Transcript
X-TIMESTAMP-MAP=MPEGTS:181083,LOCAL:00:00:00.000
>> TODD FERNANDEZ: Good morning
and welcome to session 301.
I'm Todd Fernandez, and I manage
Apple's device management tools
engineering teams and help
coordinate our efforts
across the company
to support deploying
and managing Apple devices.
I'm excited to be here
with you this morning
to represent the many teams
across Apple that have been hard
at work since we last met
and introduce what's new
in managing Apple devices.
Apple's commitment to education
and enterprise goes back
to the beginning of the company.
Serving the needs of educators
and students has been
an important part
of Apple throughout its history.
Today, there's a whole new world
of devices and content available
to teachers and students.
Technology can now be completely
integrated, both inside
and outside of the classroom.
But those devices and content
are also critically important
in the enterprise.
Though Apple's success
in the enterprise today
dwarfs any past successes,
Apple's interest in fostering
increased productivity
and enterprise started a long
time ago with the VisiCalc
on the Apple II and
continues through the myriad
of solutions now based on
iPhones, iPads, and Macs.
From the factory
floor to the office.
So how can we make it
even easier for schools
and businesses to take full
advantage of everything
that the Apple ecosystem offers?
Since the introduction of iPhone
and accelerating with iPad,
Apple has created key
technologies and services
to enable schools and businesses
to make the most
of their devices.
This year we are building
on that foundation
with a special emphasis on
shared device deployments.
Now, I need to take a moment
for a brief aside here.
I likely will be referring
to these two programs
by their three-letter
acronyms, DEP and VPP,
throughout this presentation,
but I owe marketing a dollar
every time I call a Device
Enrollment Program a dep. If
I slip, don't give me away.
I appreciate it.
All these device management
features really boil
down to helping you spend less
time with your devices looking
like this and more
time with your students
and employees using them
to do things like this.
Now, today we are going to cover
the entire deployment process,
highlighting all the new
features in both OSs,
the services and
tools along the way.
The first step is to enroll your
devices for remote management.
Of course, the best way
to do that is using DEP,
the Device Enrollment Program.
Before we jump into the
new features, though,
I want to take a moment
to highlight two changes
that have already taken place.
The first is that we've expanded
from our initial
launch in two countries.
The program is now available in
26 countries around the world.
And we've dramatically
shortened the time it takes
to get replacement
devices into the program.
So that's great.
Now let's talk about what
is new and coming this year.
The first feature I want to talk
about is called Enrollment
Optimization.
You might be thinking,
what does that mean?
It's actually very simple.
This is a way for the MDM
server managing the device
to keep the device
in Setup Assistant
until it is fully configured.
This ensures that before
a user can use the device,
all the settings,
accounts, and restrictions
that the organization
wants to have
in place are actually in place.
So how does it work?
There's a new key that is
part of the DEP settings
that specifies that you
want the device to wait
until it's fully configured.
When the device obtains its
Device Enrollment Program
settings from the service,
when it is enrolling
with the MDM server, it passes
that state back to the server.
The server then knows it can
take as many MDM commands
and install as many
configuration profiles
as necessary to fully
configure that device.
Once the device is
fully configured,
the server sends a New
Device Configured command
to the device, allowing
it to exit Setup Assistant
and be used by the end user.
This is available in both
iOS 9 and OS X El Capitan.
Next I want to talk about
a feature specific to OS X
that gives you more control
over how accounts are created,
or not created as the case
may be, during enrollment.
In fact, you can now prevent
user creation entirely
if you just want to use
network accounts on your Macs.
This works great with
Enrollment Optimization
if you set a passcode policy.
That policy will be enforced
when the user is creating
their new account.
One of the most important
changes is that now instead
of the user creating an admin
account during DEP enrollment,
you can specify that that
account will be a standard
account, which is typically
what you want in education.
However, because
OS X, of course,
requires an admin account to be
on the system, if you specify
that the standard
account will be created,
you can also create an admin
account behind the scenes
that you can later use
for remote management
via ARD or other tools.
And you can optionally
hide that admin account
from any standard
users on the system.
All these settings can be
configured using a new MDM
command called Setup
Configuration, which works well
in conjunction with Enrollment
Optimization [applause].
>> TODD FERNANDEZ:
This is great.
It will be very key in
education in particular.
