on that slide is new.

Next, let's talk about Lost and Found.

All the users love our devices, but sometimes they go missing.

MDM already supports putting a device in lost mode and also querying the location of the device when the device is in lost mode.

We also added support to play a sound when the device is in lost mode.

And we updated the device location query to include all the location attributes that you would expect from a location API.

Like devices, apps go missing as well, so we added a new restriction to prevent users from deleting system apps accidentally on their device.

This is especially great for shared-use devices where the App Store may be disabled.

We continuously add new features to help enterprises keep their data safe.

Starting with iOS 10.3 administrators can restrict the list of Wi-Fi networks that the device can join to just the Wi-Fi networks that are configured by MDM or our configuration profiles.

Thank you.

And starting with iOS 11 the Wi-Fi restriction exempts carrier profiles.

We recommend that you push the Wi-Fi restriction together with or after the Wi-Fi payload; otherwise you run the risk of devices losing connectivity to the MDM server.

We also added a new restriction to disable users from creating their own VPN configurations.

MDM already supports configuring signing and encryption identities for Exchange and Mail, but there was only one global switch to turn both signing and encryption on or off.

We improved that and added a new key so that you can control signing and encryption independently.

We added three new restrictions to Classroom to make the experience of unmanaged classes on supervised devices on par with managed classes.

The first two new restrictions enable an instructor to observe a student's screen and perform an app or a device lock without prompting the students, just like managed classes.

And the last one causes the students to automatically join classes without prompting them every time.

With iOS 11 we made a lot of improvements to the AirPrint payload.

The AirPrint payload now supports configuring a custom port and also specifying whether TLS is required on a per-app and per-destination basis.

In addition to the improvements to the payload we also added four new restrictions to configure global AirPrint options.

The first restriction can be used to disable iBeacon discovery of AirPrint printers.

And the second one can be used to disable storage of AirPrint credentials in Keychain.

You can also require TLS for all AirPrint connections on a device.

And finally, you can disable AirPrint completely on a device if you have to do so.

As you may have heard earlier this week, iOS 11 supports a new extension using which apps can provide a DNS proxy and we added a payload just to configure that.

The new DNS proxy extension payload can be used to configure the bundle ID of the extension that should be used as DNS proxy and also provide any custom configuration that the extension might need.

The cellular payload now supports configuring Internet protocol versions for cellular connections.

Like iOS we also added a lot of new features to macOS to improve the setup experience.

The new system migration payload can be used to configure custom migration paths for migration from Windows to Mac.

We also added a new payload to configure smart card options on Mac.

This payload can be used to restrict one smart card per user, require trusted connections for smart cards, and also disable smart card usage on Mac.

We improved the 802.1X payload, adding the ability to provide a default configuration for ports that don't have an explicit configuration.

Starting with macOS High Sierra administrators now have the ability to delay the software updates on a Mac for up to a maximum of 90 days.

This is great for testing your software on the latest updates before users get their hands on them.

We also updated the software update query to include a date until which a specific update will be deferred.

Firmware passwords on macOS are equivalent to Activation Lock on iOS.

Starting with macOS High Sierra, firmware passwords can be completely managed using an MDM server.

Using the new commands the administrator can set a firmware password, query the status of the password change, and also verify that the password on the device is correct once the password change is in effect.

Thank you.

I would like to note that a reboot is required for the password change to take effect.

We also brought over the user management commands from iOS to macOS.

macOS now supports querying the list of local user accounts on the Mac and deleting user accounts.

macOS also supports unlocking a locked-up user account on Mac.

Extensions are a great way to add a lot of useful features on Mac, but we also realize that there is a need to manage this in an enterprise environment.

So, the new extensions management payload can be used to configure a whitelist and blacklist of extensions that are allowed to run on a Mac.

The payload also has the flexibility to configure blacklist and whitelist on a per extension bind basis.

It can go even further and disable specific extension points or disable all extensions on Mac if you have to do so.

Once the extensions are set up as they need to be the new active extensions query can be used to query the list of extensions that are in use on a per user basis.

macOS already supports escrowing encrypted personal recovery keys to a custom server, and starting with macOS High Sierra we folded that into MDM.

The new escrow payload can be used to configure the private key using which personal recovery should be encrypted.

