© 2016 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple.

Distribution #WWDC16

Session 303

What’s New in Apple Device Management

Todd Fernandez Senior Manager, Device Management & Server

WWDC 2016

Back To School

Configure

Devices

Order

DevicesBuy

Apps

Evaluate Tools

iOS 9.3

Spring 2016

Spring 2016

Apple School Manager

“Apple School Manager will save our tech staff lots of time—we can manage devices, content, and our student accounts all from one place.”

Patrick ScanlanSupervisor of Technology & Information ServicesSan Jose Unified School District

Shared iPad

“Shared iPad will allow our district to transform a cart of shared devices intoa personalized learning experience for each student.”

Eric CulpepperTechnology Support SpecialistGoose Creek CISD

Classroom

“Classroom has been an extremely useful tool throughout the school day … to enhance the Project Based Learning that is going on in my classroom. Classroom helps me to keep all my students accountable for their work, while also keeping them extremely engaged in their assignments.”

Ryan Garcia-GananFourth Grade TeacherSan Jose Unified School District

Spring 2016

Getting Started Distribution ToolsManagement

Getting Started

Getting Started

Apple deployment programsApple School ManagerManaged Apple IDEnrollmentShared iPad

EnterpriseGetting Started

Apple deployment programsDevice Enrollment Program (DEP)Volume Purchase Program (VPP)Many new settings and commands

Apple School ManagerGetting Started

PeopleDevicesContent

PeopleApple School Manager

Input• SIS integration• CSV upload

Managed Apple ID• Students• Teachers

Classes

Managed Apple IDApple School Manager

Admin accounts• Tiered administration• Roles and privileges

Student accounts• Required for Shared iPad• Passcode options• Disabled services

- Commerce, FaceTime, iMessage, iCloud Mail, …

APIApple School Manager

Roster ServiceUsers• Students• Teachers

Classes

API: TransitionApple School Manager

Check during syncs if token is now ASM type (API v3)Tell DEP you support API v3 by including in header

Customers do not need to download new tokens

API: Best practicesApple School Manager

Handle duplicate records from multiple sources (e.g., LDAP + API)• Allow admin to configure automatic policy

matching criteria• Allow admin to manually merge records

source_system_identifier corresponds to CSV “PersonNumber”• Field is mutable and not guaranteed to be

unique!

API: Best practicesApple School Manager

No delta API• SIS syncing only once per day• Don't automatically perform “full sync” more

than once per day• Consider throttling admin-initiated syncs

DevicesApple School Manager

Device Enrollment Program• Find purchases• Configure MDM servers• Assign devices to MDM servers

ContentApple School Manager

Volume Purchase ProgramiTunes U

Enrollment optimizationSecurity best practicesConfigure Setup AssistantMDMServiceConfigShared iPad

EnrollmentGetting Started

Enrollment optimizationEnrollment

Enrollment optimizationEnrollment

MDM Server

Device Enrollment Program

iOS Device or Mac

Enrollment optimizationEnrollment

MDM Server

Device Enrollment Program

iOS Device or Mac

await_device_configured

1 DEP Settings

Enrollment optimizationEnrollment

MDM Server

Device Enrollment Program

iOS Device or Mac

await_device_configured

1 2DEP Settings

Enrollment optimizationEnrollment

MDM Server

Device Enrollment Program

iOS Device or Mac

await_device_configured

1 2DEP Settings

TokenUpdate (AwaitingConfiguration)

3

Enrollment optimizationEnrollment

MDM Server

Device Enrollment Program

iOS Device or Mac

await_device_configured

1 2DEP Settings

CommandsConfiguration Profiles 4

TokenUpdate (AwaitingConfiguration)

3

Enrollment optimizationEnrollment

MDM Server

Device Enrollment Program

iOS Device or Mac

Exit Setup Assistant

await_device_configured

1 2DEP Settings

CommandsConfiguration Profiles 4

DeviceConfigured 5

TokenUpdate (AwaitingConfiguration)

3

Enrollment optimization: Shared iPadEnrollment

Enrollment optimization: Shared iPadEnrollment

MDM Server Shared iPad

Enrollment optimization: Shared iPadEnrollment

MDM Server Shared iPad

1

User signs in

Enrollment optimization: Shared iPadEnrollment

MDM Server Shared iPad

1

2

User signs in

TokenUpdate

Enrollment optimization: Shared iPadEnrollment

MDM Server Shared iPad

1

2

User signs in

3Commands

Configuration Profiles TokenUpdate

Security best practicesEnrollment

iOS 9.3.2 no longer supports MD5DES deprecatediOS 10 adds AES support

SCEP servers need to support 3DES orAES as soon as possible

Configure Setup AssistantEnrollment

True Tone

Configure Setup AssistantEnrollment

Siri iCloud Desktop

NEW

Equivalent to VPP Storebag from iTunes StoreInforms tools what info they can obtain from your serverUnauthenticated HTTPS request at URI MDMServiceConfigUTF8 JSON-encoded hash• dep_enrollment_url • dep_anchor_certs_url • trust_profile_url