Now let's turn to iOS 9
and to a feature again
with a somewhat ambiguous
name, but I'll explain.
Also very simple to explain.
Automated Enrollment is a
way to enroll your devices
in MDM using the Device
Enrollment Program
without anyone tapping
on the device.
How does it work?
Well, the first step is you
configure your DEP settings
like you would today,
but instead of having a
user get the device and walk
through the Setup Assistant,
you will connect the device
to Apple Configurator,
which will tell the device
"configure yourself
using your DEP settings."
The device obtains
those settings
and fully configures itself
all the way to the Home screen.
It's ready for the user to use
without anyone touching
the device.
This is a great feature
for shared deployments
in particular, enabling you
to configure a cart of iPads
without touching them beyond
connecting the USB cable.
This is not a new
feature per se,
but we've expanded the number
of Setup Assistant panes
that you can choose
to skip as part
of your Device Enrollment
Program settings.
Over the past year, we
rolled out these three panes,
but in iOS 9 you can also remove
the new Move From Android option
on the setup pane if
your enterprise wants
to make sure there's no
corporate data leaking
from their Android devices
while they're transitioning
to an iOS device.
>> TODD FERNANDEZ:
Finally I would
like to highlight something
I mentioned last year, that,
analogous to what the
MDM server can obtain
from the iTunes Store,
to get the Store Bag,
which tells you all the
APIs and URLs you can use
to control the VPP
program and other tasks,
MDM servers can implement
what we call MDMServiceConfig,
which will tell other device
management tools, for example,
Configurator, what kinds
of services it provides,
the most important being
the DEP enrollment URL.
Why is that important?
In fact, the Profile
Manager version
that we seeded this
week supports this,
and Apple Configurator we
seeded this week supports it.
And enables Configurator user,
instead of having to type
in the entire URL, can
just type in the host name
of the MDM server and
obtain the URL for the user.
So that brings us to the end
of the enrollment section.
We now have our devices
enrolled, they're ready
for remote management.
The next thing we want to
do is deploy the great apps
from the App Store
and other sources.
Of course, there are,
what did we say yesterday?
A million and a half
apps in the App Store.
There are also a large number
of B2B apps in the App Store.
There are in-house
enterprise apps
that your organizations
may be creating,
and developers may be using
ad hoc apps to distribute,
for beta testing
or other purposes,
using provisioning profiles.
I will talk primarily today
about the first three,
but there is something
towards the end
of the presentation also
potentially relevant
for that fourth type.
There are many different ways
to distribute apps to users,
but today I'm going to
primarily focus on Apple's tools
as well as MDM in general.
Finally, there are three
different ways to purchase apps.
Your users, of course,
can just go
to the App Store and buy them.
We have VPP redemption codes,
which transfer ownership
to the user.
Finally two years ago,
we introduced VPP
managed distribution
to give organizations greater
control and preserve ownership
of the apps they buy under
the Volume Purchase Program.
That's what I want to spend
our time right now on.
There are three big new changes
that I want to highlight today,
each one larger than the last.
The first is similar to the
Device Enrollment Program.
Over the past year we
expanded from 10 countries
to the same 26 countries
where the Device Enrollment
Program is available.
That's great.
But the second item I want
to mention is bigger
and builds on this.
We now have multinational
app assignment as part
of VPP managed distribution.
What does that mean [applause]?
>> TODD FERNANDEZ:
Maybe you know already!
We can go right through
this slide quickly.
What that means is you can
purchase your VPP apps in any
of those 26 countries, but
distribute them to any country
where that app is
in the App Store.
So to make it concrete,
if you are a multinational
company headquartered in France,
you can buy all your apps in
France but distribute them
to your users in the U.S.,
Canada, or even Kenya,
as long as that app is in
the App Store in Kenya.
We think this is
going to be huge.
Believe it or not, the next
one is even bigger than this.
You can now assign your VPP mass
distribution apps to devices.
[ Applause ]
>> TODD FERNANDEZ: Thank you.
We appreciate that.
So previously you could
assign them to users,
and iTunes Store Apple ID.
What is different about
device assignments?
Now there is no invitation
process if you want
to use device assignments
because there's no Apple ID
required on the device in order
to distribute the apps,
install them, and run.
Even if there is an iTunes Apple
ID configured on the device,
these apps will not appear in
the user's purchase history
because they are not
assigned to that user.
