What’s new in managing Apple devices with iOS 17 and macOS Sonoma?

Apple@Work brings you Kolide, a device trust solution that ensures that if a device isn’t secure, it can’t access your cloud apps. If you have Okta, Kolide can help you bring your fleet to 100% compliance. They are Zero Trust for Okta. Learn more or request a demo today.

The Apple Worldwide Developers Conference 2023 is behind us, and now we’re turning our attention to a summer of beta testing, preparation, and more. I’ll be detailing many of these announcements in the coming weeks, but I want to cover the high-level updates that Apple IT admins need to know for macOS Sonoma, tvOS 17, iOS 17, watchOS 10 (yes, Apple Watch now supports MDM) and iPadOS 17.

About Apple@Work: Bradley Chambers managed the corporate IT network from 2009 to 2021. Through his experience deploying and managing firewalls, switches, MDM, enterprise-grade Wi-Fi, hundreds of Macs, and hundreds of iPads, Bradley highlights how Apple IT managers deploy Apple devices, build networks to support them, and train users, stories from the IT management trenches, and ways Apple can improve its products for IT departments.

Registering devices based on an account

Account-based device enrollment is a streamlined way to enroll company-owned iPhone, iPad, and Mac devices for management using users’ work accounts. This approach keeps a clear separation between work and personal content during enrollment. It also has the added benefit of enabling Device Control on macOS. With account-based device enrollment, managing devices becomes more efficient and better tailored to the needs of both users and organizations.

watchOS gets device management support

When an Apple Watch is paired with a supervised iPhone, organizations can enroll and manage it with a mobile device management (MDM) solution. This extension of the MDM protocol opens up many possibilities for customized solutions that increase productivity, promote wellness at work, and enhance employee safety (e.g., in noisy warehouses). The enrollment process relies on declarative setup on the iPhone, which unlocks the use of configuration profiles, application management, MDM commands, and declarations on the watch.

Configuration Assistant Forced Actions

Automated device enrollment offers a way for organizations to ensure that their specific requirements are met before devices are deployed into production. These enhancements let organizations specify a minimum OS version as a prerequisite for device enrollment, which helps with compliance requirements such as SOC 2; FileVault enablement can also be enforced in the same way. In addition, organizations may require users to enroll their Macs in a management system when a device is added to Apple School Manager or Apple Business Manager.

Managed Apple ID Updates

This fall, Apple will also introduce some updates to managed Apple IDs, along with additional iCloud and Continuity services. These updates include support for iCloud Keychain and Apple Wallet. Apple will allow organizations to restrict access to certain services and to determine what management state a device should be in when a user signs in with a managed Apple ID. Here is some information that Apple has shared about the updates:

Continuity: Users can use AirPlay for Mac, Auto Unlock, Continuity Camera, Continuity Markup & Sketch, Handover, Instant Hotspot, iPhone Cellular Calls, Sidecar, SMS, Universal Clipboard, and Universal Management.

iCloud Keychain: Users can securely store and access their credentials (including passkeys) on all approved devices.

Apple Wallet: Users can add cards and passes to Apple Wallet, including the ability to use Apple Pay.

Developer Account: If enabled, managed Apple IDs created in Apple School Manager can participate in the Apple Developer Program.

Work passkeys in iCloud Keychain

Apple is adding passkey support to iCloud Keychain for managed Apple IDs, with access controlled by the organization. This will allow organizations to deploy and enable passwordless authentication for internal services using passkeys.

Support for custom identity provider for federation

To let more companies create managed Apple IDs automatically, federation is supported with public and internal identity providers that implement OpenID Connect, SCIM, and the OpenID Shared Signals and Events Framework.

SSO platform updates for macOS

With the single sign-on enhancements on the Apple platform, developers can extend their single sign-on extension to create local user accounts on a shared Mac using credentials from the company’s IdP. In addition, the permissions and group membership of these users can be managed using device management tools.

Updates to Declarative Device Control

Software update management is now part of declarative device management and provides new options for when and how updates are performed, including enhanced end-user notifications. To ease the transition, an MDM solution can migrate an already deployed configuration profile into a legacy configuration declaration without redeploying it, avoiding the disruption a redeployment could cause.
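To make the minimum-OS prerequisite from the enrollment section and the declarative software update enforcement described here concrete, the following Python script is an added example written for this article; it is not code from Apple or from any MDM vendor. It assumes the declaration type `com.apple.configuration.softwareupdate.enforcement.specific` with the payload keys `TargetOSVersion`, `TargetLocalDateTime` and `DetailsURL` (check Apple’s current Declarative Device Management reference before relying on them), and the inventory records, serials and URL are constructed sample data. It builds the declaration an MDM server would hand to devices and evaluates which devices in an inventory still fall below the required version, comparing versions numerically rather than as strings.

```python
import hashlib
import json
import uuid
from datetime import datetime

# Assumed DDM declaration type for specific software update enforcement
# (iOS 17 / macOS Sonoma); verify against Apple's current documentation.
DECLARATION_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"

# Constructed inventory sample: (serial, installed OS version). Serials are fake.
SAMPLE_INVENTORY = [
    ("C02-EXAMPLE-0001", "14.0"),
    ("C02-EXAMPLE-0002", "14.1.1"),
    ("C02-EXAMPLE-0003", "13.6.1"),
    ("C02-EXAMPLE-0004", "14.2"),
]


def parse_version(version: str) -> tuple:
    """Split '14.1.1' into (14, 1, 1) so each component compares numerically.

    Comparing raw strings would wrongly rank '14.10' below '14.2'."""
    return tuple(int(part) for part in version.strip().split("."))


def meets_minimum(installed: str, minimum: str) -> bool:
    """True when the installed version is at or above the required minimum."""
    return parse_version(installed) >= parse_version(minimum)


def evaluate_fleet(inventory, minimum: str):
    """Return the (serial, version) records that still fall below the minimum,
    preserving inventory order so reports are stable between runs."""
    return [(serial, ver) for serial, ver in inventory if not meets_minimum(ver, minimum)]


def build_enforcement_declaration(target_version: str, deadline_local: datetime,
                                  details_url: str, identifier: str = "") -> dict:
    """Assemble the declaration an MDM server would send to enforce an update.

    ServerToken is derived from the payload so that any change to the target
    version or deadline yields a new token and devices re-apply the declaration."""
    payload = {
        "TargetOSVersion": target_version,
        # Local wall-clock deadline without a timezone suffix, as the key name implies
        "TargetLocalDateTime": deadline_local.strftime("%Y-%m-%dT%H:%M:%S"),
        "DetailsURL": details_url,
    }
    token = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()[:16]
    return {
        "Type": DECLARATION_TYPE,
        "Identifier": identifier or str(uuid.uuid4()),
        "ServerToken": token,
        "Payload": payload,
    }


if __name__ == "__main__":
    # Constructed example: require macOS 14.1 by 1 November 2023, 09:00 local time.
    decl = build_enforcement_declaration("14.1", datetime(2023, 11, 1, 9, 0),
                                         "https://intranet.example/why-update")
    print(json.dumps(decl, indent=2))
    for serial, ver in evaluate_fleet(SAMPLE_INVENTORY, "14.1"):
        print(f"{serial}: {ver} is below 14.1, enforcement applies")
```

The same `meets_minimum` check is what an enrollment gate would run against the minimum OS version set in Apple Business Manager or Apple School Manager; the declaration builder shows why a stable `Identifier` paired with a content-derived `ServerToken` matters, since the device only re-evaluates a declaration when the token changes.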

Managed device attestation for macOS

Managed device attestation is now available on macOS and provides a strong, hardware-backed guarantee about the identity and security properties of the device being attested.

Support for 802.1X over Ethernet for iPhone, iPad and Apple TV

iPhone, iPad, and Apple TV now support 802.1X over Ethernet to connect to restricted networks that require authentication. While I don’t think this will be incredibly popular on the iPad and iPhone, it’s a much needed feature on the Apple TV.

Private 5G and LTE networks

With iOS/iPadOS 17, iPads and iPhones now support private 5G and LTE networks. IT administrators can automatically activate a private network when an iPhone enters a geofence and allow devices to prioritize private cellular over Wi-Fi.


These are some of the key updates for IT and security professionals with the new versions of iOS 17, iPadOS 17, tvOS 17, macOS Sonoma, and watchOS 10. I’ll cover them in more detail in the coming weeks.
