On September 12th, Apple released iOS 16, which will be followed by the iPadOS 16 and macOS 13 Ventura releases in October. We’ve been working hard to ensure that Microsoft Intune is prepared to provide Day zero support for Apple’s latest operating systems (OS) so that all existing Intune features that are currently available for managing Apple devices will continue to work seamlessly as users upgrade their devices. We’ll continue to upgrade our service and release new features that integrate elements of support for the new OS versions.
Declarative Device Management (DDM)
With Intune’s 2208 service release, we announced support for DDM for User Enrolled devices running iOS/iPadOS 15 and higher.
We will be releasing DDM support for all enrollment options, including on iPadOS 16+ and macOS 13+ devices as Apple releases support for these new OSes. Intune enrolled devices will automatically use the new DDM protocol when being targeted with a new policy, allowing for more reliable and efficient device check-ins. Note that this will not impact the current experience, and devices that don’t meet the DDM requirements will continue to use the standard mobile device management (MDM) protocol.
Troubleshooting tip: DDM is automatically enabled when creating policies with the settings catalog for User Enrolled devices running iOS/iPadOS 15+. If you come across issues while configuring policies, the device configuration “Templates” can be used as a workaround. In some cases, un-targeting and retargeting devices may also help.
User Enrollment and Enrollment SSO
We’ve been working on providing full support for Apple’s Account-Driven User Enrollment flow and Enrollment SSO. This will bring us to our vision of requiring a user to perform only one authentication on a device to become fully enrolled. A public preview for the new Account-Driven User Enrollment flow and Enrollment SSO will be released after we roll out our Just-In-Time Registration. Keep an eye out on Intune’s What’s new and In development documentation for updates.
Device configuration and settings
We’ve added Day Zero support for Apple’s new skip keys for Automated Device Enrollment for devices running iOS/iPadOS 16 and higher and macOS 13 and higher. These settings are critical for our customers to be able to customize their users’ onboarding flows and properly configure their devices. Support will become available on each platform as the OS versions release.
The TermsOfAddress setting in all Automated Device Enrollment profiles will allow admins to hide or show the Setup Assistant screen that shows the Terms of Address pane.
In addition to Apple’s new skip keys, we’re excited to provide support for the following new Apple settings and features available with the latest OS releases:
Enable XLAT464 can be used to enable or disable XLAT464 on devices. If this setting isn’t specified, then the system default is used.
Privacy Preferences Policy Control
System Policy App Bundles allows specified applications to update or delete other apps.
Allow Universal Control can be used to allow or prevent users from using a single keyboard and mouse between a Mac and an iPad.
Allow UI Configuration Profile Installation requires a supervised device and can be used to allow or prohibit users from installing configuration profiles and certificates interactively.
Allow USB Restricted Mode requires a supervised device and can be used to bypass or require authorization when new USB accessories are connected.
Allow Rapid Security Response Installation can be used to allow or prevent rapid security responses from being installed.
Allow Rapid Security Response Removal can be used to allow or prevent rapid security responses from being removed.
Support for these settings on devices running iOS/iPadOS 16 and higher and macOS 13 and higher will be available following Apple’s OS release in October.
Earlier this year, Apple announced that cellular device related keys in the Device Information response were deprecated and would not be returned in a future version of iOS and iPadOS. These keys were duplicates of those returned in the Service Subscriptions response and we’ve migrated our inventory to use the Service Subscriptions response. In addition to the migrated settings, this response also contains slot-specific information, which we hope to use to improve reporting for situations when multiple SIM cards are available on devices.
Keep us posted on your favorite new feature and as always let us know if you have any additional questions or feedback. You can comment on this post or reach out to us on Twitter by tagging us at @IntuneSuppTeam.