That further means there is
no way for the user to manage
that app, or install it, or
update it in the device UI.
It's completely at the
discretion of the administrator
and the MDM server to
control that timing.
A final difference I want
to highlight is that,
in contrast to user assignments,
where that app can be installed
on any device where that iTunes
Store Apple ID is configured,
if you are using device
assignments you need
to purchase a copy for each
device, and you app developers
out there should be
happy about that.
More sales!
But I also want to repeat,
there is no Apple ID required
on the device in
order to install apps.
[ Cheers & Applause ]
>> TODD FERNANDEZ:
Another big step forward
to make shared device
deployments much easier.
So what has remained the same?
The purchasing experience
is exactly the same.
You purchase VPP managed
distribution licenses
on the VPP store, and they can
be freely reassigned to a user
or a device and later
revoked and assigned
to a different user or device.
We've also worked very hard
to make sure there's a smooth
transition for all of the apps
that have already been installed
based on user assignments.
If you wish, you can transfer
and transition that assignment
to a device assignment without
having to reinstall the app
or risk losing user data.
The app stays in place,
as does the user data.
[ Applause ]
>> TODD FERNANDEZ: So what does
this mean for app developers?
It is actually pretty simple.
First of all, early next month,
iTunes Connect will allow you
to opt in to allow your
app to be distributed
as a device assignment.
This is probably a good idea.
Remember that piece I mentioned,
you might sell more copies?
Also, if your app is
checking the receipt to ensure
that it is running on a device
where a user is configured
that is the same user
the app is assigned to,
you'll want to update
that checking to do
that to make sure it's
running on the device
that it's been assigned to.
Secondly, I want to make a pitch
that device assignments
are a great feature
for shared device
deployments, but another one
for you app developers is to
move, if you haven't already,
to store your app's data
and settings in the cloud,
whether it's Apple's
cloud with iCloud Drive
if you're document-based,
or CloudKit,
or your own cloud-based storage.
This will help your app fit in
better in shared deployments.
There are a number of sessions
this week that will show you how
to do that with our
own solutions.
I encourage you to
check those out.
I also want to highlight
a change
to the caching server
feature of OS X server,
which already caches
OS updates and apps.
It now caches also iCloud data,
including Drive documents,
CloudKit data, and iCloud
photo library photos.
And those of you who have
now heard about App Thinning
and on-demand resources, it
will also cache those as well.
It just preheats the cache
of cloud data on your network
to give you better performance
and reduce your bandwidth,
and of course all of the data
in the cache is encrypted
using keys only present
on the client device.
So turning to what this
means for MDM developers,
if you are supporting VPP
managed distribution already,
there are a few changes
to the iTunes Store APIs,
which I'll cover in a moment.
You will use the same
Install Application command
to the device to tell
it to install this app.
You obviously should now
support assigning apps
to devices and device groups.
We've built all of
this to make it easier
to centralize the app's
management workflows.
It will be much more reliable
with device assignments
to be able if you wish to unify
the assignment in the Store
with the installation
command to the device.
So what are the changes for the
Install Application command?
Well, if the app is not
installed, it will install it.
If it already has been
installed by the MDM server
and is managed, it
will update it.
If the user already
installed the app so it's
in an unmanaged state, the
installation will fail,
so your server will
need to handle that case
and respond appropriately.
For those of you who are already
supporting this for OS X,
hopefully all of you, for
device assignments you want
to use the same purchase method
you have been using on OS X,
purchase method one for
iOS device assignments.
That's the command
to the device.
Now let's turn to the
command for the iTunes Store
to update its records on which
app is assigned to which device.
There are two new APIs that
should make implementing support
for VPP managed distribution
much easier.
The first supersedes the
separate commands to associate
and disassociate
licenses with users.
And it allows you to, with
one call for a single app,
to associate with any
number of users or devices
and disassociate any
number of users or devices.
This will make it
very easy to implement
that smooth migration
I mentioned earlier.
The second API gives you
an easy way to get the list
of apps the organization has
purchased, including the number
of licenses of each app
that they have purchased
without having to
fetch the entire list
of every single license
they purchased.
This will make it much easier to
build a responsive app library
in your admin console.
Moving on to an existing API
that has gotten several
new fields.
There are max limits for
the number of licenses
that manage VPP licenses,
API just mentioned.
You want to respect these values
when you're calling that API
to not call with
more than that number
of licenses in a single call.