And we also updated the security information query to retrieve the personal recovery key using an MDM server.

We also added a new restriction to disable iCloud desktop and documents.

We aggressively added a lot of features to tvOS this last year.

We set ourselves a goal to provide a great set of experiences for Apple TVs without ever touching your remote.

It is now possible to erase an Apple TV using Apple Configurator or MDM and enroll the Apple TV using DEP and Auto Advance like Bob talked about earlier, specify the name of the Apple TV, prevent the users from changing the name on the TV, configure allowed content restrictions, such as media ratings, specify the list of apps that are available on the TV, and also configure how the apps are laid out on the Home screen including folders.

Isn't that great?

Thank you.

Apple TVs are great for conference rooms and classrooms.

So, we built a new management feature to put Apple TV into a mode that we call Conference Room Display mode.

When in this mode Apple TV can be configured to display a custom message onscreen and the only thing the users can do is to [inaudible] the TV to share their displays.

We also added a new AirPlay Security payload using which administrators can configure the type of the security requirement for AirPlay.

This can be one of three options: a one-time passcode, a passcode every time, or even a custom password which can be configured using the payload.

We believe this combined with AirPlay payload on iOS and macOS gives the administrators the ability to configure AirPlay with the greatest security possible and ease-of-use.

Apple TVs are also great for kiosks and dashboards, so we brought over the single app mode from iOS to tvOS and, as you would expect, this payload can be used to lock a TV to a single app.

To go along with this, we also added two new restrictions, one to disable users from pairing the remote app on their iOS devices with a TV and the next one to disable AirPlay on a TV.

Next, let's talk about some of the features that are shared across all the platforms.

VPN IKEv2 and Wi-Fi payloads now support configuring minimum and maximum TLS versions.

The installed application list is now consistent on all three platforms and accurately reports whether an app is being installed or updated.

We now support Restart on iOS, tvOS and macOS and Shut down on iOS and macOS.

We already have great support for test taking apps with automatic assessment configuration.

I'm happy to announce the automatic assessment configuration now includes five new restrictions without you having to make any changes.

Activity continuation, universal clipboard, dictation and, in the upcoming release, smart punctuation and Classroom screen observation.

These are the set of restrictions that existed even before supervision was a thing.

And Todd has been warning you for the past two years that these are going to become supervised only and I get to tell you when.

Starting in 2018 these restrictions will become supervised only.

With that, please welcome my colleagues, Graham and John on stage to demo some of the features that I've been talking about.

Thank you.

[ Applause ]

Thank you very much Pradhap.

I'm really excited to be here today to show you guys the latest management features for Apple TV.

In tvOS 10.2, we added a ton of great new features for managing Apple TVs and today with tvOS 11 we're expanding on that feature set.

While our Apple TV is booting, let's set the scene.

It's summer vacation and you've just received your order of Apple TVs and it's time to get them configured for the upcoming school year.

I've already set up a default MDM server in Apple School Manager so my devices have already appeared in my MDM server.

I've also gone ahead and configured the enrollment options that I'll want for today's demo, including the auto advance key and nonremovable MDM.

I've also added the device to a group that contains some of the settings that we're going to use today as well.

Those include a Home screen layout payload, we've hidden some of the default system applications and installed some enterprise apps.

So, it looks like we're still booting up here so let's talk about what's going on behind the scenes.

Once the device reaches the setup screen it will begin its activation process if it's connected to ethernet.

The device will check in with the activation server and if it's enrolled in the Device Enrollment Program it will download the cloud configuration file and look for that auto advance key.

If the auto advance key is found the device will begin its setup process and enroll in MDM.

So, it looks like we've just got another couple of seconds here before this reaches the screen.

So, I hope everyone's having a fantastic conference so far, woohoo.

So, we can see that our Home screen layout payload has been applied: some of our default apps are in a folder, most of the default system applications have been hidden, and we've got some enterprise apps that have been installed.

So, now that we're ready to go let's take a look at the new single app mode payload.

We'll go ahead and launch one of our enterprise apps in the single app mode.

For today's demo, we've got a foreign currency exchange app that shows us the exchange rate for the US dollar in various currencies around the world.

It looks like the Canadian dollar is doing pretty great today.

Yeah, Canada.

All right, but now let's say that we're managing Apple TVs in different countries around the world, they'll likely want to see that exchange rate in their local currency.

