Microsoft Intune Blog
Microsoft simplifies Endpoint Manager enrollment for Apple updates

Andy_Cerat
Jul 19, 2022

Apple hosted the WWDC 2022 conference announcing several updates within the endpoint management space. Microsoft is building on those updates and is committed to providing support in Microsoft Endpoint Manager for iOS 16 and macOS 13 Ventura in the months following these fall releases. This commitment demonstrates our continued efforts to simplify endpoint management for IT administrators across platforms, including Apple devices, to strengthen your company's security posture and improve experiences for everyone in your organization.

Platform single sign-on (SSO) for Mac

We are excited about the introduction of Apple's Platform single sign-on (SSO) for macOS 13, because we believe it will help deliver on our vision for users to only authenticate once on their device.

With this update, the SSO extension will be extended to the macOS login window, allowing users to unlock their Macs with their Microsoft Azure Active Directory (Azure AD) company account credentials. This will automatically keep the device's local account password in sync with the user's company cloud password, creating a more seamless sign-on experience. With Microsoft Endpoint Manager, IT admins will be able to create an MDM configuration profile with the SSO extension payload to configure this highly requested capability, which improves the experience for people using a Mac.

Apple’s Single Sign-on extension keeps a user’s company credentials in sync with the device account information for macOS.*

We know many of our customers have been asking for this functionality, and we are excited to see it arrive on the macOS platform in the fall. The Microsoft Entra and Endpoint Manager teams are working hard in anticipation of this change and will share more details about the expected experience and timeline in the coming months.

The future of bring your own device (BYOD) for iOS/iPadOS

For personal devices – bring your own device (BYOD) enrollment – we are always looking for ways to improve the experience to help secure, manage and get iOS/iPadOS devices up and running as quickly as possible. Over the past year, we have been working to introduce an account-driven user enrollment experience and will soon release a public preview for devices running iOS/iPadOS 15+.

While the functionality and post-enrollment experience of account-driven user enrollment for BYOD will remain the same as in the original experience, the updated flow brings several improvements to the enrollment experience itself. These include displaying the user's managed Apple ID directly in the Settings app and reducing the Management Profile download to a single step that no longer requires users to install the iOS Company Portal app.

iOS Settings showing Apple ID that will be used in Profiles and Device Management.*

Account-driven user enrollment also leverages the new Just-in-Time (JIT) Registration feature, allowing Apple's single sign-on extension functionality to handle Azure AD registration within the Microsoft 365 apps themselves. This ensures that SSO is established across the device and requires only two authentication steps to fully enroll the device with Intune, register it with Azure AD and have it become compliant with policies for Conditional Access.

With Apple's announcement of Enrollment SSO at WWDC22, which is part of the account-driven user enrollment experience, our vision of requiring only a single authentication step on a device is finally realized. Our goal is to ensure devices are secure and compliant under cloud mobile device management (MDM), but in a way that lets the user become productive as fast as possible. Enrollment SSO will help us do that by further improving the enrollment experience on iOS/iPadOS devices. We are enabling IT administrators to configure the SSO extension with an MDM policy before any authentication takes place, so that the single authentication sets up the SSO experience across the device.

MDM protocol: Declarative Device Management for all

Declarative Device Management (DDM) was introduced for User Enrollment on the iOS/iPadOS platform last year; it moves policy management onto the device itself rather than driving it from the server. This year at WWDC22, Apple announced that DDM is coming to all platforms and enrollment types, including macOS and Automated Device Enrollment.

Microsoft is excited to bring DDM to Endpoint Manager because it will improve policy delivery, device compliance, app inventory and much more. Our plan is to build DDM configuration options directly into our Settings Catalog. Starting in August, any configuration in the Settings Catalog for User Enrollment on iOS and iPadOS will use DDM. As we prepare for the fall releases of iOS 16 and macOS 13 Ventura, we plan to expand DDM to more platforms and enrollment types in Endpoint Manager to match Apple's support. These new platforms and enrollment types will use the Settings Catalog in the same way as User Enrollment. One DDM feature we are particularly pleased with is how easily it coexists with the existing MDM protocol: existing MDM configurations can be deployed via the DDM protocol, which allows flexibility during a gradual migration to DDM.

Apple’s plans to support iOS and macOS enrollment methods in iOS 15+ and macOS 13.*

Managed Device Attestation

Managed Device Attestation is a new security feature for managed devices that ensures only verified, certified devices can connect to your company's servers and access your organization's resources. Using the Secure Enclave and cryptographic attestations, Managed Device Attestation enables secure communication with the MDM server. The attestation certificates verify several things about a device, including various device properties, and confirm that the device is genuine Apple hardware. This can help prevent attackers from carrying out malicious activities such as stealing the TLS private key or misrepresenting or masking device properties. Microsoft welcomes Managed Device Attestation given the high demand for stronger security built into the Apple device experience. Even the basic implementation of this update will provide many security improvements immediately, and it also lays a foundation for additional capabilities in the future.

Through Apple's Managed Device Attestation, a device uses the same private key to validate itself with Apple, the ACME server, and the MDM server. The attestation certificate describing this device ensures a device's identity is legitimate.*
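As an illustration of the ACME enrollment described above (an added example, not from the original post or from Microsoft's product configuration), the following profile fragment asks the device to generate its TLS client key inside the Secure Enclave and to attest it to the ACME server. The key names follow Apple's ACMECertificate payload as documented by Apple; the URL, identifiers and the client token are placeholders.

```xml
<!-- Constructed example: ACME certificate payload requesting a hardware-bound, attested key.
     Placeholder values (example.com, identifiers, token) must be replaced per deployment. -->
<dict>
  <key>PayloadType</key>
  <string>com.apple.security.acme</string>
  <key>PayloadIdentifier</key>
  <string>com.example.acme.attested-client-cert</string>   <!-- placeholder -->
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>    <!-- placeholder -->
  <key>PayloadVersion</key>
  <integer>1</integer>

  <key>DirectoryURL</key>
  <string>https://acme.example.com/directory</string>      <!-- placeholder ACME server -->
  <key>ClientIdentifier</key>
  <string>PLACEHOLDER-ONE-TIME-ENROLLMENT-TOKEN</string>   <!-- per-device, single use -->

  <!-- Secure Enclave keys must be elliptic-curve; 256 or 384 are the accepted sizes. -->
  <key>KeyType</key>
  <string>ECSECPrimeRandom</string>
  <key>KeySize</key>
  <integer>384</integer>

  <!-- HardwareBound: the private key is generated in, and never leaves, the Secure Enclave.
       Without it the key is a software key that malware running as the user could export. -->
  <key>HardwareBound</key>
  <true/>

  <!-- Attest: the device sends an Apple-signed attestation alongside the CSR, so the ACME
       server can verify the key is hardware-bound on genuine Apple hardware with the reported
       serial number and OS version before it issues a certificate. Without it the server
       only sees an unauthenticated CSR. -->
  <key>Attest</key>
  <true/>

  <key>Subject</key>
  <array>
    <array><array><string>CN</string><string>PLACEHOLDER-DEVICE-CN</string></array></array>
  </array>
  <key>UsageFlags</key>
  <integer>1</integer>                                    <!-- digitalSignature -->
  <key>ExtendedKeyUsage</key>
  <array><string>1.3.6.1.5.5.7.3.2</string></array>       <!-- TLS client authentication -->
</dict>
```

The defender-side check is on the ACME server: it must actually validate the attestation chain to Apple's attestation root and compare the attested properties against the device record before issuing, otherwise the Attest flag adds nothing.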

For people who love their Apple devices, September always brings anticipation and excitement about the new capabilities in the updated Apple operating systems. Microsoft works closely with Apple, our customers and partners to ensure the updates are simple to manage, strengthen the organization's security posture and deliver the best possible experience on the devices people know and love. As these updates roll out in the coming months, please continue to provide your feedback about the apps and endpoint management capabilities delivered by Microsoft Endpoint Manager.

Learn more

For guidance on support, please see the Support statement for supported versus allowed iOS/iPadOS versions for user-less devices.

Keep up with the latest Microsoft Endpoint Manager announcements and resources. Bookmark the Microsoft Endpoint Manager Blog. Join the conversation on Twitter at @MSIntune and at #EndpointManager on LinkedIn.

* Image source: WWDC22

Updated Jul 25, 2022
Version 2.0