We also have added a new
Retry After header because,
how can I say this delicately?
I'll be blunt.
Some of you, and we know who
you are, have some MDM solutions
that let's just say they
send a few too many requests
to the iTunes store.
We need you to fix that but
also respect this header
because if your solution
continues to do that,
we will send this header and
we may, if you ignore it,
create longer delays in
rejecting your commands
and potentially even suspend
the account of your customer.
So please, adopt this.
All right.
So moving away from strictly
VPP managed distribution
to some more general
app distribution topics.
There are a few things
that are new.
Really, they are
just more convenient.
The first is reiterating
the point I made earlier
that we've made a very
smooth migration from user
to device assignments to leave
the app and data in place.
Secondly, if the app has
already been installed unmanaged
by the user, it is now
possible to convert that app
to managed state without
having to reinstall
or lose user data [applause].
>> TODD FERNANDEZ: I'll give
you the details in a moment,
but the third change is that
you can now install apps via MDM
or Configurator even if
you disabled the App Store.
Great improvement for
education in particular.
How does this work?
Changing an app from unmanaged
state to managed state is
as simple as sending a new
Install Application command,
with this new field, Change
Management State equals Managed.
And this will happen silently
on a supervised device.
That's it.
If it's an unsupervised
device, you can use this,
but the user will be
prompted to accept the change.
Once that change has happened,
managed open in will consider
that app to be managed and
all of that data will be
within the managed sphere,
just as if it had always been.
If the app is not
installed at all,
and you're passing this call,
it will still install
the app as a managed app.
That's great.
This works for App Store apps,
all the different types of apps.
Let's talk about changes
for enterprise apps.
We've created in iOS 9 a new
UI flow to make it easier
for the user to understand
when they are installing
an enterprise app
from a new developer.
I'll show you what
that looks like.
We also made it easier for
you to avoid your users
from ever having to see that
great new user experience
because you can prevent
them from trusting new apps
from other developers so that
they can only use your in-house
enterprise apps.
And if they have enrolled
with your MDM server,
they have implicitly given their
trust to you as a developer,
and so any apps that
you install the MDM
that are your enterprise
in-house apps will be
installed silently.
[ Applause ]
>> TODD FERNANDEZ: So if
it is an enterprise app
from a developer that
they haven't trusted yet,
what does that look like?
Well, it looks like this.
After they installed the app
and launch it, they can dismiss
that alert and then switch over
to Settings and the profiles
and remote management
area of Settings,
which was changed quite a
bit and improved in iOS 8,
they can trust the app.
And that's it.
And then any further apps
from that developer will
be automatically trusted,
but they can also always come
back here and remove that trust.
It's just that easy.
Let's now turn to B2B apps.
Those of you who have
worked on MDM console
or have used one know
that it's really great.
You can have an app library
that has the nice app metadata
with the icon, the app name,
and any other details about it.
But if it's a B2B app, it
looks something more like this.
Wa Wa. Well, I really
have good news for you.
Later this summer
you will be able
to get the same app metadata
for B2B apps that you can
for App Store apps today.
So you can make a nice
experience for your users.
What's more, that will also
allow you to get the metadata
for any apps that have been
removed from the App Store.
I thought you would be
more enthusiastic about it.
Where are all the MDM
developers [applause]?
>> TODD FERNANDEZ: All right.
At this point, we reached the
end of our distribution section.
I would like to ask Shruti Gupta
to come up here and demo a bunch
of these features on Macs
running OS X El Capitan.
Take it away.
>> SHRUTI GUPTA: Good
morning, everyone.
I am each excited to show
you some of the cool features
that Todd talked about.
The first thing I will demo
are the new enhancements
that we have made in account
creation and password policy.
So here is my profile
manager in OS X server.
I am using this profile manager
server as my MDM solution
where I have a couple of
Macs that are registered
in Device Enrollment Program.
If you look at the settings,
you can see that I've
already created DEP profile
for the device group.
I have skipped all the
Setup Assistant panes except
for the local account setup.
This is a new feature
that would force the user
to create a standard
user account.
Since OS X requires
an administrator account,
I provided administrator
credentials here.
You have the ability to show
or hide this administrator
account from the user.
For today's demonstration
purpose I will hide the
administrator account.
I have also configured a
passcode profile for these Macs
that would require the user
to use a complex password
during this setup time.
