
WWDC 2024: What Apple Admins Need to Know

Kandji Team

WWDC 2024 has concluded, so we now have the road map to new features coming to Apple's software platforms for the rest of 2024. While much of the show coverage focused on Apple’s efforts to make AI user-friendly, there were plenty of other announcements that Apple IT admins need to know about. Here are our picks of the most important.

Activation Lock

Activation Lock is one of Apple’s main theft deterrents: When a device is marked lost—whether by a user with Find My or iCloud.com, or by an admin via MDM—Apple requires a password or key before the device can be used again.

However, a problem arises when a user passes on a device without turning Activation Lock off or if MDM fails to remove it. The device can’t be activated (even if it’s been erased), and the user that it’s been reassigned to can’t use it, until that lock is lifted. 

Currently, such lifts require help from Apple support and proof of purchase. But admins can now turn off Activation Lock for organization-owned Mac, iPhone, iPad, Apple Watch, and Apple Vision Pro devices using Apple Business Manager (or Apple School Manager).

The really nice part: Apple Business Manager can remove both user-based and device-based locks. On Mac, this works even if the user turned Activation Lock on using a personal Apple Account before the computer was enrolled in MDM.

Automated Device Enrollment for Vision Pro

Apple is continuing its efforts to make the Apple Vision Pro enterprise-friendly. The newest evidence: Apple Vision Pro can enroll automatically in MDM via Automated Device Enrollment through Apple Business Manager, just like Mac, iPhone, iPad, and Apple TV. visionOS 2.0 will also inherit many of the MDM capabilities that are already available on iOS and iPadOS.

Safari Extensions Management

An organization might want specific Safari browser extensions installed and turned on to provide access to internal services. Alternatively, it might want to prevent users from using certain extensions.

In macOS Sequoia and iOS/iPadOS 18, admins will be able to manage Safari extensions on supervised devices via MDM. That means they could:

  • Define which extensions are allowed;
  • Control which extensions are always on or always off; and
  • Configure an extension to access websites by specific domains and subdomains.

Such management will work for both standard and private browsing; in typical Apple privacy-preserving fashion, users will be informed if extensions have been turned on by their organization.
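The three controls listed above can be written as a declarative configuration and reviewed before it ships. This is an added example, not code from the article, Kandji, or Apple: the declaration type and the key names (`ManagedExtensions`, `State`, `PrivateBrowsing`, `AllowedDomains`) are assumptions based on Apple's published device-management schema and should be checked against current documentation, and the extension identifier, team ID, token, and domains are constructed.

```python
import json

# Assumed key names from Apple's declarative schema (not from the article);
# every identifier, token and domain below is constructed sample data.
DECL_TYPE = "com.apple.configuration.safari.extensions.settings"
STATES = {"Allowed", "AlwaysOn", "AlwaysOff"}

def build_declaration(managed):
    """Wrap a ManagedExtensions mapping in a DDM configuration envelope."""
    return {
        "Type": DECL_TYPE,
        "Identifier": "example.safari-extensions",  # constructed
        "ServerToken": "constructed-token-1",       # constructed
        "Payload": {"ManagedExtensions": managed},
    }

def audit(declaration):
    """Return review findings covering allow-listing, forced state and domain scope."""
    managed = declaration["Payload"]["ManagedExtensions"]
    findings = []
    # Without a wildcard default, extensions not named here stay user-controlled.
    if managed.get("*", {}).get("State") != "AlwaysOff":
        findings.append("*: no default AlwaysOff, unlisted extensions stay user-controlled")
    for ext, rule in managed.items():
        for key in ("State", "PrivateBrowsing"):
            if key in rule and rule[key] not in STATES:
                findings.append(f"{ext}: invalid {key} {rule[key]!r}")
        # A forced-on extension with no domain list is not scoped to internal sites.
        if rule.get("State") == "AlwaysOn" and not rule.get("AllowedDomains"):
            findings.append(f"{ext}: forced on with no AllowedDomains scope")
        # Blocking only standard browsing leaves private windows as a gap.
        if rule.get("State") == "AlwaysOff" and rule.get("PrivateBrowsing") in ("Allowed", "AlwaysOn"):
            findings.append(f"{ext}: off in standard but not in private browsing")
    return findings

WEAK = build_declaration({
    "com.example.sso.extension (ABCDE12345)": {"State": "AlwaysOn"},
})
HARDENED = build_declaration({
    "*": {"State": "AlwaysOff", "PrivateBrowsing": "AlwaysOff"},
    "com.example.sso.extension (ABCDE12345)": {
        "State": "AlwaysOn",
        "PrivateBrowsing": "AlwaysOn",
        "AllowedDomains": ["intranet.example.com", "*.sso.example.com"],
    },
})

if __name__ == "__main__":
    print(json.dumps(HARDENED, indent=2))
    for finding in audit(WEAK):
        print("WEAK:", finding)
```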

Although many organizations today standardize on Google Chrome, moves like this from Apple make it more feasible for IT and security organizations to adopt Safari as a preferred browser.

Background Task Management

With macOS Sequoia, admins will be able to install executables, scripts, and launchd configuration files via MDM, and those files will be stored in a secure and tamper-resistant location. This is similar to the tools Apple provided in macOS Sonoma for service configuration files. It’s an easy way for organizations to deploy and control managed services. We think it’s going to be especially useful for organizations to deploy tools for developers in a secure way.

Managed Apple Accounts

Apple is taking two steps to make Managed Apple IDs—now known as Managed Apple Accounts—more useful in the enterprise.

First, admins can now mandate that only Managed Apple Accounts can be created on their domains. They can do that without turning on federation with an identity provider; they just need to verify their domain.

Organizations can also “capture” personal Apple Accounts that use their domain, without needing to connect to an IdP. Users who have Apple Accounts that were originally created on the company’s domain will have the option of relinquishing control of the account back to the organization or converting it to an organizational one.

Both steps further reduce the friction for organizations that have not yet adopted Managed Apple Accounts. That’s important for the adoption of passkeys by organizations, because users can’t share passkeys that are stored in the iCloud keychain of a Managed Apple Account. 

Managing Locked and Hidden Apps

In iOS/iPadOS 18, users will be able to hide apps from the Home Screen or require authentication (with Face ID, Touch ID, or a passcode) before opening them. (Hiding an app will also lock it.) Fortunately, admins will have some tools to manage that hiding and locking.

That will include preventing the hiding and locking of apps on supervised devices. It will also mean the ability to control these features for managed apps on a per-app basis. 

Software Updates via DDM

Apple is continuing to migrate MDM functionality to its more modern declarative device management (DDM) framework. Next up for DDM: Software update settings for Mac, iPhone, and iPad. This fall, declarative management will replace MDM profiles for software update restrictions, settings, commands, and queries. There won’t be any net new functionality; your MDM solution will have to implement the change under the hood. But moving software updates to DDM should, in theory, make those updates more resilient and reliable.

Beta Testing OSes

Another change that will be coming, thanks to DDM, is better management of beta testing programs for new Apple operating systems.

Enrolling users in such programs has previously required a lot of manual intervention by admins. DDM should reduce that friction, allowing IT teams to: 

  • Remotely enroll devices into multiple beta programs;
  • Implement phased rollouts;
  • Control the versions of beta software that are installed on supervised devices;
  • Provide better visibility into what’s installed on managed devices; and
  • Add devices to a beta program using an organization token (meaning users won’t need to sign in with an Apple Account).

Like other DDM improvements announced at WWDC, an MDM solution needs to incorporate those changes for you to take advantage of the improvements.

There were plenty of other announcements at WWDC, which we’ll be sifting through and mulling over in the weeks ahead. Stay tuned!
