iOS 13 and macOS Catalina: Enterprise Preview

Wait, no, don’t close the tab! Don’t you do it! Yes, it’s enterprise. I know. But, just hold on a hot damn second. These new features for iOS 13, iPadOS, and macOS Catalina in enterprise are cool. Mostly because I kinda love what they just might be hinting at for the future of all of Apple’s operating systems… and for all of us.

Security

I’m going to break this into three parts. Well, two parts actually since the first part, security, I covered already in my hour-long macOS Catalina video.

That includes read-only system volumes, kernel extensions, DriverKit, Gatekeeper that doesn’t just check for malware on first launch but every launch, notarization, and a bunch of new privacy permissions.

I won’t waste your time repeating it, so just check out the link in the description for all the details.

Management

The second part, management, is where it starts to get cool. Now, Apple’s offered device enrollment for a while. That’s where a company uses a mobile device management or MDM system to basically control a device, decide what you can and can’t do with it, and own it from passcode creation to full deletion.

Previously, Apple added automated device enrollment. The idea was zero-touch. For example, a company-purchased iPhone could be shipped to an employee, still all wrapped up, and that employee could open it up, and it’d be ready to go, no IT worker with a cable or hands-on config needed. And from there, the company could manage it as needed.

And it’s great for company-owned iPhones. Apple will now even let automated enrollment deliver custom branding, content, and consent text, and authentication tied into cloud identity providers.

But, BYOD — bring your own device — has been a thing for over a decade now. That’s where a company either allows employees the freedom to buy any device they want to use, or just saves money by making them buy their own devices, or both.

The thing is, if you buy it, you own it, and your company shouldn’t have complete control over it anymore.

At least, that’s where Apple is drawing the line when it comes to control — whoever bought it, gets it.

And that brings us to the latest feature: User enrollment.

The best way to describe it is that it’s your device and your stuff is your stuff, but it allows your company to give you some of their stuff and manage just their stuff that they give you.

You download an enrollment profile, launch settings, tap Enroll, and then sign in with the managed Apple ID your company gives you. More on that in a bit.

Once it’s enrolled, the company gets its own, unique identifier for the device that persists only as long as the enrollment. They can configure accounts, per-app VPN, and apps that the company installs. They can require a passcode and set up some restrictions.

What they can’t do is get any other identifiers for the device, like the serial number, UDID, or IMEI, require a complex, alphanumeric passcode, take over the management of any app the user installed, remotely wipe the device, access any cellular features, add anything that collects log information, or add any supervised restrictions.

Again, Apple is drawing the line on who owns the device. If the company makes you buy it or bring it, it’s yours, not theirs, and they can’t take complete control over it. That rests with you.

To make this work, User enrollment creates a separate APFS volume for the managed accounts, apps, and data. It’s cryptographically separated from the rest of the device and it’s not backed up to the user’s iCloud account.

Notes, Files, third-party apps, and Keychain are completely separated. Mail and calendar are partially separated. For mail, previews and metadata remain on the user volume, as do events for the calendar.

When and if you unenroll it, the separate volume and its encryption keys are destroyed, and any apps, accounts, and configurations pushed down by the company are removed.

Identity

The third part of all this is Identity. User enrollment is integrated with Managed Apple IDs, which can be created by Apple School Manager for education and Apple Business Manager for enterprise. They can also be federated with Microsoft Azure Active Directory.

Managed Apple IDs provide access to iCloud Notes, iCloud Drive, iCloud Contacts and Calendar, and other services.

And, for user enrollment, the personal Apple ID is associated with all your personal content and the managed Apple ID, with anything and everything pushed down by the company.

What’s more, there’s a new single sign-on extension for native apps and the web so you don’t have to create, manage, and remember separate, unique, long, strong passwords for every app and service.

It’s used by identity providers and configured by the MDM, so once you log in, that login just works for all your company apps and services, iCloud Keychain, per-app VPN, multi-factor authentication, and notifications.

There’s even a Kerberos extension to authenticate for web sites and Active Directory services.

Taken together, it should let everything co-exist peacefully, privately, and securely, all on one device, without the overhead of having to deal with separate environments.

It’s a clever implementation but I’ll leave it to all you IT pros out there to let me know how it works for you in the comments.