What does this look
like on the client?
Let's take a look.
So here is my Mac that
is registered in DEP
and has been booted for the
first time OS X El Capitan,
mimicking out-of-box
user experience.
Let's go through the setup.
I select the United States
for my country, U.S. keyboard.
Here we are at the configuration
pane, which you will see only
if the systems are configured
in DEP. So we come to them.
Now, the MDM server is
prompting me to authenticate
that my directory
server credentials.
I will enter my user
name, Shruti,
and my password, hello kitty.
So what it is doing right now,
it is enrolling this
Mac in the MDM.
It is going to fetch all the
configuration profiles ever
configured for this
Mac from my MDM server.
We are at the user account pane.
You will see we've populated
some of the information
from the previous login.
I'm going to go ahead and enter
my full name here, and let's see
if it likes my hello
kitty password.
Oh, looks like I need to use
a more secure password based
on the passcode policy
that we set earlier.
I will enter a new
password here.
What is cool about this is, it
gives you immediate feedback
as I'm entering the password.
I'm going to complete the
Password Verification field
and continue.
So it is creating the
user account as well
as the hidden administrator
account in the background.
I'm going to select the time
zone now, and you'll notice
that I didn't have
to go through any
of the location services pane
or the iCloud sign in pane
because we configured it to skip
all those Setup Assistant panes.
Here, our account is all set up.
Let's see what kind of
account really got created.
I will launch System
Preferences,
go to Users and Groups.
You can see it is a
standard user account.
The administrator
account is not visible.
Just to prove that administrator
account really got created,
I'm going to unlock the pane
with my administrator
credentials
that I provided on
the MDM server.
Ta-da! You can see that
it's unlocked successfully.
The next thing I'm going to demo
is one of the coolest features,
and I'm sure many of you
have been waiting for,
being able to assign
VPP app to the devices
without requiring the user to
log in with their Apple ID.
So I'm going to push a VPP app
to this Mac, which is going
to be Apple Configurator app.
So while it pushes
the app, let's see,
check in the App Store
that I'm not signed in.
So we look at the Store menu.
You can see that I'm
not signed in here.
If you notice, the app
has already started
to install in the LaunchPad.
There is our Apple
Configurator app.
Thank you, back to Todd.
>> TODD FERNANDEZ: All right.
Thank you very much, Shruti.
So what did we just see?
Shruti installed a passcode
policy before the user account
was created, and it
was respected while
that user account was created.
It was a standard user account
that was created instead
of an admin account.
She also created an admin
account that she could use
if she needed to log in directly
on the Mac or remotely later.
She also showed you assigning
a VPP app to a device.
So let's move on to the third
section of today's session
and talk about ongoing
management of devices.
First, I would like
to highlight the fact
that iOS 9 supports
Exchange ActiveSync 16,
specifically a number
of improvements
to calendar support,
including improved reliability
for a number of common tasks
and support for attachments
in physical locations.
Now let's turn to our own
MDM protocol and profiles.
There are a number of
new commands and queries,
and the ones I want to highlight
at the top, there's a new query
that tells you what software
updates are available
for that device and a command
that will tell the iOS device
to update to the latest
iOS for any devices in DEP.
[ Applause ]
>> TODD FERNANDEZ: Including
being able to tell the devices
to download and stage the update
so you can then command them all
to update at the same time.
I've already talked about the
remaining commands and queries
in the enrollment section
and the distribution section.
So I won't spend any
more time on those.
Now let's turn to what's new
with configuration profiles.
There are two new payloads,
network usage rules,
which allows an organization
to control how their
managed apps use the network,
whether they're allowed
to use cell data or roam.
The OS X server account
payload configures whether apps
that support the document
provider API can access
documents on their
OS X server account.
There are a number of
other settings added
to existing payloads,
including a lot of changes
in the IKEv2 VPN connection
type, more about that later,
and a large number
of new restrictions.
So let's look at those.
There are a handful
that are applicable
on unsupervised devices,
including the ability
to prevent users from trusting
additional enterprise app
authors that I mentioned
earlier.
We also now allow you to
tell AirDrop to be treated
as an unmanaged destination
[applause].
>> TODD FERNANDEZ: All right!
But the final thing I want
to highlight here are
the three restrictions,
third from the bottom,
modify device name,
passcode, and wallpaper.
These are particularly useful
in shared device deployments.
