WWDC Quick Look 💓 By SwiftGGTeam
What's new in managing Apple devices

What's new in managing Apple devices

Watch original video

Highlight

Apple has established Declarative Device Management as the standard for enterprise device management. In macOS 27, iOS 27, and iPadOS 27, new capabilities such as reusable credentials, system health monitoring, unified privacy permission prompts, binary execution controls, and web authentication for sign-in let IT administrators manage entire device fleets with less polling, finer granularity, and more automation.

Core Content

From polling to declarations: a paradigm shift in device management

Traditional device management depends on servers repeatedly sending query commands to devices to confirm state and deliver configuration. The more devices you have, the more server load and latency you create. Declarative management changes that model: IT administrators define “what state the device should be in,” and devices automatically report changes to the server without polling.

(02:43) Apple is clear that declarative management is no longer a future feature on a roadmap. It is in production and running across device fleets around the world. If you manage devices today without using it, your work is heavier than it needs to be.

Apple Business expands broadly

(00:45) Apple Business now covers more than 200 countries and regions. Organizations get zero-touch deployment, Managed Apple Accounts, and built-in device management capabilities.

The accompanying REST APIs have also expanded, with support for creating Blueprints and configurations, modifying users and groups, querying app license information, and retrieving audit events. Together with existing APIs for device inventory management and AppleCare warranty lookup, these form a complete automation chain for management.

(01:53) App Store app subscriptions also gain bulk licensing, so IT administrators can assign app subscriptions to employees through device management services just like they distribute regular apps.

Credential management: update once, apply everywhere

(05:19) Configuration profiles have an old problem when they reference credentials: multiple profiles may contain the same certificate or password, and updating it requires replacing each profile individually. Declarative management’s many-to-many relationship model solves this pain point.

Now multiple configurations can reference the same declarative credential asset. When a credential needs to be refreshed, the server only modifies that asset once, and the device automatically updates every configuration that references it. This greatly simplifies certificate rotation and identity lifecycle management.

(06:00) New declarative configurations use declarative assets consistently whenever they need credentials, whether those credentials are certificates, identities, or passwords.

Status channel: from passive queries to active pushes

(06:11) The declarative status channel lets devices proactively push updates to the server when state changes, eliminating the need for polling. This update adds several new status items:

  • Enrollment type
  • Awaiting device configuration state
  • Return to service state
  • Shared iPad state
  • The device’s current push token
  • Whether the user has enabled Lockdown Mode

(06:48) iOS and iPadOS 27 also add device system health status items, covering hardware components such as baseband, camera, Face ID, and Touch ID. IT administrators can see a fleet-wide health overview in a dashboard and take preventive action before issues affect users.

Log collection and Content Caching

(07:24) IT administrators can now start enhanced log collection on organization-owned devices with the new TriggerEnhancedLogCollection command, making it easier for AppleCare to analyze issues. Combined with declarative status, collection progress can be monitored in real time.

(08:12) macOS 27 adds declarative configuration and status items for Content Caching. IT administrators can directly control the caching service on a Mac and monitor its health. Caching servers can also send reports directly to any HTTPS endpoint, making it easier to build more advanced monitoring consoles.

App management: macOS catches up

(09:48) Declarative app configuration from iOS, iPadOS, and visionOS now comes to macOS 27. Enterprise apps can receive secure credential configuration, including support for hardware-bound keys and Managed Device Attestation, to authenticate apps and extensions to enterprise servers.

(10:35) macOS 27 also allows all files and directories installed by a package to be removed when the corresponding declarative package configuration is removed. This avoids leftover files after a configuration is removed.

Privacy permissions: from many dialogs to one unified prompt

(10:59) Apps employees use every day may repeatedly request permissions for the camera, microphone, location, and more. Users who click through quickly can easily choose the wrong settings. iOS, iPadOS, and macOS 27 introduce a unified privacy consent prompt.

On first launch, users see a summary prompt that includes:

  • The organization and app name
  • The reason provided by the IT administrator
  • The default value for each privacy component and the corresponding reason

When the user clicks “Allow,” all default settings take effect at once and no further prompts appear. If they click “Not Now,” the existing behavior remains and each permission is prompted when used. The “Allow” button is highlighted by default, guiding users toward the correct choice.

