With WWDC firmly in the rearview mirror, I thought I would highlight the top 5 new enterprise features coming to macOS Sonoma that are great for IT Pros.
5. Managed Apple ID + Account Driven User Enrollment for macOS = BYOD bliss
In macOS Sonoma, Managed Apple IDs can be used in conjunction with Account Driven User Enrollment. This enables the user to enroll into MDM with their Managed Apple ID and get access to organizational resources and apps. Any data created by corporate apps is cryptographically stored within the App Container, separate from non-corporate data. Upon unenrolling or an MDM Wipe command, the apps and their data are removed.
4. Updates to Setup Assistant
Delivering a brand-new device to an employee that is easy to set up is the nirvana most IT Pros strive for. Even so, the employee may not follow instructions, a system or process may fail, or the user may hit some other transient issue that interrupts setup. In Sonoma, Setup Assistant addresses some of these scenarios by gaining the ability to enforce specific actions during Automated Device Enrollment. This includes the ability for an MDM provider to enforce FileVault encryption during Setup Assistant. Sonoma can also require a minimum OS version prior to full enrollment into MDM. If the device does not meet the OS requirement, the user is entered into an upgrade or update path before enrollment completes. Lastly, Automated Device Enrollment will now restart Setup Assistant if the user managed to get around it. This ensures organizational devices become managed, whereas in the past the user could simply dismiss the push notification.
3. Declarative Device Management
Declarative Device Management was announced at WWDC 2021 and is coming to Sonoma. For an overview of Declarative Device Management, check out the WWDC 2021 session "Meet Declarative Device Management". Something really exciting about declarative device management is the ability to manage core UNIX system functionality. In Sonoma, an MDM provider can leverage the com.apple.configuration.services.configuration-files configuration declaration to manage ssh, Apache httpd, sudo, PAM, CUPS, bash and zsh. The MDM provider creates a configuration "package", signs it, and the client downloads the configuration into a secure, tamper-resistant container and then applies the configuration the IT admin set. And boom…managed UNIX functionality via Declarative Device Management.
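As an added example (not code from the original post or from Apple), here is a small Python sketch of the two declarations an MDM server would pair up to push a managed sshd drop-in file: a data asset carrying the zipped config files and a configuration-files declaration binding it to a service. The Type, ServiceType and DataAssetReference keys follow Apple's schema; the Reference sub-keys, the hex SHA-256 hash, the sshd_config.d drop-in path and the com.example identifiers are assumptions, and envelope fields such as ServerToken are left out.

```python
import hashlib
import io
import zipfile

# Constructed sshd drop-in file; macOS places it in the service's drop-in directory
# (assumed to be sshd_config.d for com.apple.sshd), so it hardens the listener without
# touching the stock sshd_config.
SSHD_CONFIG = b"PasswordAuthentication no\nKbdInteractiveAuthentication no\nPermitRootLogin no\n"

def build_config_zip(files):
    """Pack {filename: bytes} into the zip archive a data asset declaration points at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def data_asset_declaration(identifier, data_url, blob):
    """com.apple.asset.data declaration. Size and Hash (assumed hex SHA-256) let the
    client reject an archive that was altered between the MDM server and the Mac."""
    return {
        "Type": "com.apple.asset.data",
        "Identifier": identifier,
        "Payload": {
            "Reference": {
                "DataURL": data_url,
                "ContentType": "application/zip",
                "Size": len(blob),
                "Hash": hashlib.sha256(blob).hexdigest(),
            }
        },
    }

def service_config_declaration(identifier, service_type, asset_identifier):
    """com.apple.configuration.services.configuration-files declaration binding one
    UNIX service (e.g. com.apple.sshd, com.apple.sudo) to the asset holding its files."""
    return {
        "Type": "com.apple.configuration.services.configuration-files",
        "Identifier": identifier,
        "Payload": {"ServiceType": service_type, "DataAssetReference": asset_identifier},
    }

def asset_matches(asset, blob):
    """Client-side integrity check: downloaded bytes must match the declared Size and Hash."""
    ref = asset["Payload"]["Reference"]
    return ref["Size"] == len(blob) and ref["Hash"] == hashlib.sha256(blob).hexdigest()
```

The same pattern serves sudo or PAM by zipping their drop-in files and changing ServiceType; the integrity check is what makes a tampered download fail closed instead of silently loosening the host.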
2. Passkeys
Passwordless technologies like FIDO are critical to securing your organization's apps and services. In Sonoma, Managed Apple IDs are now issued a passkey for work. These passkeys are kept separate, in an iCloud Keychain associated with the Managed Apple ID.
1. Platform SSO
Lastly, the biggest feature in my opinion is, on the surface, a small one, but in actuality is perhaps the most significant. In Sonoma you are able to create local user accounts from an IdP like Entra ID. This allows a user to log in at LoginWindow using your organization's credentials. No more need to bind labs or shared devices to Active Directory! You can further use the IdP to set authorization on macOS, using AuthorizationGroups to permit the user to modify settings in macOS. This should effectively be the final nail in the coffin for AD support in macOS imo.
There you have it. My top 5 features coming to macOS this fall for IT pros!
Bonus Points: Managed Apps is exciting
Sonoma supports managed package installs via MDM, and will now mark any application inside the package's application bundle as managed when it is deployed to /Applications. Additionally, when the application is deployed via MDM, its data is stored separately!