If you have, say, some
might say creative,
others might say malicious,
students who like to mess
with their devices, you
can now prevent them
from changing the device
name, setting a passcode,
or changing the wallpaper.
[ Applause ]
>> TODD FERNANDEZ:
One final note
about configuration profile
restrictions in iOS 9.
There are a number
of restrictions,
these nine in fact, created
before supervision existed.
And in fact, they really
should only be applicable
on supervised devices.
So this is your early warning
that they are still applicable
or they still are honored on
unsupervised devices in iOS 9,
but in an iOS version
to be named later they
will be only honored
on supervised devices.
Now let's turn to OS X.
Just like in iOS 9, OS X El
Capitan gives you a new query
that tells you what software
updates are available
for that Mac, and you can
tell it to install one or more
of those updates if the Mac is
in DEP. The device information
query achieves parity with iOS
and you can now obtain, if
you are using user assignments
for VPP managed distribution,
you can now see
which account is
configured on that device.
We already talked about
setup configuration
and device-configured commands
in the enrollment section.
There's also an active
managed users query,
which will tell the server
which users are logged in
and actively using the
Mac so you can clean
up obsolete unused sessions.
There are also some changes
to configuration profiles.
There's a new payload to
configure an Ethernet proxy
and a number of settings
for other payloads,
including a handful
of restrictions
that were previously
available on iOS
and now also are
available on OS X.
As I alluded to earlier, there
are a lot of changes in VPN
and enterprise network
connectivity.
I encourage you to come
and check out their
session Friday morning
and learn all about that.
I will not steal
their thunder here.
That brings us to the end
of the management section.
I would like to ask
Shruti to show you some
of these features on iOS.
[ Applause ]
>> SHRUTI GUPTA:
Thank you, Todd.
Hello again.
So I'm going to demo some of
the new features on iOS now.
So here is my device
that is running iOS 9.
It is already enrolled in DEP.
If you look at the settings,
you can see that I can currently
set a passcode on this device.
I can change the wallpaper.
And if I go to General,
About, Name,
you can see that I can
edit the device name too.
Let's go to restrict these
settings using our MDM server.
So the server is now sending the
push notification to the device.
Keep your eyes on the screen
as the settings get updated.
There you go, you can see
that I can no longer set
a passcode on this device.
I cannot change the wallpaper.
If I try to tap on
the Name field,
I cannot change the
device name either.
Earlier we saw VPP
app assignment on Mac.
Now we are going to see VPP app
assignment on the iOS device.
I am going to push a
VPP app to this device,
which is going to be WWDC app.
Let's confirm I'm not signed
into the App Store here
while it's pushing the app
from the server.
I go to App Store Settings,
you can see that I'm not
signed in with my Apple ID.
If you go to the Home
screen, you'll notice
that App Store does
not exist there.
That is because I
restricted the App Store
from installing apps
on this device.
>> SHRUTI GUPTA: I guess
I'll give it back to Todd.
Thank you.
[ Applause ]
>> TODD FERNANDEZ:
Thank you, Shruti.
You trust us, right?
It works great.
All right.
So what did Shruti
just show you?
Again taking advantage of
the three new restrictions
to prevent students and
others from changing things
on the device that you
don't want them to change,
and being able to assign apps
to devices and install apps
on devices even when the
App Store is disabled.
So let's turn to
our fourth section
and talk a few minutes
about tools.
The first tools that
I want to highlight,
I hope that you MDM
developers are aware of.
If not, this is your moment.
We created over the
past year simulators
for both the Device
Enrollment Program
and the Volume Purchase Program.
It allows you to
simulate large numbers
of devices hitting
your server as well
as all the service errors that
may be difficult to simulate
in any other way and
test your handling
to make sure it's robust.
Both simulators are
available for download
on the Developer portal,
and we've released
new versions this week
that support all
the new features
that we talked about today.
Please, download and
use them to make sure
that your implementations
are as robust as they can be.
We use them to test our own
device management tools.
For example, Profile
Manager, which, of course,
has been updated to support
all these new features.
Shruti showed you its support
for several of them today.
Apple Configurator plays a role
in automated enrollment using
the Device Enrollment Program.
I want to talk about
Configurator.
Here is Configurator.
Has the three workflows.
Prepare, you can configure
how the devices are prepared
and supervised, and assign them.
It was initially the only
way to supervise devices.