(12:36) Safari website permissions use the same unified prompt mechanism. IT administrators control these permissions through declarative app.settings and safari.settings configurations.

Binary execution controls

(13:19) Enterprises need to control which apps and binaries can run on Macs to satisfy compliance requirements. macOS 27 adds declarative management settings for controlling binary execution, implemented on top of the Endpoint Security framework.

Rules use code-signing attributes to match binaries, ensuring precise control. You can also choose to automatically allow all managed apps, avoiding the need to add a separate rule for every app. When a binary is denied, its associated processes are terminated.

Platform SSO: more flexible, more secure authentication

(15:06) Platform SSO receives several major upgrades on macOS 27.

Require Touch ID: (15:56) IT administrators can require users to use both a password and Touch ID on organization-owned devices, providing built-in two-factor authentication. This is enforced for sign-in, screen unlock, and FileVault unlock.

Web authentication: (16:55) macOS 27 introduces a WebView-based authentication option. Identity providers can render a secure WebView in the login window and screen unlock interface, running any modern authentication flow, including custom challenge-response sequences, one-time codes, conditional access push notifications, and QR code passwordless sign-in.

The WebView runs in an execution context tightly controlled by the operating system. During QR code scanning, the camera operates entirely in a separate secure system process. The web page receives only the decoded data and never receives the raw camera view or image data.

(18:02) Offline authentication is also supported, ensuring continuity of secure access for devices that are not connected to the network.

Authenticated Guest Mode: (18:43) Users such as nurses and doctors who need to move quickly between shared Macs can now sign in with Authenticated Guest Mode on FileVault-encrypted Macs. Data from the temporary session is automatically cleared after sign-out, while full-disk encryption protects the device’s data. This capability requires no extra configuration and is automatically available on devices where Authenticated Guest Mode is enabled.

(19:54) Shared iPad will also support Authenticated Guest Mode during this update cycle. The iPad starts into a temporary session, and the user signs in with a Managed Apple Account, with support for native authentication and federated identity authentication (SSO). The temporary session shares device capacity with the system and has no hard quota limit. After sign-out, all local data and accounts are automatically cleared.

Classroom adds guided browsing

(20:55) Teachers can use the Classroom app to lock students to one or more specific website tabs, or lock them to a single tab for immediate focus. Teachers can enter URLs directly or use favorites prepared during lesson planning. They can restrict students’ ability to navigate within or outside a website, and can also grant camera and microphone access, which students can choose whether to keep enabled.

Details

Data model for declarative credential management

The core advantage of declarative management is its relationship model. Traditional configuration profiles are one-to-one: one profile contains one credential. The declarative model supports many-to-many relationships:

Configuration A ──┬── Credential asset X ──┬── Configuration B
                  │                        │
                  └── Credential asset Y ──┘

When Credential Asset X is updated, Configuration A and Configuration B both receive the new credential automatically, with no need to push separate updates.

(05:48) The server-side flow for modifying an asset:

  1. Create or update a declarative credential asset, such as a certificate, identity, or password
  2. The device receives the asset change
  3. The device automatically updates all configurations that reference the asset
  4. The device confirms completion to the server through the status channel

Component list for device system health status items

(07:05) System health components reported by iOS and iPadOS 27 include:

  • Baseband
  • Camera
  • Face ID
  • Touch ID
  • Other hardware components

After IT administrators subscribe to these status items, devices automatically push updates when component state changes.

How to configure the unified privacy prompt

IT administrators define privacy permissions through declarative configuration:

  1. Determine which privacy components users need to access, such as camera, microphone, and location
  2. Provide a justification string for each component
  3. Create an app.settings or safari.settings declarative configuration
  4. Specify the app or website and the corresponding list of components

When users first launch the app or visit the website, the system presents a summary prompt. This prompt includes the organization-level reason provided by the IT administrator and the app’s own reason for each component.