So, let's go ahead and install a managed app configuration and see what happens.

Now you'll notice that we're in Canadian dollars for our base currency, pretty cool, eh?

[ Applause ]

All right, next let's take a look at the conference room display mode payload.

So, perhaps this Apple TV is being used in a conference room where we're doing presentations on a regular basis.

We can now remotely place the Apple TV in conference room display mode and as you can see, we can add a custom message for our users.

Hello WWDC 2017, wooo.

You'll notice that the conference room display mode has integrated seamlessly with single app mode payload, meaning that we can [inaudible] a room at any given time with either payload.

Finally, let's take a look at the AirPlay security payload that we added in tvOS 11.

We've got an iPad here running iOS, so we're going to go ahead and start an AirPlay session with this Apple TV.

You'll notice that we are prompted for the password that we defined in the AirPlay security payload.

While this is fantastic from a security perspective it's not as easy as we'd like for our users.

So now we've got a second iPad here that's got the AirPlay security or the AirPlay payload installed on it so let's see how much easier we can make this for our users.

So, now when we start our AirPlay session you'll notice that this is the only Apple TV that we can AirPlay to and we weren't prompted for the password.

This makes for a seamless experience for our users, it is also very secure for our institution.

And with that, I'd like to thank you very much for your time today and I'll turn the stage back over to Todd.

Thanks Todd.

Thank you very much Graham and Todd.

So, one reason we're so excited about all these new features is what some of you have already done with them and we want to just make it even easier for you to do those things better and we can't wait to see what you can come up with next.

I want to highlight one example that UC San Diego did at their new Jacobs Medical Center where they provide each patient when they enter the hospital with an iPad in their hospital room that they can use to monitor their care, as well as manage the entertainment options in the room on Apple TV.

Now with that last feature that Graham just showed they can securely connect pairs of patient iPad and Apple TV so the patient can't inadvertently interfere with the patient in the next room.

We're so excited about deployments like these that can really improve people's lives by giving them more control over their experience in a hospital and we can't wait to see what else you can do with them.

So that concludes our management section.

So, let's turn to a quick update on Apple's device management tools.

Of course, Apple Configurator and Profile Manager, which we've updated in seeds this week, support all these new features.

And I'm going to talk in a bit more detail about Classroom and content caching in a moment.

But I also wanted to mention that we have created a new roster simulator as a complement to our existing DEP and VPP simulators that help MDM vendors test their implementation of our APIs for our deployment services.

The roster simulator will allow you to do that for Apple School Manager's APIs for obtaining accounts and class information.

So, we will be posting those very soon, we encourage you to download the roster simulator and the updated versions of the DEP and VPP simulators to make sure that your MDM solutions integrate really well with our deployment services.

So, this spring we shipped Classroom 2, which had a really critical new feature to make the audience much wider by allowing teachers to create their own classes.

We also now allow teachers and students to share documents and URLs with each other.

And of particular importance, when the teacher needs a bit of peace and quiet, the teacher can now mute the student devices.

Earlier this week we released, or rather seeded, Classroom 2.1 which, as Pradhap mentioned already, introduces a handful of new restrictions for supervised devices that allow schools which want to use teacher created classes on their supervised student iPads to achieve most of the behavior of managed classes.

And we've also added a new student activity view that appears at the end of each class session and it looks like this.

So, the teacher can get a quick overview of which apps her students used most often.

Can easily see which app each student used and when.

Can look at any documents or URLs the students shared during the class session.

And also drill into each student to see which apps that student used and when.

So that's Classroom 2.1, try it out.

Next, content caching.

Now the caching server has been an important feature for schools and businesses to optimize their download bandwidth usage and it's been part of macOS Server for years, so why do I have a new badge up there?

Well that's because it's now built right into macOS High Sierra making it much easier for it to be used even more commonly in schools and businesses.

We also now have UI for the caching server and the new tethered caching service that we soft launched earlier this spring in macOS 10.12.4 so that it would be available in time for summer's preparations for the next school year.

But instead of talking about it more I would love to have Nolan Astron [phonetic] to come up and demo it to you.

Nolan.

[ Applause ]

I'm Nolan Astron, I'm a software engineer at Apple and today I'm going to demo for you tethered caching.

