IBM Security MaaS360


What's Changing With Device Management in iOS 13

By Matt Shaver posted Wed August 28, 2019 02:31 PM

  


The next few months are certain to be some of the most critical in device management since the term ‘MDM’ was widely adopted earlier this decade.  Usually, when we talk about new OS releases within the frame of MDM, we focus on the new features.  With iOS 13, however, it’s also critical to discuss features that will no longer be supported, and changes in behavior to existing features.

DEP Changes

First, the term “DEP” is kind of going away (*though I suspect we’ll be using it as a catch-all for anything enterprise enrollment focused for years to come).  Device Enrollment is a strategy encapsulated by a combination of UEM (provided by MaaS360) and Apple Business Manager (ABM) or Apple School Manager (ASM).  Fundamentally ABM and ASM are the same, though there are some features unique to each environment.

The first item to note is that now all DEP* enrolled devices will be supervised, regardless of whether or not the DEP profile in MaaS360 has the feature enabled.  This is great news and I’ll explain why a little further down.

Second, all devices on a DEP token that are syncing with an EMM (meaning the token is active in the MaaS360 portal and the device’s serial number appears on the token screen that lists the devices on the token) will be forced to enroll.  Devices on profiles that have “Require MDM Enrollment” unchecked will find themselves forced to enroll upon the next factory reset after the iOS 13 upgrade.  If there are VIP devices on tokens that are assigned these profiles, with iOS 13+ they should be removed from any tokens syncing with MDM services.  Given the ability to add devices to DEP with Apple Configurator, it’s even possible to just disown them from the DEP portal entirely to avoid potential missteps (though I understand many companies prefer to have them all present for record keeping purposes).

The next feature centers on the ability to disable pairing iOS devices to a computer for iTunes/Apple Configurator services.  This DEP Profile feature will be deprecated from iOS 13 onwards in favor of the MDM policy feature that has the same impact.  This is a good move because the Profile feature only applied at time of enrollment, whereas the policy feature can be adjusted on the fly.  It will allow for more granular control overall.

Unsupervised Restrictions


The features being deprecated from the unsupervised settings are fairly high impact - if they’re being relied upon.  Apple has given everyone a nice heads up that some of these features were going away, and they’ve done a lot of work to ensure that as many clients as possible can deploy supervised devices.

The options for getting devices supervised are DEP/ABM/ASM and Apple Configurator.  At least one of these should be at the heart of every iOS deployment.  The former are the easiest - there were a lot of limitations early on, especially with regard to regional availability, but those have been (mostly) cleared up.  I have talked to some clients that just flat out refuse to sign up because they are not willing to register for a DUNS number.  I have to be honest, most of the cases I’ve heard against it are pure vanity items (with only occasional legitimate gripes).  Don’t cut off your nose to spite your face; it only makes life harder on MDM admins and end users.

Here are some of the unsupervised features leaving with iOS 13:

  • Allow Installation Of Applications
  • Allow Use of FaceTime
  • Allow Siri
  • Allow Use Of iTunes for Media Download
  • Allow Use of Safari
  • Allow Adding Game Center Friends
  • Allow Documents Sync (iCloud)
  • Allow Explicit Music and Podcasts Purchased from iTunes
  • Allow Multiplayer Gaming


A lot of these features can be blocked via Supervised app compliance (that could remove Safari, for example) and others have equivalent Supervised settings (such as blocking installation of apps).  All devices enrolled via one of the enrollment programs will be supervised with iOS 13 - great news for devices enrolling for the first time, but please note that this doesn't change the status of existing devices.  Going from unsupervised to supervised still requires a factory reset.

The good news for those that have unsupervised devices deployed with these settings today is that an immediate upgrade to iOS 13 will not suddenly result in a change of behavior.  However, if the device becomes unenrolled, is restored from a backup, or undergoes some other action that severs management, those restrictions will no longer be enforced upon re-enrolling.  Because the devices are unsupervised, there really isn’t anything that can be done to prevent updating to 13, or to prevent users from removing the management profile, so the fate of the device is up to whoever holds it, and how knowledgeable they are about device management.
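An added example (not from the original post or from MaaS360): a Python audit of an unsigned .mobileconfig plist that reports which of the restrictions listed above would stop being enforced on an unsupervised device after it re-enrolls on iOS 13. The mapping from the post's feature names to Apple Restrictions payload keys and the sample profile are assumptions constructed for illustration.

```python
import plistlib

# Assumed mapping from the feature names listed above to Apple's Restrictions
# payload keys (com.apple.applicationaccess); the post gives only the labels.
SUPERVISED_ONLY_IN_IOS13 = {
    "allowAppInstallation": "Allow Installation Of Applications",
    "allowVideoConferencing": "Allow Use of FaceTime",
    "allowAssistant": "Allow Siri",
    "allowiTunes": "Allow Use Of iTunes for Media Download",
    "allowSafari": "Allow Use of Safari",
    "allowAddingGameCenterFriends": "Allow Adding Game Center Friends",
    "allowCloudDocumentSync": "Allow Documents Sync (iCloud)",
    "allowExplicitContent": "Allow Explicit Music and Podcasts Purchased from iTunes",
    "allowMultiplayerGaming": "Allow Multiplayer Gaming",
}

def restrictions_at_risk(profile_bytes, supervised):
    """Return labels of restrictions in the profile that an unsupervised
    device will stop enforcing once it re-enrolls on iOS 13."""
    if supervised:
        return []  # supervised devices keep enforcing these settings
    profile = plistlib.loads(profile_bytes)
    at_risk = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the Restrictions payload is relevant here
        for key, label in SUPERVISED_ONLY_IN_IOS13.items():
            # A restriction is active only when the key is explicitly false.
            if payload.get(key) is False:
                at_risk.append(label)
    return at_risk

# Constructed sample profile: blocks Safari and app installs, leaves Siri on.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.applicationaccess",
         "allowSafari": False, "allowAppInstallation": False,
         "allowAssistant": True,
         "allowScreenShot": False},  # not on the post's list, so not flagged
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example"},
    ],
})

if __name__ == "__main__":
    for label in restrictions_at_risk(SAMPLE_PROFILE, supervised=False):
        print("Will lapse after re-enrollment on iOS 13:", label)
```

A signed profile is CMS-wrapped and has to be unwrapped before `plistlib` can parse it.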

We expect iOS 13 to become public very soon, so hopefully preparations are already in place.  If not, no time like the present to get moving!  Check out some of our documentation and webinars on the subject in our Ongoing Product Education page in the Security Learning Academy - https://ibm.biz/learnmaas360