You can install VPP apps
using redemption codes.
You can install profiles.
It maintains and
builds up a database
as you supervise
devices, and import apps
from iTunes, and
create profiles.
We received feedback
over the last three years
and learned a lot about
managing iOS devices
over the last seven years.
I am thrilled to tell you we
have completely reinvented Apple
Configurator and created
Apple Configurator 2.
[ Applause ]
>> TODD FERNANDEZ: So
what were our goals
in creating Apple
Configurator 2?
We wanted to invert
the user experience
and put your devices
front and center.
That's what you are looking at
in your cart or on your desk,
and show you the state
your devices are in,
which makes it easier for you
to understand what you can do
with them and what
is going to happen.
We've broken apart the workflows
and given you discrete tasks
so you can perform
exactly what you need to do
on a specific group
of devices right now.
While at the same time
making it very easy
to combine those discrete
tasks into custom workflows
to prepare your devices
and manage them just the
way you want [applause].
>> TODD FERNANDEZ: We
also heard that many
of you are using multiple
Configurator stations,
some even hundreds in a
large school district.
You want to better be able to
share data between the stations
and freely move devices
between them.
We also of course want Apple
Configurator to be a great tool
for managing a small
number of devices
in a classroom, or
a cart, or a lab.
But we also want it to
be a great companion
to the Device Enrollment
Program and an MDM server,
which is doing the bulk
of the remote management.
But you might want to
use Apple Configurator
for a few tasks here and there.
Instead of me talking
about it anymore,
I would like to invite
Enrique Osuna
to show you Apple
Configurator 2.
[ Applause ]
>> ENRIQUE OSUNA: Thanks, Todd.
I'm excited to be
here to talk to you
about Apple Configurator 2.
Why don't we go ahead
and get started.
The first thing you'll see
when you launch Apple
Configurator is the
Devices window.
This Devices window has all
of your connected devices.
Each of the connected devices
is represented by this icon.
These particular
icons have an image
of the device's Home screen.
This is Configurator's way
to tell you these devices
have been prepared.
Everywhere in Configurator where
you see a collection of icons,
you can also view the
same data as a list.
You can get there by
clicking on the View button
in the toolbar and
clicking on List.
Here, you see the
same connected devices
with additional information.
To go back to the collection of
icons, click on the View button,
and back to Collection.
One of the key features that
Todd mentioned was the ability
to perform discrete tasks
on connected devices.
These tasks are found
in the Actions menu.
In the Actions menu you can
do things like add, remove,
modify existing content as well
as back up and prepare devices.
We will talk more about
prepare in a second.
In the Devices window you
see a big toolbar at the top.
The toolbar has all of the
common actions of Configurator,
such as the Update button here.
In the upper right-hand corner
of these connected devices
you see this big red badge.
What this red badge indicates is
that these devices
require an update.
I'll go ahead and see what
updates are available.
Let me select all my devices.
Click on the Update
button in the toolbar.
Now what Configurator is doing
is contacting the iTunes Store,
figuring out if there's
any iOS or app updates.
Now, you can see that
Configurator has identified
that the WWDC app on my
devices needs an update.
So I can update that app by
clicking the Update button.
Configurator is contacting the
Store, downloading the apps,
and actually installing
them onto the devices.
For those who didn't notice,
I didn't have to launch iTunes
in this entire transaction.
[ Cheers & Applause ]
>> ENRIQUE OSUNA: Configurator
no longer has a database of apps
that you have to
manage or maintain.
Now, as Configurator is
finishing up the app install,
you'll notice the big
red badge that was
in the upper right-hand corner
should start disappearing
here shortly.
This is an indicator that
these devices no longer require
an update.
Now, right before
this presentation,
I was actually having some
problems on one of my pads.
It was probably that one, trying
to get on to the WiFi network.
Let's look at what
might be going on.
If I double-click on
one of these devices,
Configurator launches you into
this new UI that allows you
to see some information
about your device.
You can find things like the
device's name, serial number,
as well as organization
information.
In the left sidebar,
you can find apps.
These are the apps
actually installed
on my device, as
well as profiles.
These are the profiles that
are installed on my device.
Unfortunately, this device
is missing my WiFi profile.
I'm sure I have other
devices in my cart
that are missing
a profile as well.
Let's go ahead and see if
we can't figure it out.
