Apple has released its latest generation of operating systems—macOS Sequoia, iOS and iPadOS 18 and tvOS 18—and Kandji is ready for all of them. Right now, on Day 1 of their release, you can deploy these new OSes to your Apple endpoints and then manage their new features using Kandji.
Available Now
The most obvious indicator of our support for the new operating systems is that you can deploy them using Kandji’s Managed OS Library Items. The new Library Items for macOS Sequoia, iOS 18, and iPadOS 18 will become available throughout the day today.
(Of course, you may not want to deploy them just yet if you haven’t yet confirmed that your current environment is ready for them. Here’s how to do that.)
But our Day 1 support doesn’t stop there.
Restrictions
We’ve also added restrictions for notable new features, including Apple Intelligence: You can disallow Genmoji, Image Playground, personalized handwriting results, Image Wand, and Writing Tools. (Remember that Apple Intelligence is still technically in beta for now.)
Other new restrictions include controls for eSIM outgoing transfers, iPhone mirroring, and remote screen control via FaceTime. You can also force-preserve eSIMs on erase and disallow auto-dimming.
Declarative Device Management
The Managed OS Library Items for iOS and iPadOS 17 (and later) and macOS Sonoma (and later), which use Declarative Device Management (DDM) to let devices proactively and independently manage software updates, now let you specify a Details URL, which can link device users to a URL providing more details about the update process. Upgrades to macOS 15 initiated via Self Service from macOS 14 and later apply a “just in time” DDM declaration to begin the upgrade process.
Our new Disk Management Library Item—which allows admins to define mounting policies for external and network volumes—also relies on DDM for reliability and ease of management. (Note: When it comes to managing external media, Kandji EDR still provides richer controls.)
We’re also using DDM to let Kandji admins manage Safari extensions on iOS and iPadOS, including whether to allow or deny them in normal or Private Browsing modes and to configure the domain(s) they can access.
System Extension Management
We also now allow IT teams to specify whether or not users can turn off MDM-managed system extensions in System Settings, via our System Extension Library Item. Note that all existing system extensions configured in System Extension Library Items have been opted into the choice, so users can’t turn off the managed extensions; Kandji will automatically redeliver the resulting system extension profiles to all Mac computers as they upgrade.
Other Updates
Among the other changes we’ve made to accommodate the new OSes:
- We’ve updated our Home Screen Layout Library Item so it can place the updated Calculator and the new Passwords apps on the Home Screen;
- We’ve added the ability to skip new screens during Automated Device Enrollment, including Apple Intelligence (iOS/iPadOS); Action Button (iOS); Welcome for Mac (macOS); Apple Intelligence; and Wallpaper; and
- You can now control XProtect malware uploads in the Gatekeeper Library Item and disable MAC Address Randomization (macOS) in the Wi-Fi Library Item.
More to Come
But that’s not all. This Wednesday we’ll release the latest version of our web app, which will bring yet more management to Apple’s new operating systems.
Software Updates
The Software Update Library Item is being updated to take advantage of DDM when appropriate for the endpoint. With new or existing Library Items, Kandji will deliver the appropriate settings to the right device families with the right management technique (MDM profile or DDM)—no admin intervention required.
That will bring some new options for iOS/iPadOS, including:
- When both an update and an upgrade are available for the device, you can specify the cadence of when those versions will be recommended in Settings;
- You can configure the settings for Rapid Security Responses (RSRs), so users can (or can’t) remove them;
- You can prevent users from enrolling in Apple beta programs; and
- You can configure whether devices show all software update enforcement notifications or just those that are triggered an hour before the enforcement deadline.
SSO and Kerberos
In addition, there will be new options for configuring Platform SSO (assuming your IdP supports it). You can now require authentication at FileVault unlock (on Mac computers with Apple silicon); the Login Window; or screensaver unlock. Additionally, you can allow Touch ID or Apple Watch to unlock the screensaver. You can also define a grace period for these policies, as well as accounts that will be exempt from using Platform SSO.
For the Kerberos extension built into macOS, you’ll be able to disallow smart cards and passwords; start in smart card mode; and filter identity certificates in that same circumstance.
Cumulatively, these changes mean you’ll be ready to manage your Apple endpoints when they’re ready to upgrade to Apple’s latest OSes.
About Kandji
Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to the way IT, InfoSec, and Apple device users work today and tomorrow.