What’s New in Managing Apple Devices 

Session 302 WWDC 2018

Learn about new management capabilities for iOS, macOS, and tvOS, tool evolution over the past year, and important changes coming this fall. You’ll discover how new MDM features help administrators manage devices more effectively, how educators can enhance the classroom learning environment, and how app developers can make their app a better fit for education and enterprise customers.

[ Music ]

[ Applause ]

Good morning, and welcome to What’s New in Managing Apple Devices.

I’m Todd Fernandez, and I’m very pleased to be here with all of you here in the hall this morning, as well as those of you watching this video now or in the future.

I’d like to cover all the things that have changed in the past year, since we last did this at WWDC 2017.

But, before we dive into all of those details, I want to take a moment to take stock of how far we’ve come.

This year, we are very proud to celebrate 40 years of Apple in education.

And, it’s fascinating to see how much has changed.

From the audacious goal of an Apple II in every school in 1978, to an iPad or MacBook in every student’s hands in 2018.

But, it’s even more important to consider how much has remained the same over those tumultuous 40 years.

Apple had a unique insight into how technology could inspire people and unleash their creative genius.

And, we believed technology could help teachers deliver unique and personalized experiences to all of their students.

We have never stopped believing in this goal, and never stopped working hard to achieve it.

Over the years, we have created a number of tools to make it easier for schools to put Apple devices into the hands of each of their students.

And, I want to highlight one of those now.

Classroom is now two years old, and teachers really appreciate the power it puts at their fingertips to accelerate teaching and learning without technology getting in the way.

But, we want to provide our tools on whichever OS our customers choose.

So, we were excited to announce at our March education event, that Classroom was coming to the Mac.

And, it looks like this.

I think Classroom looks fantastic on the Mac.

It has the same great feature set already available on iPad, plus some surprises.

But, instead of describing those to you, I’d like to invite Curt and Raheel up to actually show them to you.


[ Applause ]

Thanks, Todd.

Team’s been working hard to bring the great Classroom experience to the Mac, and we’re thrilled to share it with you today.

To get started, I can just go to Launchpad, and click on Classroom.

As you’d expect in a Mac app, all the actions in Classroom for Mac are available in the toolbar, from menus, and with keyboard shortcuts.

For example, I can hit Command-T to bring up my teacher info.

Oh, that photo’s a bit much.

Let’s go with something a little more laid back.

That’s better.

I can hit Shift-Command-N to bring up a new Class sheet.

We have all the great icons and colors that teachers use in Classroom for iPad.

I have enough Classes for this demo, so I just hit Escape to dismiss that.

In the Classes view, I can drag and drop to rearrange my Classes.

And, I can just double-click to start a Class session.

In a Class session, we have all the actions that teachers expect from Classroom for iPad.

They’re available in the toolbar, from the Actions menu, and of course, with keyboard shortcuts.

And, because this is a Mac app, and I’m demoing on a Mac, I can use QuickTime to show you what this looks like from a student’s perspective.

So, now on your left, we have Classroom for Mac, and on the right, we have Raheel’s student iPad.

Let’s navigate the students to a website.

I hit Command-G to bring up the Navigate sheet.

Now, I could use my mouse to pick the site to go to here.

I could also use the arrow keys.

Let’s open this great National Geographic kids’ site.

So, all my student iPads are taken to this site.

And, I can even click this link to go to the same site in Safari on my Mac.

Now, while I’m browsing the site, I might find something else I want to share with my students, like this cool Monarch butterfly page.

I can click the Share toolbar item, choose to Share via AirDrop, and in the list, my class and any manual groups I’ve created will show up.

So, I can share this page.

Another thing that I love about having Classroom on the Mac, is that it gives me a great way to keep my students on task.

I can see what apps they’re in by looking at these icons next to their avatars.

And, through these Smart Groups that show what students are in each app.

It looks like Raheel’s getting distracted.

Brooklyn and Ella are still in Safari, but it looks like Raheel’s browsing the App Store.

So, I can use another cool feature of Classroom.

If I double-click on Raheel’s avatar, I can see his iPad screen on my Mac.

And, while I’m looking at a student’s screen, I can perform actions on just that student’s iPad.

So, in the Actions menu, I can choose Open App, and then Safari, and click Open, to bring Raheel back on task.

[ Applause ]

Students can share links and files from their iPads to the teacher, too.

For example, I can share an image from Photos, like this great bear picture I found.

All I have to do is tap the Share button, and then tap Doctor C in AirDrop to share.

When a student shares an item with me, the Inbox button in my toolbar will light up to let me know that there’s something new there.

And, I can click to see a list of shared items.

And, on the Mac, I can tear off this Inbox, and place it next to my Classroom window.

And, this is great, because I can get at the items that my students are sharing with me, while still keeping an eye on the class as a whole.

And, I can double-click to open any shared items.

Well, that’s a great bear photo, Raheel.

I know, right?

It’s unbearably great.


[ Laughter ]

Besides Smart Groups, I can also create groups manually in Classroom.

I’ll hit Command-N to bring up the New Group sheet, enter a group name, and select the students to include.

Manual groups are a great way to get different groups of students started on different tasks.

When I’m done with my class session, I can hit End Class.

That ends my session.

I’m presented with this great Summary view.

I can see all the apps that my students used during class, and for each app, a timeline of when they were in that app.

I also see all the shared items, like the great bear photo.

And, for each student, I get a timeline of all the apps they were in, and when they were in those apps.

So, that’s Classroom for Mac.

We think with drag and drop, keyboard navigation, toolbar items, the menus and the tear off inbox, the teachers are going to love the power and convenience of having Classroom on their Macs.

And, of course, any macOS Mojave app would not be complete without support for Dark Mode.

So, that’s Classroom for Mac.

It’s available in public beta now, and from the App Store this fall.

Thank you.


[ Applause ]

Thank you very much, guys.

Doesn’t Classroom really look great in Dark Mode?

I think teachers are really going to appreciate having it here, on their Macs.

Now, while education has been part of Apple’s DNA from the very beginning of our company, over time we’ve broadened our audience to include the enterprise.

And, in 2018 and beyond, we want to empower people in both schools and businesses around the world to manage all of their Apple devices, from iPad to iPhone to MacBook to Apple TV, as well as all of their apps, whether they’re in the App Store, or custom enterprise apps.

With the same technologies and tools running on whichever OS they choose.

And, that’s why today I’m going to organize the content, first covering all the developments organized by the common features available on all our OS’s.

And then, continue through capabilities specific to one or more OS.

And, just to give you a little bit of a legend ahead of time, you’ll see new badges up in the upper right-hand corner on slides where all of that content is new in our fall releases.

There will also be specific version badges on some slides for things that have already shipped in one or more releases, and if there’s a slide that has some with version badges, and some bullets without, everything without a version badge is new in a fall release.

So, with that, let’s get started.

The first thing is to get your devices enrolled for remote management.

And, schools use Apple School Manager to do that.

Take advantage of the device enrollment program to enroll all of their devices with the correct MDM server.

And, I’d like to bring you up to date on all the changes in Apple School Manager over the past year.

First, I want to call out, is now every student-managed Apple ID comes with 200 gigabytes of iCloud storage.

[ Applause ]


Creating more great content, presentations and documents.

We’ve also made it much easier for schools to create and distribute passwords for those student accounts.

We’ve dramatically modernized and streamlined the experience of purchasing apps and books in bulk, as well as managing those licenses over time.

Being able to transfer them from one content manager to another, both within a location, and to another location, as your needs change.

And then, finally, a big customer request was to enable you to set a default MDM server for a particular device type, making it very easy to manage all of your Macs with one MDM server, and all of your iOS devices with another.

But, we didn’t want to just make all this great experience available to schools, we also wanted to bring it to the enterprise.

And so, I’m pleased to let you know that we have now created Apple Business Manager as well.

It offers the same great features to manage accounts, purchase apps and books, and manage device enrollment, with one important caveat on the accounts.

Apple Business Manager allows you to create accounts for all of your administrators to manage these other features, but it does not support creating managed Apple ID’s for all of your employees.

It does offer the same, great, integrated apps and books purchasing experience, including the license management features, and all of the new features for managing device enrollment.

And, it should be very familiar to anyone who’s ever seen Apple School Manager.

To allow you to create accounts for your administrators, purchase and manage your apps and books licenses, and manage your MDM servers, including default MDM type.

So, until this week, Apple Business Manager has been in a private beta.

But, I’m excited to let you know, if you haven’t seen the announcement already, we actually launched in the United States yesterday, and our global launch will be in two weeks, on June 20th.

[ Applause ]

We’re very excited about bringing all of this to, this integrated experience to all of our enterprise customers.

So, where and when will all that happen?

Well, today, Apple School Manager is available in 34 countries, and that’s our global launch in two weeks.

But, we didn’t stop there.

I’m very excited to announce that in fact, this summer we’re also going to expand into 31 more countries around the world, bringing us to 65 with support for Apple School Manager and now Apple Business Manager.

We’re also adding book support in Canada and Germany, which currently only support apps.

So, I know the map looks great.

You can kind of see where the expansion was, but I thought it would be much easier to actually see a list of countries, so you can see if your country will now have support for Apple School Manager and Apple Business Manager.

And, one thing I noticed, looking at this list of countries this is a World Cup year that seven of these countries actually have a team in the World Cup, unlike, sadly, my country, United States, but that means I’m in the market for a new team.

So, go Iceland.

[ Laughter ]

I wanted to tell you also about another expansion of one of our deployment program features.

You can add credit to your account via purchase order to allow you then to purchase apps and books later.

Purchasing from either Apple or a reseller.

And, we have just launched last week in 10 new countries in Europe.

Again, here’s the list.

I believe that doubles our access to this program as well.

The next slide is an evergreen topic.

Every year we add new Setup Assistant panes in one or more of our OS’s, and this year is no exception.

And, we continue to want to enable organizations to configure the experience they provide to their users as they set up their devices.

So, in the spring’s release, we added a new privacy pane on all three OS’s.

We also added a new iCloud storage pane for macOS.

And, two new panes for tvOS.

And, in iOS 12, there’ll be new panes configuring some of the new features, some of which you heard about earlier this week.

We want to continue to give you that option to get your users right to the desktop or home screen as quickly as possible.

So, next, I’d like to cover two updates for how MDM servers should handle both enrolling devices, as well as ongoing communication with each of those enrolled devices, starting with Apple Push Notification service.

So, if your MDM solution is still using the Legacy Binary Provider API, we definitely want you to adopt the new, modern, HTTP/2 API, which is far more capable and efficient.

You can read all about it in the Communicating with APNs section of the Networking documentation.

And, since I brought up documentation, I wanted to take a moment here to calm the waters about the MDM and Profile documentation.

The documentation team is going through a publishing tools transition, and the disclaimer that you might have noticed looking at the documentation this week is not an indication of any change in commitment to providing up-to-date documentation for all these technologies.

In fact, the only reason you saw that disclaimer is because we did update both guides on Monday for both the MDM protocol, and the Configuration Profile reference to cover the changes I’m going to talk about today.

So, next topic is security.

There’ll be a number of these throughout today’s session.

This is something that Bob talked about last year, that we were going to begin requiring transport security this year.

And, in fact, we’re going to do that in both iOS and macOS this year.

Your SCEP server should make sure to advertise its capabilities, so that we know what the highest level of security you support, and don’t have to fall back to a lower security encryption algorithm.

We stopped supporting DES last year.

Definitely support one of the modern and much more secure algorithms.

This year, I also wanted to give you a note on how you can verify that your server is ready for this transition as we roll out the new versions of iOS and macOS this year.

You can use nscurl against each of the URL’s that your server supports, and verify that there are no issues that the diagnostics find.

Now, let’s turn to the new management controls, commands and settings.

And, I’d like to start, again, with everything that’s supported on two or more of our OS’s.

You may have heard about some of the new password features that we’re introducing in this fall’s iOS and macOS releases.

And, of course, we want to enable you to manage them, via profile.

So, the great new automatic strong passwords and AutoFill features within Safari and within apps, we have a new password AutoFill restriction that also covers the existing Safari AutoFill feature and restriction.

We’ve also added a new password sharing restriction that covers all versions of the password sharing feature, including the previous WiFi password sharing.

And, this restriction prevents you from sharing your password with others.

The last bullet on the slide, password proximity requests.

This restriction actually is supported on tvOS as well, because this feature, or this restriction, prevents your device asking others for their password.

And, if you didn’t attend, you can check out the video of the password and AutoFill session which occurred earlier this week.

We added a new restriction to prevent users from modifying the Bluetooth restriction last fall.

And, in the spring, we added a new MDM command to actually be able to set the value of that setting.

And, I’m even more pleased to let you know that it’s not in Seed 1, but I saw the change go in yesterday, that this command will now work even if you have that restriction in place.

And, we think this will be great for schools deploying Classroom, and in other situations where you want to make sure that Bluetooth is enabled, or disabled, as the case may be.

Big customer request, we have enabled OAuth authentication for Exchange accounts configured via profile.

That’s in iOS 12, and in macOS Mojave.

And, a really big one, managed software updates that we brought to both OS’s this spring.

Thank you.

One person’s excited about that.

And, I want to, just because I’m excited about it, talk a little bit more in detail.

It consists of two different restrictions, one to enable the feature in the first place, to put the device so that it will delay when the user will see a new update once we release it.

And, an optional parameter that you can configure the delay period from 1 day to up to 90 days.

If you don’t specify that setting, it defaults to 30 days.

The scheduleOSUpdate command has been supported on both platforms for a long time, and on macOS, it’s always allowed you to specify which update you actually wanted to install on that Mac.

But, in iOS 12, I’m sorry, this spring, in iOS, we added the ability to specify a version number for just the iOS version that you have tested with all the software important for your organization’s devices.

We also added a new Apple software lookup service, so that your MDM server can look up the eligible versions for a particular device at a particular time.

And, we have documented that API to look that up, so that your MDM solution can populate the UI presented to the admin.

It’s in the MDM protocol guide.

Alright. And, that brings us to the end of our common section.

And now, I’d like to talk about some iOS-specific changes.

Again, starting with security.

Now, some of you may have heard about this change that we started to make in iOS 11.3, and now it’s back in 11.4.1, and iOS 12.

And, of course, we wanted to make this manageable as well, beyond the switch that’s in the UI in iOS 12.

So, there’s a new restriction that allows you to control this feature, and whether USB accessories can still connect to devices if they’re locked.

And, of course, Configurator kind of relies on devices being able to connect via USB, so we have implemented a special behavior for those devices.

When Configurator prepares a device to supervise it, but not enroll it in MDM, it will automatically install a profile that installs this restriction, and allows those devices to continue connecting to the Mac running Configurator.

Alright. Another topic which is not new, we’ve talked about it for a number of years, last year Prodop [assumed spelling] told you that we are going to start honoring a certain set of restrictions which were created before supervision existed, but really should only be honored on supervised devices.

I want to make clear that these restrictions are not going away.

They’re still going to be usable, but they will only be honored on supervised devices.

But, after hearing your feedback, we decided to delay one more year, and we’ll make this change next year to help make a smooth transition.

And, we’ve also come up with an upgrade and migration policy that we think will further smooth this transition.

Essentially, if a device which is not supervised has one or more of these restrictions in place, they will continue to be honored even after upgrading to the iOS version that includes this change until they’re wiped.

So, we’ll remember, and we’ll continue to allow you to use them until that device is wiped, allowing you to time your refresh more conveniently.

Of course, any new device configured, or if you wipe the device and restore from a backup, they will get the new behavior, where each of these restrictions is only honored if the device is supervised.

But, of course, if you’re wiping a device, that’s a great opportunity to go ahead and supervise it before you configure it again.

Just to refresh your memory, this is the list with one minor change that we took advantage of the fact that we’re giving you one more year.

That in fact, the three Siri restrictions should also only be honored on supervised devices, so this is the list, and we really mean it this time.

We’re going to do it next year.

Be prepared.

Alright. Managed Open In, it’s a great feature, more used in enterprises, and we’ve made a number of improvements, both in iOS 11.3, and iOS 12, to make sure that the boundary we’ve established between managed apps and unmanaged apps and sharing files and data between them behaves the way everyone would expect.

This included making the Contacts API respect the boundary in iOS 11.3.

Which of course was exactly what many customers wanted, but we know that that did have some challenges for some organizations that were deploying in a specific way.

And, I’d just like to make clear, that if you are using Managed Open In, and want a managed app to manage Contacts, you need to deploy that managed Contacts source as a managed source.

Alright. Now, let’s turn to some of the new settings we’ve been adding in this year’s software releases.

A bunch of things we added in iOS 11.3.

I already mentioned the allow USB accessories while device is locked restriction, completing our set of restrictions to allow you to get Classroom behavior on a supervised device, even if it’s a teacher-created class.

We’ll talk a little bit more about the remote pairing later on in the tvOS section.

And, that last one I really wanted to mention, because this is, again, another long-standing customer request, that both schools and businesses love the Home Screen layout payload, but they were also using WebClips.

And now, in iOS 11.3, you can use WebClips in Home Screen layout payload.

[ Applause ]

Thank you very much.

Moving on to the changes in iOS 12.

Added a couple of new notification types to the Notifications payload.

And, another big customer request, we had a lot of schools in particular that wanted to prevent students from changing the date and time, and there’s a new restriction that essentially turns on set date and time automatically on supervised devices.

Now, this feature will, of course, only work if we can reach the time server, or a cell tower, or location services is enabled.

But, with that caveat, we think this is going to meet the need.

We’ve also made a lot of improvements to how S/MIME is managed for Mail and Exchange accounts configured via profile.

Giving users more flexibility about when to sign and encrypt, as well as important changes to allow them to update the certificates that they’re using for either feature.

Even when their account has been configured via profile.

We also took the opportunity to rename a number of keys to clarify the purpose.

Of course, the existing keys are still honored for now.

But, please check the documentation and update your implementations.

There’s also a number of new settings in the VPN payload for configuring IKEv2 connections, managing your DNS server settings.

And, one important option that we added to the Erase Device command.

Allows you to skip proximity set up on your way back through Setup Assistant, further configuring the device enrollment experience for an end user.

This is really important for deployments for guests that are using your devices, and if you’re using device enrollment to provide a fresh experience for each new guest using that particular iPad or other device.

Thank you, Eric.

And, finally, due to macOS server deprecation, we have removed support for the macOS server account payload in iOS 12.

If you’re still using some of those services as you’re transitioning to a new solution, you can replace those account configurations with normal account payloads.

Next, I’d like to give you a few tips on troubleshooting issues with delivering and executing MDM commands on enrolled iOS devices.

There are a number of logging profiles which you can obtain at the link at the bottom of the screen.

And, all of the URL’s are going to be available at the More Information link, which will be at the end of the session, so you don’t have to feverishly copy those down.

Depending on what type of a problem you’re investigating, you can install either or both of the MDM and Apple Push Notification service profiles.

Once you’ve reproduced the problem, you can get those logs using Console or Apple Configurator 2.

And then, look through the logs by process, depending on what kind of a problem you’re investigating.

Whether you’re looking at communication, or connection issues.

Installing profiles or apps, or working with Shared iPad.

Now, next I’d like to turn to cover some topics that are of particular interest to app developers, who would like to sell their apps to schools and businesses.

Or, as I like to call it in honor of the biggest fan of the initial iPhone, say it with me, the developers, developers, developers section.

I’ll first cover some topics specific to education apps, before continuing with some topics for enterprise apps.

At our education event in Chicago in March, we announced a brand-new app for teachers called Schoolwork.

Schoolwork allows teachers to easily share content with their students, leveraging the power of your apps.

And then, they can view student progress across all of their work within those great apps.

Helping them to tailor instruction to the needs of each of their students.

And, also allowing them to collaborate and provide instant feedback on what their students are learning quickly, and where they might need a bit more support.

Now, all of this is based upon a new framework called ClassKit.

And, that’s where you come in.

Apps which adopt ClassKit integrate with Schoolwork in order to help teachers discover assignable activities within your app, to take students directly to the right activity for what they’re supposed to be working on.

And, most importantly to securely and privately share that progress data as they work through those tasks with their teachers.

Now, they had a session yesterday, and I encourage you to watch their video.

Alright. While I have, hopefully, your attention, I’ll, you know MDM developers are developers too, so this is really more for them.

But, I wanted to make sure I kept their attention.

They didn’t start tuning me out.

So, the Roster API is how MDM servers can get class information from Apple School Manager.

And, we have had this class name field for a while.

And, we want to encourage you to use that as a display name in your MDM console, as well as what you pass along to Classroom via the education payload, the configure managed classes.

This is because Schoolwork is using that field, and we’d like to achieve a consistent experience for teachers using both apps.

The reason you might not be already doing this, is because of class name’s history.

Before January, it was there in the API, but we actually didn’t return a value.

In January, we began returning a value that was derived using logic in Apple School Manager.

But, this month, we’re going to start allowing administrators to configure that name based on how the school names their classes, and what the teacher will expect right within Apple School Manager.

So, again, if you’re not currently using that to configure the education payload for Classroom, please start, so we can achieve that great experience for teachers.

Want to, again, remind you about Shared iPad.

If you want your app to be used in Shared iPad, need to make sure that it doesn’t depend on any data being available locally on a new device.

When a student moves, and signs into a new Shared iPad.

Persist all of the app data to the cloud, whether that’s our cloud, or your cloud.

And, while we’d, of course, prefer that you test your app on a real Shared iPad, you can simulate this by deleting all the local data, and then making sure that your app still works well.

Also like to encourage you to adopt managed app configuration.

There are thousands of developers who have, and have created a number of shared schemas that can make your app much more friendly to education and enterprise, by enabling them to create a customized experience for their employees or students, to customize the look of the app, or to prepare some custom data to warm up the app so they get the right experience at first launch.

Here’s the URL for the site to learn all about it.

Again, that will be available on the More Information page later on.

We also have a number of great enterprise partners, who’ve provided SDK’s to make the power of their services available to your apps.

From IBM’s Watson to allow you to do machine-learning models, and we have great pages on our developer.apple.com website.

They’re really hard to figure out, because they’re slash and then the company name.

But, I encourage you to check those out, and see what you can do within your apps.

And, finally if your app depends on network performance, for some time now, we’ve enabled you to configure that with profiles for enterprise apps and MDM solutions.

But, this year we’ve added a number of new quality of service keys to allow you to fine-tune it even further.

Encourage you to check out the networking session, if your app is sensitive to network performance, to find out how you can achieve the best performance on our platforms.

And, that brings us to the end of our iOS-specific section.

So, following the pattern established by this week’s keynote, let’s turn next to tvOS.

Now, with tvOS, we, over the past number of years and releases have been playing a little bit of catch up and adding some of the great features for device management that we had previously had for iOS and macOS.

And, I’m very pleased to let you know that we continued to do that this year.

This spring, adding the ability to configure content restrictions, just like you can on iOS and macOS.

And, enabling you to lock down which app, or which devices, can use the Remote app to manage a particular Apple TV.

This is great in the classroom, so that the teacher can just have the Remote app on her phone, and you cannot need a physical remote in the classroom.

No student would ever get up to no good with one of those.

And, perhaps, even more important, some great key features of the device management experience.

Being able to install App Store apps on Apple TV.

Thank you.

[ Applause ]

And, being able to update to the latest version of tvOS via MDM command, just like another Apple device.

[ Applause ]

Thank you.

And, we think that combining these new features with some of the features that we’ve added over the past few releases, you can do some amazing things with Apple TV, on its own, and in combination with other Apple devices.

Provide new experiences to your guests.

So, to illustrate the possibilities, I’d like to welcome you to the entirely fictional Hotel Cupertino.

Such a lovely place.

Where each enrolled Apple TV is programmed to receive commands from the hotel’s MDM server.

For example, including updating to the latest version of tvOS.

And, installing a custom enterprise app to allow your guests to manage their experience, including ordering of room service, when they get a hankering for pink champagne on ice, or informing them about options for exploring the area.

You can also provide your guests with great entertainment options, when they’re actually spending time in your room, by installing App Store apps.

And, this is the time when I would love to share a clip of my favorite show, Game of Thrones, with you, but we don’t have time for that right now.

So, assuming your guests actually ever leave the room, and take some photos, they can of course, use AirPlay to share those photos, and display them on the big screen in the room you’ve provided to them.

So, this is just one example of what can now be done with Apple TV by managing it remotely.

But, of course, there are many other types of businesses that could take advantage of these capabilities to provide amazing experiences to their guests, including integration with the Apple devices they’re already bringing with them.

We look forward to seeing the fruits of your creativity, even if it doesn’t involve dragons.

So, that brings us to the end of our tvOS section.

And, last but not least, macOS, just like in the keynote.

So, let’s start right at the beginning, installing macOS.

And, I’d like to make everyone aware of the great new command added to the macOS installer this spring, called startosinstall.

If you’re installing from and to your computer startup disk, you can use this command.

And, it supports all the latest Mac hardware.

It also includes some great features that allow you to install packages on top of the freshly installed macOS.

And, an option to start fresh, and erase that partition before you install the new version of macOS.

Of course, once you’ve installed the OS, you want to get enrolled for remote management.

And, we received some feedback from some of our enterprise partners in particular, that they really prefer the iOS experience, and felt it was more user friendly.

So, we’re going to take that feedback, and simplify, and make the macOS MDM enrollment experience match iOS.

It’s not in Seed 1, but you will see it soon in macOS Mojave.

I told you there were more security topics.

Here’s another one.

We want to strongly encourage our MDM partners to take advantage of this new capability to make enterprise app manifest delivery more secure.

The transition is easy because we’re continuing to support the existing InstallApplication MDM command to install enterprise apps, but we really want you to switch to one of the new methods using the new InstallEnterpriseApplication command as soon as possible.

There’re two options.

You can either specify the manifest right within the command, inline.

Or, you can specify certs that we’ll use later to pin our request to fetch the manifest.

Please read up about this, and make the switch as soon as you can.

Now, this is not actually a change so much, because none of these six payloads ever worked to install in a system profile.

But because they only make sense in a user context.

But, next year, we’re going to start treating installing any of these payloads in a system profile as a hard failure.

So, you have some time to prepare for that, and make sure you’re not already doing that.

Now, let’s talk about some of the new things we’ve added in this year’s macOS releases.

Big customer request, you can now mark generated private keys as not exportable, so the user can’t get access to them on their Mac.

We added content caching last fall in macOS High Sierra.

And now, you can configure it via profile.

And, we’ve added a number of new controls for managing how smart cards are used on your organization’s Macs.

Thank you.

Smart cards.

Last fall, we introduced a new concept for enrollments on Macs called user-approved MDM.

And, this is to protect features that should really only be available on an organization-owned Mac, and be tied to affirmative consent from a user or an admin, and not configured via rogue script.

The first example was the kernel extension permissions.

And, we introduced this in 10.13.2, although user-approved MDM enrollments was not actually required until 10.13.4.

There will be more security features that will fall into this group.

So, this is something that’s going to be with us, and in fact, next thing I want to talk about also requires user-approved MDM.

And, that’s the additional support we made for testing apps for high stakes testing apps on the Mac, so they can achieve the controlled environment that they require.

That support requires both an entitlement, as well as a Mac which has a user-approved enrollment.

And, just like for iOS and tvOS, I’d like to give you some tips on troubleshooting issues with communicating with enrolled devices.

Similarly, you can install the right logging profile for a managed client, or again, Apple Push Notification service.

Get the logs using Console, and it’s a lot simpler: you can just filter for the Managed Client process on the Mac.

But, I also wanted to highlight the profiles command line tool.

It’s a Mac, we’ve got Terminal.

You can, of course, use it to install and remove profiles, but it also has some great features for verifying your deployment.

The first we added this spring, allows you to verify whether the enrollment is user-approved, with the profiles status command.

And, new in macOS Mojave, there’s a validate command that allows you to confirm, or tells you any differences between the device enrollment profile in the cloud, and what’s actually configured on the device at that moment.

So that you can more easily detect when your change that you know you’ve already made in the cloud hasn’t been reflected on the Mac yet, or the device has become unconfigured.

So, that brings us to the end of our content for today.

And, I’d like to quickly sum up some of the takeaways for the different groups, and different audiences for this talk.

Administrators, we hope you love having access in more places for Apple School Manager, and now Apple Business Manager to manage all of your organization’s accounts, devices, and apps and books.

Take advantage of all those new device management capabilities that we’ve talked about today.

And, prepare for the security changes that will impact your deployments.

For MDM developers, of course, we need you to support all these new features, because the administrators won’t be able to take advantage of them until you do, in the solution that they’ve already paid you for.

Please get on adoption of those security features to help us make sure that we are keeping the communication between enrolled devices and your product as securely as possible.

And, finally, app developers.

Take advantage of all these great technologies that we’ve made available to you on our OS’s from ClassKit and Shared iPad for schools, to managed app configuration for all kinds of apps, and then the enterprise features for enterprise apps.

We have a number of labs, one later today after lunch.

And then, tomorrow morning.

And, if you’d like to learn more about the new password and AutoFill features, they also have a lab tomorrow afternoon.

And, with that, I’ll thank you for your attention, and hope you enjoy the rest of the show.

Thank you very much.

[ Applause ]
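
Added example, not part of the session: a shell function that classifies the output of the `profiles status -type enrollment` check mentioned in the talk, so a compliance script can tell a user-approved enrollment from a plain one. The two-line output shape and the function names are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: classify the text printed by `profiles status -type enrollment`.
# Assumed output shape (two "Key: value" lines), e.g.:
#   Enrolled via DEP: No
#   MDM enrollment: Yes (User Approved)

# classify_enrollment TEXT -> prints one of:
#   user-approved | not-user-approved | not-enrolled | unknown
classify_enrollment() {
    mdm_line=$(printf '%s\n' "$1" | grep -i '^[[:space:]]*MDM enrollment:' | head -n 1)
    case "$mdm_line" in
        "")                echo "unknown" ;;            # line missing: do not guess
        *"User Approved"*) echo "user-approved" ;;
        *": Yes"*)         echo "not-user-approved" ;;  # enrolled, approval absent
        *": No"*)          echo "not-enrolled" ;;
        *)                 echo "unknown" ;;
    esac
}

# enrolled_via_dep TEXT -> exit status 0 if the DEP line says Yes
enrolled_via_dep() {
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*Enrolled via DEP:[[:space:]]*Yes'
}

# compliance_check TEXT -> prints a summary; exit status 0 only when the
# enrollment is user-approved (the state the talk ties to protected features)
compliance_check() {
    state=$(classify_enrollment "$1")
    if enrolled_via_dep "$1"; then dep=yes; else dep=no; fi
    echo "state=$state dep=$dep"
    [ "$state" = "user-approved" ]
}

# Constructed sample outputs (not captured from a real Mac)
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_UNAPPROVED='Enrolled via DEP: Yes
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a managed Mac: compliance_check "$(profiles status -type enrollment)"
```

Treating a missing or unparseable line as `unknown` rather than as enrolled keeps the check from passing when the output format differs from the assumed one.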
