WWDC26: Key takeaways for Apple admins

This year's announcements at WWDC26 carry more operational weight than most. OS 27 offers a structural shift in how Apple devices are configured, secured and managed.

June 11, 2026, by Emma Waite

For Apple admins, the headline is clear: Declarative Device Management (DDM) is no longer a preview of where things are going. It's where things are. And for the first time, identity is getting a declarative home too. Admins will also see meaningful improvements to device visibility, giving them a more real-time picture of their fleet than ever before.

Apple will be releasing their OS 27 public beta next month, with general availability this fall.

Here's what you need to know:

  • Allow/deny binaries: Replace legacy app restriction workflows with native, binary-level control using the Endpoint Security Framework
  • Privacy management: Replaces PPPC so admins can pre-configure app and website permissions and users see one consolidated prompt instead of many
  • Credential management: DNS, VPN, SSO and content filter configs now reference a single declared credential so updating it once means every dependent config follows
  • Package uninstall: Removing a DDM package config now removes the software too, making the full software lifecycle manageable from one place
  • Platform SSO and IdP configuration: Extensible SSO moves to DDM so admins can set a trusted IdP at the device level with support for QR code, push notification and one-time code login
  • Extended status channel: New real-time status signals including Device Await Config provide confirmation that declarations landed on a device before it reaches a user
  • Fleet monitoring: Camera, display, Face ID and baseband health for iOS and iPadOS are now surfaced to admins for the first time

Let’s dive deeper into the releases that were shared.

The declarative shift accelerates

DDM is no longer the future; it’s the standard.

Organizations are already shipping this, and it's in production across fleets around the globe. Apple stressed that if your organization isn't using DDM yet, you're working harder than you need to.

OS 27 continues Apple's systematic migration of legacy MDM workflows to DDM. Managed Migration Assistant, keyboard settings, caching service configuration and VPN profiles have all made the move in this release. The direction is clear and the pace is accelerating.

Admins get native binary-level app control on macOS

Allow/deny binaries are, by Apple's own ranking, the most impactful IT announcement of this release. With this release, admins will be able to define exactly which applications and binaries are permitted to run on a managed device, including command-line tools. If something isn't on the list, the OS stops it from executing. Managed apps are automatically added to the allow list so you're not starting from scratch, and the declaration also replaces the legacy "allowed from" source restriction for apps, covering App Store, known developers, and other sources in a single unified policy.

This is the feature Apple admins have been asking for. App lockdown on macOS used to mean custom scripts, third-party tooling and a lot of maintenance. Now it’s a native declaration that’s defined once, enforced by the OS, with no workarounds required.

App configuration and software removal get an upgrade

Two updates were announced that close gaps that Apple admins have been working around for years.

Declarative app configuration expands to macOS 27 with support for hardware-bound keys and Managed Device Attestation. In practical terms, apps can now receive their settings and credentials from the MDM in a way that's cryptographically tied to the device. As developers adopt this framework, the experience of deploying and configuring software gets significantly simpler and more secure.

Package Uninstall finishes what the package declaration started. Previously, removing a DDM configuration left the software sitting on the device. Now removing the config removes the software too. Deploy it declaratively, remove it declaratively — the full software lifecycle managed from one place.

Permission prompts go from many to one

OS 27 delivers a unified Privacy Management declaration that streamlines the app and web permissions process. Instead of navigating a series of individual permission prompts every time an app requests access to the camera, microphone, Bluetooth, local network or location, users will see a single full-screen dialog where one button applies all settings. Admins will be able to configure the expected permissions in advance, so the experience is clean and deliberate rather than repetitive and disruptive.

This same mechanism will extend to Safari. Admins will be able to set per-site rules for camera and microphone access at once.

Configuration management at scale

Managing credentials across a fleet has always meant touching every configuration that references them whenever something changes. OS 27 fixes that. Credentials are now declared separately and referenced by the configurations that depend on them, which means that admins will only need to update one, and everything follows automatically.

