WWDC Quick Look 💓 By SwiftGGTeam
Deploy Apple devices using zero-touch

Deploy Apple devices using zero-touch

Watch original video

Highlight

Apple demonstrated an internal zero-touch deployment process: the device is sent directly from the supply chain to employees, and when it is powered on for the first time, registration, application distribution and security configuration are automatically completed through Apple Business Manager, MDM and APNs.

Core Content

In the past, when a company computer was issued, IT often had to unbox it, install the system, make an image, create an account, install software, and then hand the machine over to employees. When remote work suddenly expands, this process will become a bottleneck: devices are queued up in IT hands, employees are waiting for machines at home, and it is difficult for security policies to fall on the devices in the first place.

Apple talks about its own practices in this session. After a device is purchased, the serial number, purchase order, and purchase date enter Apple Business Manager through the reseller process. Organizations assign devices to a default MDM server, enter Setup Assistant when the device first boots, and then receive initial management configuration during activation and enrollment.

The goal of this process is straightforward: Devices can be shipped directly from the supply chain to employees’ homes. Users only need to complete the necessary settings, and security items such as enterprise applications, Wi-Fi, VPN, email calendar, and FileVault are pushed by MDM. The internal scale Apple gave in its presentation was 20,000 devices per MDM administrator.

During the epidemic, this capability became a real business continuity tool. Apple ships new Macs directly to employees who cannot take away their office equipment, and employees can resume work through zero-touch registration after turning on the machines. Without this process, IT would need to be provisioned on a machine-by-machine basis, and affected employees would be down for longer periods of time.

Detailed Content

(03:32) Zero-touch deployment starts with procurement. The dealer sends the device record to Apple Business Manager, which contains serial number, purchase order, purchase date and other information. Apple Business Manager puts the device into the organization account based on the Reseller ID, and then assigns it to the MDM server according to the organization’s default target.

purchase from reseller
  -> reseller sends device details to Apple Business Manager
  -> Apple Business Manager assigns device to the organization's MDM target
  -> Setup Assistant starts enrollment on first boot
  -> MDM applies pre-stage profiles and management settings

Key points:

  • purchase from resellerIt is a link entry, and device information does not require IT to manually enter each machine.
  • Apple Business Manager assigns deviceLet organizations decide which MDM environment a device belongs to before an employee even turns it on.
  • Setup Assistant starts enrollmentBy placing the registration action in the first startup process, users do not need to install additional management tools.
  • MDM applies pre-stage profilesCorresponding to the preset configuration in the lecture, the initial configuration will be issued during device setup.

2. APNs and proxy network

(05:40) The speech mentioned that starting from macOS 10.15.4 and iOS 13.4, APNs supports proxy configuration. This is critical for enterprise networks that deny outbound traffic by default because management communication between MDM and devices relies on the Apple Push Notification service (APNs).

PAC file specifies web proxy
  -> APNs traffic uses the proxy
  -> MDM can reach devices on proxy-enabled networks
  -> APNs payload remains encrypted and cannot be inspected

Key points:

  • PAC file specifies web proxyDescription Agent discovery can come from agent autoconfiguration files.
  • APNs traffic uses the proxyIt is the new network capability mentioned this time, which facilitates the managed network to release management traffic.
  • MDM can reach devicesSolve the problem that MDM commands cannot stably reach the device in a network that is rejected by default.
  • payload remains encryptedThe security boundary of APNs communication is preserved, and network devices cannot inspect the data.

3. What steps should be left in Setup Assistant?

(09:31) Zero-touch deployment does not mean leaving all choices to the system. Apple’s approach is to skip unnecessary Setup Assistant screens while retaining key steps such as local account creation and password requirements. The user still knows the device is managed by the organization and sees a custom MDM prompt on the enrollment screen.

Setup Assistant design
  keep: language, network, local account, secure password
  skip: nonessential screens that slow deployment
  show: custom MDM enrollment notification
  finish: install required apps and security profiles

Key points:

  • keepRepresents user input that cannot be omitted, especially local account and password policies.
  • skipCorresponding to the practice of reducing screen settings in the speech, the purpose is to truly shorten the time from unboxing to the desktop.
  • showLet users know clearly that the device is being added to the organization’s management, in line with Apple’s emphasis on transparency.
  • finishIt is the landing action after the registration is completed. The application and security configuration should be ready before and after the user reaches the desktop.

4. The order of implementation of application, identity and security policies

(10:58) Once a device enters MDM, Apple automatically installs business-critical apps and configures mail, calendar, VPN, and internal wireless networks. After the user logs in to the Single Sign-On (SSO, single sign-on) client, MDM can also deliver different configurations, policies, applications, and settings to the device based on the LDAP group and user role.

