Sponsor
This issue of MacAdmins.news is exclusively brought to you by Mosyle, the only Apple Unified Platform.
Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage & protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
📸 Focus
My WWDC Wishlist
There are a ton of WWDC wish lists and opinions, and yes, I totally lack the self-restraint to add my own. The focus of WWDC is on new features for developers, but for the last few years there have also been sessions dedicated to managing Apple devices.
Managed App Store deployments
At last year's WWDC, Apple demonstrated some features and frameworks for MDM developers to improve the end user experience of installing managed apps from the App Stores. While we are waiting for the various MDM vendors to implement these, there is more work left for Apple.
While Apple has been pushing developers to use subscription pricing and in-app purchases, Apple administrators still have no means to purchase either in volume and deploy them to devices or users. To work around this, developers have to provide a second, unlisted version of the app, which organizations can purchase in Apple Business Manager or Apple School Manager, or (on macOS) provide a version of the app outside the App Store.
In addition, there are entire categories of applications and tools that are still excluded from the Mac App Store. Apple hypocritically ignores some of the rules with Xcode and the Pro apps, which ask for admin privileges to install additional components at first launch.
Given that the regulations in the EU and other places seem to be putting pressure on Apple to open up the platforms and the App Stores in particular, it would be really nice to see Apple compete on the experience of both the end user and developer in the App Store, rather than with draconian rules and fees.
Login window and user identity
Last year brought some new features for the SSO experience on macOS. It has taken until just recently for the identity providers to ship solutions that aren't in beta, and most still have some form of "preview" attached. My wish here is that Apple realizes that while this was a great start, the overall workflow is still quite rough, especially for environments with shared device use. It would also be nice if we could use Platform SSO on iPadOS.
Talking about the login window, last year we got some pretty neat animated wallpapers and screen savers, and with them a login window... well... experience, which broke many existing deployment scenarios and setups. I believe most of the challenges were eventually addressed over the course of the macOS Sonoma updates, but it would be nice if Apple considered these deployment scenarios from the beginning. (Hah! It's a wish list, right?)
Security Benchmarks
Conforming to security benchmarks of varying strictness is a common requirement for organizational deployments. The macOS Security Compliance Project has done amazing work in gathering and documenting many of these requirements for macOS and iOS in a single location and providing profiles and scripts to manage the settings.
As Apple is increasing the functionality and feature set of declarative device management (DDM), they should pay special attention to the common requirements in these benchmarks and ensure there are easy ways to manage, report on, and lock these security settings. Ideally, you shouldn't need custom or generated scripts to ensure a Mac conforms to common security benchmarks.
Background login items
In Ventura, Apple introduced a new way for apps to provide a LaunchAgent, or "background item." With that came a new user-facing notification and interface in the Settings app, much to the chagrin of Mac Admins. After much feedback from the Mac Admins community, and still during the beta phase, Apple provided a means to manage the notifications and to prevent a user from disabling managed background items.
I generally agree with this approach of transparency and notification. It also allows developers to bundle the agent and its configuration plist inside the app bundle, which simplifies deployment and removal. However, the current implementation is incomplete. It provides no means to deploy a service running with system privileges without user interaction, and, as is common with Apple, enabling a "background item" requires user interaction and approval. For managed deployments, Mac Admins can fall back to the traditional approach of installing a LaunchAgent or LaunchDaemon with a package, but that requires scripting and is poorly documented. It would be great if Apple could provide a better streamlined deployment option, not just for user-installed apps, but also for managed deployments.
There were no changes to this in macOS Sonoma, and I am curious how Apple will address LaunchDaemons and privileged helpers here, hopefully in a way that does not break all the existing solutions. Maybe this could open the Mac App Store to a new category of apps and tools that can, through a daemon or privileged helper, affect system-level settings and processes.
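To make the "traditional deployment" concrete, here is an added example (mine, not from this newsletter or from Apple's documentation) of the two pieces a managed LaunchDaemon deployment usually needs: the launchd plist that a package installs into /Library/LaunchDaemons, the postinstall logic that bootstraps it into the system domain, and a configuration profile that keeps the resulting background item from being disabled in Login Items. The label `com.example.agent`, the binary path `/usr/local/bin/example-agent` and the profile identifiers are hypothetical placeholders. The `com.apple.servicemanagement` payload with `Rules` / `RuleType` / `RuleValue` keys is how I understand Apple's ServiceManagementManagedLoginItems payload; verify the key names and accepted `RuleType` values against Apple's Device Management reference before deploying.

```shell
#!/bin/sh
# Added example: managed LaunchDaemon deployment outside SMAppService.
# Hypothetical names; adjust LABEL and DAEMON_BIN for a real agent.
LABEL="com.example.agent"
DAEMON_BIN="/usr/local/bin/example-agent"

# Write the launchd plist into directory $1. In a package this lands in
# /Library/LaunchDaemons; the package (or postinstall) must make it
# root:wheel 0644, otherwise launchd refuses to bootstrap it.
write_daemon_plist() {
  dir="$1"
  cat > "$dir/$LABEL.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$LABEL</string>
  <key>ProgramArguments</key>
  <array><string>$DAEMON_BIN</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
EOF
}

# Postinstall step: (re)bootstrap the daemon into the system domain.
# bootout first so an upgrade picks up the new plist and binary.
# Returns 0 when done or when not on macOS, 2 when not running as root.
bootstrap_daemon() {
  plist="$1"
  if ! command -v launchctl >/dev/null 2>&1; then
    echo "launchctl not found; nothing to bootstrap (not macOS)" >&2
    return 0
  fi
  if [ "$(id -u)" -ne 0 ]; then
    echo "system-domain bootstrap needs root (postinstall runs as root)" >&2
    return 2
  fi
  chown root:wheel "$plist"
  chmod 0644 "$plist"
  launchctl bootout system "$plist" 2>/dev/null || true
  launchctl bootstrap system "$plist"
}

# Profile that marks the item as managed so users cannot toggle it off in
# System Settings > General > Login Items. Identifiers/UUIDs are placeholders.
write_managed_login_items_profile() {
  out="$1"
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.managed-login-items</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Managed Login Items (example)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.servicemanagement</string>
      <key>PayloadIdentifier</key><string>com.example.managed-login-items.sm</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Rules</key>
      <array>
        <dict>
          <key>RuleType</key><string>Label</string>
          <key>RuleValue</key><string>$LABEL</string>
          <key>Comment</key><string>Example agent; managed, not user-disableable</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
EOF
}
```

In practice `write_daemon_plist` runs at build time (the plist goes into the package payload), `bootstrap_daemon /Library/LaunchDaemons/com.example.agent.plist` is the body of the package's postinstall script, and the profile is delivered by MDM before the package installs so the background-item notification never offers the user a way to turn the daemon off.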
Apple Business Manager, Apple School Manager and iCloud
There were a lot of improvements and changes regarding Managed Apple IDs (MAIDs) last year, and many of them tied into Apple Business/School Manager. I do hope that the functionality and usability of MAIDs will be further improved. Maybe we will finally see the option to purchase more iCloud storage through Apple Business Manager as well, a feature that is so far exclusive to Apple Business Essentials and the US. Some aspects of the account-driven device and user enrollment workflows (ADDE and ADUE) should really be integrated with Apple Business/School Manager.
Interesting Times
Over the last few years, Apple has been consistently improving the experience and toolset for managing Apple devices and for using managed Apple devices. There are certainly still some missing features and some that still need improvement, but as long as Apple keeps up that steady pace, it will surely be an interesting "What's new for Managing Apple Devices" session next week!
📰 News and Opinion
Is Microsoft trying to commit suicide? - Charlie's Diary
Well, Apple and Intel and Microsoft were already in there, but evidently they weren't in there enough, so now we're into the silly season with Microsoft's announcement of CoPilot plus Recall, the product nobody wanted.
2023 App Store Transparency Report
(PDF)
Information about our efforts to help keep the App Store a safe and trusted place for users to find apps they love.
⚙️ Apple Updates
Apple Commits to at Least Five Years of iPhone Security Updates
Apple has revealed its commitment to a minimum of five years of iPhone security software updates from the date a device is launched
iPadOS update issued only for iPad 10
Apple has issued another update for iPadOS 17.5.1, but it's a release intended to fix something on the tenth-generation iPad.
🔐 Security and Privacy
CVE-2024-27822: macOS PackageKit Privilege Escalation
local privilege escalation through Apple’s PackageKit.framework when running ZSH-based PKGs
I wrote about this earlier this year but this is a great detailed look at the vulnerability and how Apple fixed it.
Also worth noting that this CVE is not listed in the Security notes for 13.6.7 or 12.7.5
Things the guys who stole my phone have texted me to try to get me to unlock it
I received a series of texts from someone cycling through a number of different strategies for engaging, convincing, tricking or scaring me into unlocking the phone for them.
🔨 Support and Tutorials
Volume ownership and Erase All Contents and Settings on macOS Sonoma
A colleague ran into a problem recently where they tried to run the Erase All Content and Settings (EACAS) function on an Apple Silicon Mac. Instead of erasing the Mac, the following error message was displayed.
Platform SSO for macOS: A Deep Dive into Configuration & Troubleshooting
Now that the initial excitement has cooled down a bit, let's get down to the practical aspects. I've split the guide into three sections: Configuration, Verification & Troubleshooting.
iPhones Pause MagSafe Charging During Continuity Camera
Surely the iPhone would charge when connected to a charger?
Creating Windows Autopilot Virtual Machines on macOS
I imagine there are now more and more people that are using macOS devices but need to test Windows Autopilot in a Virtual Machine
🤖 Scripting and Automation
Touch ID for sudo on macOS
my bash script is usable on current, past and likely future versions of macOS.
zpropheter/Jamf-Log-Grabber
Finds logs and plists related to Jamf management settings, adds Jamf Remote Assist and Protect Logging additions
Getting the macOS selected Region via command line
When you set up your Mac for the first time, Setup Assistant will ask you for your preferred language and region. […] But what if you want to find them in the command-line interface (CLI)?
♻️ Updates and Releases
Assignment Maps: The Revolutionary New Way to Manage Apple Devices
The keys to that mapping model are what we call “conditional blocks,” which contain if/else logic in the form of one or more “assignment nodes”
🎧 Listen
800 arrests, 40 tons of drugs, and one backdoor, or what a phone startup gave the FBI, with Joseph Cox
This is a story about how the FBI got everything it wanted.
WWDC 2024 Predictions, Part 2
Tom, Marcus, and Emily finish off their predictions for next week’s Apple World Wide Developer Conference
WWDC preview
Jason Dettbarn from Addigy about their new compliance tools and a WWDC preview discussion