MDMServiceConfigDevice Enrollment Program

Equivalent to VPP Storebag from iTunes StoreInforms tools what info they can obtain from your serverUnauthenticated HTTPS request at URI MDMServiceConfigUTF8 JSON-encoded hash• dep_enrollment_url • dep_anchor_certs_url • trust_profile_url

Profile Manager has implementedConfigurator 2 now supports

MDMServiceConfigDevice Enrollment Program

Shared iPad

Shared iPad

Support multiple usersInstall appsPreserve user data

Multiple usersShared iPad

Requires Managed Apple ID to sign inSigns in to iCloud and iTunes

Installing appsShared iPad

Device assignedMDM vendors use PurchaseMethod 1All app types supported• App Store developers must allow device assignment

ArchitectureShared iPad

Student data truth in the cloud• Data is cached, but may be purged when needed• User data separation• Data will continue to upload after sign out if necessary

Apps should be education ready

Uploading Mia’s Data

Uploading Mia’s Data

Uploading Mia’s Data

Uploading Mia’s Data

Uploading Mia’s Data

Uploading Mia’s Data

Downloading Gabriel’s Data

Uploading Mia’s Data

Support in MDM serversShared iPad

New DEP setting to enableUse Enrollment Optimization to set options beforestudent use• User quota• Lock screen grace period

User quotaShared iPad

User quotaShared iPad

Maximum numbers of users cached locally

User quotaShared iPad

Maximum numbers of users cached locallyStorage allocated to each user calculated automatically

User quotaShared iPad

Maximum numbers of users cached locallyStorage allocated to each user calculated automatically

User quotaShared iPad

Maximum numbers of users cached locallyStorage allocated to each user calculated automaticallyAfter limit reached, new user purges the cache of the LRU user

Maximum numbers of users cached locallyStorage allocated to each user calculated automaticallyAfter limit reached, new user purges the cache of the LRU user

User quotaShared iPad

Maximum numbers of users cached locallyStorage allocated to each user calculated automaticallyAfter limit reached, new user purges the cache of the LRU user

User quotaShared iPad

Lock screen grace periodShared iPad

Time after screen locks that devicewill prompt for user passcodeBefore time limit reached, student canwake device with just a swipe

User channelShared iPad

Allows MDM server to configure per-user settings• Similar to macOS• iOS devices running 9.3 and later don’t ignore it• Some payloads now supported

No user authentication on iOS• Never send sensitive information over user channel

- User channel enforces no credentials- Google OAuth supported, but without credentials

User channel: Supported payloadsShared iPad

Accounts, including Google OAuth accountNotificationsHome screen layoutManaged Domains: Safari autofill domainsRestrictions, including Show/Hide Apps

User channel: Restrictions payloadsShared iPad

Most restrictive winsCombined to compute effective restrictions• Just like multiple profiles

DemoShared iPad

David SteinbergDevice Management Engineer

Shared iPadDemo Recap

Classes preconfigured on login screenRecent usersSign in with Managed Apple ID and passcodeSign in choosing recent userApps show only current user’s dataDifferent users see different apps and home screen layout

Getting Started Distribution ToolsManagement

Distribution

Distribution

Managed Apple IDBooks for Shared iPadEnterprise Apps

Managed Apple ID associationVPP

Programmatically associate Managed Apple IDs for VPP

Requires DEP/ASM token and VPP tokens from same organization• Customer doesn’t need new tokens after transition to ASM• DEP and VPP use different tokens so could be different organizations

- Dedicated error code for this failure mode; try and fail

Requires MDM solution adopt APIImportant for iBooks Store books

Books for Shared iPadVPP

iBooks Store VPP books• Assigned to users• Cannot be distributed to devices• Shared iPad user must “download” in iBooks

- Downloaded only once per device

Non-iBooks Store books• PDF, IBA, EPUB• Device assigned

UPPsEnterprise Apps

Allow non-App Store app to run on device not defined in provisioning profileRequire trust and validationUser must explicitly trust apps from that signer to run on this device• Apps installed via MDM implicitly trusted

Apple must consider this UPP still valid• Periodic checks via online connection to validation server• MDM installed apps still require periodic validation• MDM can trigger validation for any app• Automatically validate any applications that it discovers are not validated

