Jamf Blog
September 15, 2022 by Sean Smith

What OS 16 Brings for Commercial Organizations

Apple's iOS 16 is out and iPadOS 16 is on the way. Learn what these new operating systems mean for commercial organizations.

Apple announced its new iOS 16 and tvOS 16 operating systems earlier this week, and Jamf is excited to bring you same-day compatibility support for the 11th consecutive year. Read more about same-day compatibility in this release blog.

As Apple continues to evolve how employees work, Jamf is evolving how we enable organizations to succeed with their new operating systems. For Jamf, same-day support means delivering compatibility for Apple’s releases on the day they are available to you to help customers adopt Apple’s most critical workflows and extend the power of Apple-specific technology.

Commercial organizations are always looking for ways to improve management processes, increase security protocols, and enhance the end user experience. With the release of iOS 16 and tvOS 16 today, and the anticipated release of iPadOS 16 later this fall, Apple has once again helped organizations do exactly that. This blog will highlight key features and how they may impact you and your organization. Jamf has been reviewing the below features and will be making exciting announcements soon on how we plan to support each workflow to benefit our customers.

Managed Device Attestation

Users need to access all types of information on their devices — apps, email and websites. Historically, an organization might use a network perimeter, like a VPN or a firewall, to protect those resources. But with the changing device landscape, and more and more resources in the cloud, the security needs around how a device proves it is valid have changed. Enter Managed Device Attestation.

Managed Device Attestation proves the device’s identity. It makes sure that only genuine devices are able to connect to an organization's servers and access resources, by ensuring that the iOS/iPadOS identifiers (UDID and serial number) are authentic and haven’t been altered or spoofed by an attacker.

By enhancing the DeviceInformation MDM command and adding support for the Automated Certificate Management Environment (ACME) protocol, Apple strengthens the security of managed devices through attestations. The DeviceInformation attestation lets an MDM server know that a device exists and has certain properties. The ACME attestation goes further and identifies the device: the ACME server issues a new client certificate to the attested device, and all of your organization’s servers already trust certificates from that issuer.
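To make the security point concrete, here is an added example (not Apple's or Jamf's code) of the three checks an MDM server's verifier has to perform on an attestation: that it was signed by the trusted attester, that it is fresh and not replayed, and that the attested identifiers match what the device claimed about itself. It assumes a hypothetical dict-shaped attestation and uses HMAC under a constructed key as a stand-in for Apple's certificate-chain signature.

```python
"""Simplified model of the checks an MDM server performs when it receives a
device attestation. Added illustration, not Apple's or Jamf's code. The
attestation here is a hypothetical dict (serial, udid, nonce) signed with
HMAC under a constructed key; the real mechanism is an X.509 chain that the
server validates up to Apple's attestation root."""
import hashlib
import hmac
import json
import secrets
import time

ATTESTER_KEY = b"constructed-attester-key"  # stand-in for Apple's signing key
NONCE_TTL = 300  # seconds a server-issued nonce stays valid


def _mac(body: dict) -> str:
    return hmac.new(ATTESTER_KEY, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def sign_attestation(body: dict) -> dict:
    """Constructed attester: only Apple's hardware-backed path can do this for real."""
    return {"body": body, "sig": _mac(body)}


class AttestationVerifier:
    def __init__(self):
        self._pending = {}  # nonce -> time issued; each nonce is single-use

    def issue_nonce(self, now=None) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, self_reported: dict, attestation: dict, now=None):
        """Return (accepted, reason) for a device that self-reported serial/udid."""
        body, sig = attestation["body"], attestation["sig"]
        # 1. Authenticity: the statement must be signed by the trusted attester.
        if not hmac.compare_digest(_mac(body), sig):
            return False, "bad signature"
        # 2. Freshness: the nonce must be one we issued, unexpired and unused,
        #    so a captured attestation cannot be replayed later.
        issued = self._pending.pop(body.get("nonce"), None)
        if issued is None:
            return False, "unknown or replayed nonce"
        if (time.time() if now is None else now) - issued > NONCE_TTL:
            return False, "nonce expired"
        # 3. Binding: the attested identifiers must equal what the device
        #    claimed about itself; a mismatch means the claim was altered.
        for key in ("serial", "udid"):
            if body.get(key) != self_reported.get(key):
                return False, f"{key} mismatch"
        return True, "ok"
```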

This update impacts enterprise organizations across their security, identity and management ecosystems, progressing the way organizations keep devices secure and trust them to access corporate information.

Enrollment Single Sign On

User enrollment has seen exciting improvements over the last few years, including the introduction of extensible Single Sign-on in iOS 13 and Account Driven User Enrollment in iOS 15 and iPadOS 15. This year, with the advent of iOS 16, and soon iPadOS 16, Apple continues to improve both the user experience and security of enrolling devices into MDM with Enrollment Single Sign-on (SSO).

This method, for personally owned devices – also known as Bring Your Own Device (BYOD) – allows users to access company resources with a single authentication, using their Managed Apple ID and cloud identity provider credentials. What is needed for Enrollment SSO to work? An app that supports Enrollment SSO; a Managed Apple ID created in Apple Business Manager (ABM) or Apple School Manager (ASM); an MDM that is federated with a cloud identity provider; and your MDM server configured to validate the end user by returning app information.

Let’s break down how a user would sign in and use Enrollment SSO:

  1. The user goes to the Settings app and enters their Managed Apple ID.
  2. They then download an app that is compatible with Enrollment SSO from the App Store; this app contains the Enrollment Single Sign-on extension.
  3. The user signs in to the app.
  4. The app then signs the user in and takes them through the enrollment flow, so they never have to sign in again.

Important note: Enrollment SSO will not be available at the initial launch of iOS 16 but will arrive in a later update, and it requires a cloud identity provider that supports the Enrollment SSO workflow.

Rapid Security Response

Another exciting security improvement for the enterprise, Rapid Security Response, brings security updates to devices and users faster than we have seen in the past. How? Because Rapid Security Response does not need to comply with the software update delay mechanism. A response is then included in the next minor update (iOS 16.1, for example). On top of that, any update delivered by Rapid Security Response will not modify the firmware of the device or require the device to reboot.

This will bring peace of mind to Security and IT teams, who can be confident that important security updates are reaching users faster, thus tightening security across their organization.

Declarative Device Management

The next feature to highlight moves MDM from its historically reactive management approach to a proactive one. It’s called Declarative Device Management, and it allows devices to act proactively within the confines of the policies defined by their management server. A device detects its own state changes and takes action based on defined criteria, rather than waiting to hear back from the management server.

Initially previewed at WWDC 2021 for iOS and iPadOS, Declarative Device Management will revise device management for stakeholders across enterprise organizations. It supports modern, complex management strategies; enhances the overall user experience when using managed devices; relieves IT Administrators of performing tedious tasks; and, finally, permits devices to be the operator in their own management state. This new functionality, reintroduced at WWDC 2022, will initially support iOS and iPadOS devices enrolled through user enrollment.

Remote Authentication

The enhancements to Remote Authentication remove the need for Shared iPads to authenticate remotely every seven days. With iPadOS 16, existing users of a shared device only need local verification to get access. If an IT admin wants to continue to enforce remote authentication, they can still set the number of days via the OnlineAuthenticationGracePeriod key.

Passkeys

In yet another exciting security update, passwords are becoming a thing of the past with passkeys. Passkeys are an authentication technology that helps solve security issues like weak passwords and phishing. When a user signs in to an app, they can add a passkey to that app’s account. Once added, the user's device holds a new, cryptographically strong key for that account, which is stored in the iCloud Keychain. This means the passkey will sync across all of the user's devices running iOS 16. Passkeys are an exciting addition to device and patch management tools, endpoint protection and web filtering technologies, which work together in a layered approach to protect sensitive business data.

Apple releases are always an exciting time for Apple IT and Security Admins. At Jamf, we look forward to exploring how we can support these new features and help our customers integrate them in their device ecosystem.