Rule matching for binary execution controls

(14:13) Binary execution control rules in macOS 27 match based on code-signing attributes, including:

  • Team identifier
  • Signing identifier
  • Certificate hash
  • Other code-signing attributes

Rules can be set to allow or deny. All processes associated with a denied binary are terminated. You can also enable “automatically allow managed apps” to simplify rule maintenance.

Security architecture of Platform SSO web authentication

(17:10) Key points in the security design of WebView authentication:

  1. The WebView renders in an execution context controlled by the operating system
  2. Identity providers can run any modern authentication flow
  3. During QR code scanning, the camera operates in a separate secure system process
  4. The web page receives only the decoded string data
  5. Raw image data and the camera view are never exposed to web content

This design covers the login window, screen unlock, and FileVault unlock, while also supporting offline authentication.

Key Takeaways

Build an enterprise device health dashboard

What to do: Use the new system health status items and Content Caching status items to build a real-time monitoring panel. Subscribe to the health state of device baseband, camera, Face ID, and Touch ID, combine it with caching server status, and proactively warn before issues affect users.

Why it is worth doing: Device hardware failures often show signs before users file complaints. Detecting a broken camera or abnormal Face ID behavior early lets IT arrange repairs or replacements proactively and reduce work interruptions.

How to start: Subscribe to com.apple.system.health and Content Caching-related declarative status items, then aggregate them in an MDM console or custom dashboard.

Simplify enterprise certificate rotation

What to do: Abstract enterprise root certificates, Wi-Fi certificates, VPN identities, and similar credentials into reusable declarative credential assets shared by multiple configurations.

Why it is worth doing: Traditional configuration profiles contain credentials one-to-one, so profiles must be replaced individually before a certificate expires. Declarative assets only need to be updated once, and every configuration that references them takes effect automatically. Operations work drops from “push one by one to devices” to “change one place and apply globally.”

How to start: Use the credential asset type in declarative management, extract certificates from existing profiles into independent assets, and update configurations to reference assets instead of embedding certificates.

Design seamless sign-in for shared device scenarios

What to do: For shared devices in healthcare, retail, and logistics, build a frictionless temporary session experience based on Platform SSO web authentication and QR code sign-in.

Why it is worth doing: Nurses and doctors need to switch quickly between shared Macs, while traditional sign-in requires entering a password each time. Authenticated Guest Mode lets users sign in by scanning a code or tapping an employee badge, clears data automatically after the session ends, and balances efficiency with security.

How to start: Configure Authenticated Guest Mode plus Platform SSO web authentication, enable automatic sign-in in provisioning options, and integrate the identity provider’s QR code authentication flow.

Develop compliance-driven binary control

What to do: Use binary execution controls in macOS 27 to build app allowlist and denylist systems for enterprises.

Why it is worth doing: Industries such as finance and healthcare have strict compliance requirements for what software can run on devices. Precise matching based on code-signing attributes is more reliable than file paths or process names, preventing attackers from bypassing controls by renaming files.

How to start: Create a declarative app.settings configuration, set Endpoint Security rules, match binaries by team identifier, signing identifier, or certificate hash, and enable “automatically allow managed apps” to simplify maintenance.

Improve classroom management tools for education

What to do: Build companion teacher preparation tools on top of Classroom’s new guided browsing capability.

Why it is worth doing: Teachers can preconfigure website favorites and permission templates, then distribute them to student devices with one tap during class, locking students to specific website tabs. This is far more effective than verbally asking students not to switch pages.

How to start: Integrate Classroom’s guided browsing API, pair it with website bookmark management, and let the teacher app preconfigure URL lists and navigation restrictions for each lesson.

  • What’s new in App Attest — Learn how to securely identify enterprise apps, complementing Managed Device Attestation in declarative app configuration
  • Assessment mode — Device lockdown for exams and assessments, related to Classroom guided browsing in education
  • What’s new in Apple Intelligence — Declarative controls for Apple Intelligence and Siri are directly related to the device management policies in this session
  • What’s new in SwiftData — Enterprise app persistence options that can be used with managed app configuration
  • What’s new in in-app purchase — Bulk licensing for app subscriptions connects to the enterprise subscription distribution covered in this session

Comments

GitHub Issues · utterances