OS upgrades 2025: enterprise
This blog discusses the major feature and functionality enhancements from Apple’s latest operating system release across all of their platforms.
In June, Apple hosts WWDC, a time for them to show the world what they have been up to and what they will release later in the year. In September (and sometimes October), Apple releases their newest operating systems. This year, that happened on September 15.
This blog focuses on the features and enhancements that Jamf customers, IT admins and security leaders for commercial organizations are most excited about.
Table of contents:
- Apple Business Manager enhancements
- Device management enhancements
- Return to Service: app preservation and Vision Pro inclusion
- Simplified setup for Platform SSO on Mac
- Platform Single Sign-On at setup configuration profiles
- Safari management controls via declarative device management
- App management controls via declarative device management
- Managed software updates for Apple TV and Apple Vision Pro
- Why Jamf makes all the difference
Apple Business Manager enhancements
Apple Business Manager APIs
Apple Business Manager (and Apple School Manager) have historically been accessible only through the web browser. New this year is the Apple Business Manager API, which IT teams use to interact with device inventory data and their MDM. Administrators and site managers can create an API account to get device information or assign devices to a device management vendor.
Why this matters: IT admins can now use these APIs to see lists of device management services in their organization, view device serial numbers assigned to a device management service, assign or unassign devices to a device management service, and more.
Easier MDM migrations
There is a massive update to Apple Business Manager and Apple School Manager, making it easier for organizations to migrate devices between MDMs. Organizations can now migrate organizationally-owned devices between MDMs without requiring a full device wipe and re-enrollment. This is a big, welcome technological shift for the market. With this update, Apple is helping orgs move off legacy tools, consolidate systems or switch providers with less friction.
Why this matters: Easier migrations help organizations move to the cloud, to the products, services and tools that best support their needs. With this update, organizations can confidently migrate to Apple-first vendors that go beyond device management. With the evolving needs of IT and Security teams, managing and securing your Apple devices and platforms goes beyond device management. Organizations need Apple-first tools to support their security posture, like endpoint security and compliance, user access, content filtering and more.
Device management enhancements
This section is inclusive of all Apple’s mobile devices, including iPhone, iPad, Apple TV, Apple Watch and Apple Vision Pro.
Return to Service: app preservation and Vision Pro inclusion
Return to Service is a workflow that instructs a wiped device to automatically reconnect to the Wi-Fi network and re-enroll in MDM. It removes the need for users to go through Setup Assistant screens, like having to select the language, region and Wi-Fi profile. Not having to select a Wi-Fi profile is critical, since a Wi-Fi profile is required to activate the device.
On devices with iOS, iPadOS and visionOS 26 and later, Return to Service can now preserve managed apps. The Return to Service workflow will securely erase user data, but app binaries remain to make the process even faster. On visionOS 26, admins will now be able to issue the Erase Device command with the Return to Service fields for supported devices.
Why this matters: This means that the device — including a shared device — is ready for the next user, while minimizing time and bandwidth requirements to make the transition. Return to Service is heavily used by organizations with shared device workflows, like in retail, education, healthcare and more. In healthcare, nurses use a Shared iPad for rounds. In education, students using a Shared iPad can quickly reset the iPad between students or class use. In retail, multiple employees can use the same iPad or iPhone for various tasks across their shifts. For all of these users, the device can now be returned to service, automatically enrolled in MDM, with managed apps intact — further reducing setup time for shared devices.
Simplified setup for Platform SSO on Mac
Platform Single Sign-On creates secure ways to authenticate users seamlessly across apps and services. Platform Single Sign-On (PSSO) in macOS 26 gets a powerful new feature called “Simplified Setup for Platform SSO.” Prior to this addition, PSSO could only be set up and configured by the user after they have successfully created a local account on their Mac.
Simplified setup for PSSO flips that process on its head: organizations can now set up Platform SSO prior to the device management flow or as a required step in the Setup Assistant on a device enrolling into MDM with Automatic Device Enrollment (ADE). This means that identity setup is now part of the out-of-box experience via MDM and ADE. It’s seamless, secure and OS-native.
Why this matters: Apple is closing gaps in identity. Users get a streamlined experience, being immediately authenticated with the organization’s identity provider (IdP) before getting to the homepage. This also means PSSO, Managed Apple Account and MDM enrollment happen in one workflow. This, in turn, improves security and speeds up onboarding and access to organizational resources.
Note: To fully implement this workflow, IdPs need to support Simplified Setup for Platform SSO for users to authenticate their Mac with their IdP.
Platform Single Sign-On at setup configuration profiles
To keep speaking to the enhancements of Platform SSO, there are also new keys available for IT admins:
-  EnableCreateFirstUserDuringSetup 
-  NewUserAuthenticationMethod 
-  AccessKeyReaderGroupIdentifier 
-  AccessKeyTerminalIdentityUUID 
-  AllowAccessKeyExpressMode 
-  SynchronizeProfilePicture 
-  AllowDeviceIdentifiersInAttestation 
Why this matters: With Platform SSO, a shared Mac deployment can support multiple users by enabling sign-in with credentials from IdPs. For example, Authenticated Guest Mode creates a temporary user after IdP authentication, gives that user simplified SSO extension authentication while logged in, and deletes the account when they log out. This means organizations can support multiple users who work on the same Mac, like healthcare organizations helping nurses, technicians or other staff more easily sign in to a shared Mac in an exam room or common area. Here is the workflow:
-  A user can log in to any shared Mac using their work credentials at the login window. Login requires the device to be able to reach the IdP. 
-  When they log in, macOS uses single sign-on to access apps and websites. 
-  When they log out, macOS erases local data for the account, and the shared Mac is ready for the next user to log in. 
Note: To fully implement this workflow, IdPs need to support Simplified Setup for Platform SSO for users to authenticate their Mac with their IdP.
Safari management controls via declarative device management
On devices with iOS, iPadOS, macOS or visionOS 26, organizations can customize the browsing experience for their users. This is done through the following declarative configurations:
- com.apple.configuration.safari.bookmarks
  - Organizations can preconfigure Safari bookmarks for users.
  - Bookmarks appear in a separate folder.
  - Bookmarks can be organized into subfolders for better structure.
- com.apple.configuration.safari.settings
  - Allows customization of what users see when opening a new tab or window.
  - Options include the default Safari start page, a custom organization-defined homepage, or a Safari extension-defined page.
Why this matters: For many orgs, Safari is the default browser. By further customizing the experience, users can access the most important resources for their job the moment they open a new tab or window. This also allows organizations to ensure consistent security and compliance across managed Apple devices.
App management controls via declarative device management
Mobile
Devices with iOS, iPadOS and visionOS 26 or later can use DDM to define installation and update behavior on a per-app basis. This gives organizations even more control over apps and their management:
-  Organizations can enforce or disable automatic updates of App Store apps, or set them to follow user preferences. 
-  When installing apps from the App Store, they can install them with, and pin them to, a specific version, allowing for a more controlled release management process. 
-  To provide additional transparency about installed apps, the existing status report that provides insights into the app installation and management status now also contains 
-  Organizations can restrict app downloads over cellular networks (iOS and iPadOS only). 
Mac
On devices with macOS Tahoe 26 or later, App Store apps, custom apps and packages can now be deployed using declarative device management. Both apps and packages will be able to be deployed as required or optional. And the status channel will update the server with the installation status. The ManagedAppDistribution framework that allows for MDM developers to create self-service apps will be available for the Mac later this year.
Why this matters: Apple continues its move to the declarative device management protocol. According to Apple’s documentation, declarative device management is also the preferred method for apps supporting PSSO.
Managed software updates for Apple TV and Apple Vision Pro
Managed software updates via DDM is not new. Prior to its introduction in iOS 17 and macOS, devices would need to consistently check in with the MDM to refresh the latest data. Now, with DDM-powered managed software updates, admins can specify the date and time of updates. Devices inform MDM when a change is made, instead of the MDM server constantly checking.
This year, managed software updates via DDM is available for Apple Vision Pro and Apple TV.
Why this matters: Using DDM to update devices is now complete across all of Apple’s platforms. Back in June at WWDC, Apple announced the deprecation of the older software update management using MDM. These older, less proactive workflows will continue to work for the time being. However, Apple announced these workflows will be removed in a future release.
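To make the "specify the date and time" point concrete, here is an added example (not Jamf's or Apple's code) that builds a software update enforcement declaration of the kind a DDM server sends. The type `com.apple.configuration.softwareupdate.enforcement.specific` and its payload keys come from Apple's declarative management schema; the function name, the token derivation, the past-deadline and https checks, and all sample values are assumptions of this example.

```python
import hashlib
import json
import re
import uuid
from datetime import datetime

DECL_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"
VERSION_RE = re.compile(r"^\d+(\.\d+){0,2}$")


def build_update_declaration(target_version, deadline, now, details_url=None):
    """Return a DDM declaration enforcing target_version by a local deadline."""
    if not VERSION_RE.match(target_version):
        raise ValueError(f"not an OS version: {target_version!r}")
    # TargetLocalDateTime is interpreted in the device's own time zone, so an
    # offset-aware value would give a false sense of precision; reject it.
    if deadline.tzinfo is not None:
        raise ValueError("deadline must be a naive (device-local) datetime")
    # Example policy (assumption): treat a past deadline as an operator typo.
    if deadline <= now:
        raise ValueError("deadline is already in the past")
    payload = {
        "TargetOSVersion": target_version,
        "TargetLocalDateTime": deadline.strftime("%Y-%m-%dT%H:%M:%S"),
    }
    if details_url is not None:
        # Example policy (assumption): only link users to https pages.
        if not details_url.startswith("https://"):
            raise ValueError("DetailsURL must use https")
        payload["DetailsURL"] = details_url
    # Assumption: derive ServerToken from the payload so the token changes
    # exactly when the declared content changes.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    token = hashlib.sha256(canonical.encode()).hexdigest()[:32]
    ident = uuid.uuid5(uuid.NAMESPACE_URL, "example.invalid/su/" + target_version)
    return {"Type": DECL_TYPE, "Identifier": str(ident),
            "ServerToken": token, "Payload": payload}


if __name__ == "__main__":
    # Constructed sample values: version, dates and URL are illustrative only.
    decl = build_update_declaration(
        "26.1", datetime(2025, 11, 15, 18, 0), now=datetime(2025, 11, 1, 9, 0),
        details_url="https://it.example.invalid/updates")
    print(json.dumps(decl, indent=2))
```

Because the deadline is device-local, a fleet spread across time zones reaches enforcement at different absolute times, which matters when tracking patch compliance against a fixed cutoff.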
Why Jamf makes all the difference
An Apple operating system release is an exciting (and busy) time for IT and security admins. You have to prioritize, test, re-test, understand the new technologies and update devices in a timely manner. At Jamf, supporting organizations by providing an easy upgrade path, while enabling the most impactful client features, is part of how we help organizations succeed with Apple.