The new declarative credential configurations that will be released: DNS Proxy, DNS Settings, Network Relay, Always-on VPN, IKEv2, IPSec, VPN plugin, web content filter plugin, content caching service, extensible SSO.

Identity gets a declarative home

The Mac login experience gets a modern identity upgrade

Platform SSO moves to DDM in OS 27, and the result is a login experience that reflects how enterprise identity actually works.

The new login UI presents a floating window overlay on the macOS login screen, enabling fully custom authentication flows through a web view. Touch ID can now be required by policy, making biometric authentication a consistent, enforceable standard across the fleet. For organizations that need more flexibility, the new web view supports passwordless and phishing-resistant options including one-time codes, push notifications, and QR code scanning, all available at the login window, screen unlock, and FileVault.

The underlying capability tying this together is an IdP configuration. Admins configure a trusted identity provider at the device level, and the entire login experience inherits it. The device and IdP login happen at once. For employees, it means one set of credentials, one login flow, and no friction between the device and the tools they need to do their work.

Authenticated Guest Mode has been extended to FileVault-protected computers, removing a longstanding barrier for shared and loaner device workflows.

Improvements to fleet visibility

Admins get a real-time view of what's on managed devices, without waiting for a device to check in.

Three features announced in OS 27 address a persistent gap: knowing what's happening on managed devices, in real time, without waiting for a device to check in.

  1. Extended status channel: For the first time, admins get a reliable signal that a device was fully configured during enrollment before it reaches a user. No more assuming setup worked — Device Await Config confirms declarations landed. That confidence matters when you're provisioning at scale.
  2. Fleet monitoring: Hardware health data for iOS and iPadOS devices has always existed — it just lived in a user's Settings app where IT couldn't see it. Now it's surfaced at the fleet level. Catch a broken camera or failing display before a user reports it, not after.
  3. Enhanced logging: Troubleshooting a device used to mean getting the user involved. Now admins can remotely trigger a diagnostic collection and submit it to AppleCare without the user doing a thing.

Apple services

It was announced that Apple Business is now available in more than 200 countries and regions. This is a significant expansion that brings zero-touch deployment, Managed Apple Accounts, and volume app purchasing to organizations that previously had no access.

For IT teams in those markets, this is the starting line. The same zero-touch workflows that enterprise organizations have relied on for years are now accessible globally. Apple also introduced new APIs to automate common device management tasks across blueprints, configurations, users, groups, apps and licenses. It was also noted that volume app subscriptions are coming later this fall, giving organizations the ability to distribute app subscriptions, not just individual apps.

Keynote reflections

In many ways, OS 27 feels like a “Snow Leopard” moment for the platform: less about reinventing the wheel, more about making it even better and more in tune with how people actually use their devices. For IT teams, that kind of release is often more valuable than a headline feature drop because it means the foundation your fleet runs on is getting meaningfully stronger.

And then there's Apple Intelligence. The framing at WWDC26 around applying AI with purpose, grounded in real use cases rather than capability for its own sake, is the right posture for enterprise adoption. Importantly for IT, OS 27 gives admins granular control over Apple Intelligence on managed devices. As app developers take advantage of local models and on-device processing, the governance layer available to admins becomes increasingly important. The on-device model story, where data doesn't leave the device, is the kind of AI architecture enterprise security teams can get comfortable with. That conversation is just getting started.

Getting started with OS 27 beta in Jamf

Apple continues to raise the bar for what admins can expect from a modern device platform: secure by design, identity-aware, and easier to manage at scale. Whether you're supporting knowledge workers or frontline employees, this year’s WWDC announcements offer new ways to simplify, secure and scale your Apple environment.

At Jamf, we’re already working to bring these innovations into your hands, through beta testing, smart implementation guidance, and a platform that helps you go beyond basic management and security.