Tethered caching has three main pieces to it.

It provides a wired Internet connection to all the USB connected iOS devices, it instantiates the content caching service on the Mac, and it funnels all the network traffic of those tethered devices through the content caching service when downloading cacheable Apple content.

To enable this feature, you're going to want to pop into the Sharing pane of System Preferences and you're going to want to have the Share Internet Connection checkbox checked and the Content Caching checkbox checked, just like I do here.

[ Applause ]

Those iOS devices can be plugged in at any time, but this feature really shines when those iOS devices are enrolled in MDM.

When an MDM enrolled iOS device becomes tethered it automatically checks in with its MDM server and sees if it has any commands to process.

If a particular command requires the network it's going to use its USB interface instead of its Wi-Fi interface when leveraging the network.

This feature is extremely useful when provisioning a large number of iOS devices with overlapping cacheable Apple content.

All right, so in front of me I have four iPads hooked up to a tethered caching station.

Eventually I'm going to download the same app to each one of the devices.

But while I do the download I'm going to show you a little tool that I built that's going to monitor the network activity of the Mac's Wi-Fi interface and of the Mac's USB network interfaces.

On the left-hand side, you'll see a meter for Wi-Fi and on the right-hand side, you will see a meter for USB network activity.

So right now, I'm going to download the app to the first device.

You'll see that both the Wi-Fi and USB network activity are required to process that download command.

The Mac needs to download the asset from the Internet and it needs to push it to the device over USB.

All right, cool.

Well now that the app is cached I'm going to download the same app to the remaining three devices.

Awesome. You'll see that for all the remaining downloads of that same app there's no network activity on the Wi-Fi interface required.

The Mac already has a cached copy of it and all it needs to do is push that cached version to the devices over USB.

And just to be clear, it's not required that one iPad download the app before any other ones; that was done strictly for demo purposes.

So why are you going to like this feature?

Well we think you're going to like the tethered part of tethered caching because it's going to move the network bandwidth required for provisioning a large number of devices off your Wi-Fi network leaving it usable for the rest of the connected clients.

And we think you're going to like the caching part of tethered caching as it will significantly reduce the amount of bandwidth necessary to provision your iOS devices.

Thank you for watching and I'm going to hand the stage back to Todd.

[ Applause ]

Thank you very much Nolan.

I do want to apologize that we forgot to install the Siri profanity filter restriction on this session, but we'll take care of that.

So that brings us to the end of our tools update and I just want to quickly sum up as we wrap up our time together with a couple of notes for app developers.

Now that we support managed app configuration for tvOS apps too, please make sure your apps are supported.

For those of you who would like to sell a lot of copies of your apps into education, make sure that they're good customers for Shared iPad by storing all the data that you want to persist in the cloud, whether it's iCloud or your own third-party cloud solution, and don't rely on backup or local data, which won't survive logging into a different device.

Once you've done this work you can also take advantage of the option in iTunes Connect to mark your app as optimized for Shared iPad, again making it more interesting to education customers who might want to buy hundreds or thousands of copies of it.

Finally, if your app has a strong dependency on network traffic and latency, take advantage of some of the Cisco Fastlane options to optimize that traffic and there's a lab tomorrow that I will highlight in a moment where you can get help with that.

For MDM vendors, of course we want you to support all these new features and we'll be in the lab after this to help you with any questions you have.

I would also like to encourage you to adopt all the security enhancements that Bob talked about during the enrollment section.

For administrators, take advantage of all these great new capabilities to build compelling new deployments that link iPads and Macs and Apple TV just like UCSD has and come up with some amazing things that no one else has thought of.

And finally, be ready, yes Pradhap stole my thunder, but next you need to be ready for those restrictions to be supervised only and honored only on supervised devices.

So, we have a lot more information, documentation, help guides for the tools, all kinds of information at the session link, session 304.

We have a couple of sessions still happening this week that you might be interested in.

There's a What's New with Screen Recording session tomorrow morning; if you're building tools for remotely assisting customers, there's some very interesting technology in the new version of ReplayKit.

And we talked a little bit about kiosk and assessment apps, but there's a whole session about that tomorrow afternoon if you're interested in that, I encourage you to check that out.

And with that, I will thank you very much for your attention and hope you enjoy the rest of the WWDC.

Thank you very much.