Getting Started Distribution ToolsManagement

Management

Management

Shubham KediaiOS Engineer

MDM commands and queriesWhat’s New in iOS 9.3

Settings now allows setting max users, diagnostic submission

User ListLogout userDelete User

MDM Lost Mode (including device location)MDM Activation Lock

Configuration profile payloadsWhat’s New in iOS 9.3

EducationNotificationsHome Screen LayoutLock Screen Message

Exchange, Mail: Allow Mail DropManaged Domains: Safari autofill passwordsVPN: Many new IKEv2 settingsRestrictions: Many new settings

Configuration profile payloads: RestrictionsWhat’s New in iOS 9.3

Apple MusicClassroom Screen ViewiCloud Photo LibraryiTunes RadioModify NotificationsShow/Hide Apps

Configuration profile payloads: EducationWhat’s New in iOS 9.3

StudentsTeachersClassesPhotos• URLs• Get required HTTPS

Used by Shared iPad login screen and ClassroomOnly one allowed per deviceStudent devices and teacher devices need different payloads

Configuration profile payloads: Per-user on Shared iPadWhat’s New in iOS 9.3

Five payloads can now apply per-user on Shared iPadAccounts• Google OAuth account

NotificationsHome screen layoutManaged Domains: Safari autofill domainsRestrictions• Show/Hide Apps

MDM commands and queriesWhat’s New in iOS 9.3.2

Enable/Disable App AnalyticsSet lock screen grace period

DeviceInformation returns App Analytics enabled/disabledSecurityInfo returns lock screen grace period

Automatic Assessment ConfigurationWhat’s New in iOS 9.3.2

Continues to work same way on supervised devicesNew entitlementAPI then disables five features while app is running:• Auto correction, Define, keyboard shortcuts, predictive keyboard, spell check

Safe escape behavior on unmanaged devices

Configuration profile restrictionsWhat’s New in iOS 9.3.2

Modify diagnostics submission

Configuration profile payloadsWhat’s New in iOS 10

Contacts, Exchange, Google, LDAP: Communication service rules for audioLock Screen Message: Updated key namesVPN: IKEv2 EAP only authentication method, timeout for IPSecVPN: PPTP has been removed from iOS 10• Existing payloads will not work

Wi-Fi: Captive bypassWi-Fi: Cisco fast lane QoS markingRestrictions: Modify Bluetooth

NEW

Configuration profile restrictionsDeprecations

App installationApp removalFaceTimeSafariiTunesExplicit contentiCloud documents and dataMultiplayer gamingAdd GameCenter Friends

Configuration profile restrictionsDeprecations

App installationApp removalFaceTimeSafariiTunesExplicit contentiCloud documents and dataMultiplayer gamingAdd GameCenter Friends

MDM commands and queriesWhat’s New in OS X 10.11.4

Install major update (DEP Macs)

Configuration profile payloadsWhat’s New in macOS Sierra

IP firewallRestrictions• Apple Music• iCloud keychain sync• iCloud Photo Library• Back to my Mac• Find My Mac• Sharing to Notes, Reminders, or LinkedIn

NEW

Getting Started Distribution ToolsManagement

Tools

Classroom

Assign Shared iPadLaunch appNavigate to locationAirPlay to Apple TVLock iPadView screen

DemoClassroom

Shruti GuptaDevice Management Engineer

ClassroomDemo Recap

Open appCreate and edit groupsLock to appView screenLock device

DEP and VPP SimulatorsTools

Simulate DEP and VPP servicesTest handling of service errors

Now supports all the new DEP and VPP features

Available for download on developer portalSupport new features

Getting Started Distribution ToolsManagement

AdministratorsSummary

Use Apple School Manager to manage people, devices, contentUse DEP (wireless) or Configurator (wired) to enroll devices in MDMUse Shared iPad with Managed Apple ID on shared devicesUse VPP Managed Distribution to distribute apps to devices or users

MDM developersSummary

Support VPP Managed Apple ID associationSupport new features in iOS 10 and macOS Sierra• Documentation available now

Test with DEP and VPP simulators

App developersSummary

Store data and preferences in cloudTest using app with two iPads

Related Sessions

Best Practices for Building Apps Used in Business and Education Nob Hill Wednesday 1:40PM

Labs

Education and Enterprise Deploymentand Development Lab

Graphics, Games, and Media Lab C Tuesday 1:30PM

Education and Enterprise Deploymentand Development Lab Fort Mason Wednesday 3:00PM

Education and Enterprise Deploymentand Development Lab Fort Mason Thursday 11:00AM

apple.com/education

apple.com/educationResources for Education

apple.com/education

developer.apple.com/enterpriseResources for Enterprise

developer.apple.com/enterprise

More Information

https://developer.apple.com/wwdc16/303