MDM enrollment completes
  -> install business-critical apps
  -> configure Mail, Calendar, VPN, and Wi-Fi
  -> read identity through SSO and LDAP groups
  -> scope profiles, policies, apps, and settings by role

Key points:

  • install business-critical appsIt is suitable for placing automatic installation queues to ensure that employees can work immediately after opening the desktop.
  • configure Mail, Calendar, VPN, and Wi-FiCorresponds to the basic productivity configuration in the speech.
  • read identity through SSO and LDAP groupsTurn user identity into a management condition.
  • scope profilesLet different departments, positions or security levels get different policies to avoid one set of configurations covering all devices.

5. How to deal with lost contact, resignation and non-compliant equipment

(13:20) The speech lists several types of security treatments: removing MDM configuration data, deleting only specific configurations or provisioning profiles, remotely wiping Mac, and remotely locking devices. These actions require the device to have a network connection to receive commands.

if device is lost, stolen, out of policy, or user leaves
  option A: remove the MDM configuration profile
  option B: remove selected configuration and provisioning profiles
  option C: remotely wipe the Mac
  option D: send remote lock command

Key points:

  • option AThis will end the device’s relationship with MDM and remove the accounts and settings installed by MDM.
  • option BKeep devices managed and only clean up configurations that need to be removed, so devices don’t have to be re-registered when they return to a compliant state.
  • option CUsed to permanently delete media and data.
  • option DIt is suitable to lock the access entrance when the device is lost, and the administrator can set the unlock password.

6. App distribution does not rely on personal Apple ID

(14:46) Apple uses VPP and MDM to distribute apps to devices instead of requiring users to first configure an Apple ID or accept an invitation. For a large number of devices, macOS content caching also locally caches apps, system updates, and other Apple content.

device-based app management
  -> assign apps through Apple Business Manager and MDM
  -> install apps without a user's Apple ID
  -> use macOS content caching for large fleets
  -> prepare for managed apps in macOS Big Sur

Key points:

  • device-based app managementIdeal for shared devices, new employee devices, and scenarios without personal Apple IDs.
  • install apps without a user's Apple IDReduce account blocking on the first day of employment.
  • content cachingIt can reduce the pressure on the external network caused by large-scale installation and system updates.
  • managed apps in macOS Big SurAs a follow-up direction mentioned in the speech, IT can prevent critical apps from being removed.

Core Takeaways

1. Make a remote onboarding equipment package

  • What to do: Prepare a Mac distribution process for new employees that automatically registers, automatically installs apps, and automatically configures network and security policies.
  • Why it’s worth doing: The core scenario of this session is that the device is sent directly to the employee, and after the first boot, they enter the MDM and complete the necessary configuration.
  • How ​​to start: First confirm in Apple Business Manager that the device can be assigned to MDM, and then make the Setup Assistant skip items, preset configurations, and business-critical apps into a minimum policy group.

2. Do an MDM connectivity check under the proxy network

  • What to do: Establish an APNs proxy connectivity checklist for the managed network.
  • Why it’s worth doing: The talk explicitly mentions that APNs can communicate through a PAC-specified web proxy, suitable for industry networks that deny outbound traffic by default.
  • How ​​to start: Confirm with the network team how to discover the PAC URL, use configuration data to deliver proxy settings, and then verify that the device can receive MDM commands.

3. Create a configuration strategy layered by identity

  • What: Let different LDAP groups or user roles receive different applications, profiles, and security policies.
  • Why it’s worth it: Apple’s internal process obtains user information through the SSO client and uses LDAP groups and roles to determine management scope.
  • How ​​to start: First select a department for piloting, break down email, VPN, Wi-Fi, FileVault and application installation into reusable policies, and then scope them by group.

4. Make a response script for non-compliant devices

  • What to do: Write an MDM operation script for the four types of situations: loss, theft, resignation, and non-compliance.
  • Why it’s worth doing: The speech lists remote lock, remote wipe, remove configuration data and retain MDM relationship cleanup configurations, corresponding to different risk levels.
  • How ​​to get started: Define trigger conditions, approvers, MDM commands and user communication templates for each type of event and practice on test devices.

5. Make a device-level App distribution baseline

  • What to do: Change business-critical apps to device-level distribution to reduce the impact of user Apple IDs on the deployment process.
  • Why it’s worth doing: The speech explains that VPP and MDM can distribute apps directly to devices, which is suitable for large-scale deployment and sharing of devices.
  • How ​​to get started: Purchase or distribute apps in Apple Business Manager, separate required and self-service installations into two groups, and enable macOS content caching for large-scale networks.

Comments

GitHub Issues · utterances