I can go back to all
my devices by clicking
on the Back button
in the toolbar.
Here are my connected devices.
If I go to the Search field
in the upper right-hand corner
and start typing WiFi,
Configurator offers me
this fancy suggestion
of all the devices that have
the WiFi profile installed.
The problem that I have is not
which devices have the
profile already installed.
It's the devices that don't
have the profile installed.
If I click on the token
in the Search field
and it says profile
is not installed,
Configurator will show me the
two pads missing the profile.
Let me fix the problem.
I'll select both devices,
click on the Add button
in the toolbar, and
click on Profiles.
Configurator 2 no longer
has a database of profiles.
These profiles can be found
anywhere on your disk.
Let's navigate to the desktop.
Here I have my WiFi profile.
What is neat, you can have these
profiles on mounted volumes
and even in your iCloud drive.
Now that Configurator is done,
I can clear the Search field
and I can see my
connected devices again.
Another cool feature
of Configurator 2 is the
ability to tag a device.
Tagging a device allows you to
create device groups, but again,
without a database of devices.
I can show you that right now.
If I select a couple of these
devices, go to the toolbar,
and click on the Tag button
and select a few of these tags.
Press the Return key.
What Configurator
is doing is writing
that tag to these devices.
What is neat about the tags,
it is actually written
to the device.
When you transport this device
to another Configurator station,
those same tags appear
there as well.
If I go back to the
same Search field
in the upper right-hand corner
and start looking for my tag,
I start getting a
suggestion, fourth grade,
I'm going to go ahead
and click on that.
Now Configurator is
showing me just the pads
that are tagged with
fourth grade.
Right under the Search field --
[ Applause ]
>> ENRIQUE OSUNA:
Under the Search field,
there's a Save button.
Configurator allows me to save
this search for later use.
Let me click on the Save button.
You'll notice a new entry in
the favorites bar right here.
Now, whenever I add
another device
that has the fourth grade tag
attached to it, it will appear
in this particular view.
So one last thing that I want
to do is rename my devices.
Let's go back to all devices
right here in the favorites bar.
And let me select
all of my devices.
Go to the Actions menu.
Modify. Device name.
Like Configurator 1,
Configurator 2 can
rename your devices.
We offer you an opportunity
to provide static text.
Let me go ahead and give
it some static text.
And in Configurator 1,
we introduced a feature
that allowed you to append
an autoincrementing number
to the field.
In Configurator 2, we kind
of let you do that too,
but we do that through what
we like to call a token.
These tokens can be put
anywhere in the name.
Here you see the
autoincrementing number.
You see other information
about the device,
like the device's serial
number, type, and capacity.
For this demonstration,
I like to use type
and the autoincrementing number.
Now I click on Rename.
Configurator is now going
through all these devices,
grabbing those bits of
information off the device,
and creating a name and putting
it back on to the device.
As you can see, my devices are
named Townships Schools iPad 1
through 5.
All these devices
are configured.
I have a brand-new cart of
devices I would like to add.
These are pads that are right
out of the box and almost ready
to go as soon as
Configurator is done with them.
The first thing that you'll
notice is this big white Device
icon, what that represents is
that these devices are
ready to be prepared.
I would like to show you
that prepare right now.
Let me click on one
of these devices.
Click on the Prepare
button in the toolbar.
In Configurator 2, there's
two prepare workflows.
One is manual, and the other
is the automated enrollment
that Todd talked about
earlier in the presentation.
For this demonstration,
I'm going to do these
iPads using manual.
I'll click on Next.
Here is my opportunity
to manually enroll
the devices into MDM.
I don't have an MDM
server with me today,
so I will go ahead
and click on Next.
Here, Configurator is
asking me if I want
to supervise my devices
to my organization,
and I absolutely do
to take advantage
of the new iOS 9
supervise only features.
Click on Next.
This is the organization that is
associated with the supervision.
This looks good.
Next. And this final
pane is my opportunity
of skipping iOS Setup
Assistant panes
on the device once I hand
my device back to my users.
For this demonstration, I want
to not show any of the panes.
I'll go ahead and
click on Prepare.
Configurator is now preparing
and supervising these devices.
I still have to tag, add some
profiles, and add some apps
to this device, which
actually is a lengthy process.
So, what we did in Configurator
2 is automated this process
with what we call blueprints.
I'll show you what a
blueprint is right now.
If I click on the Apply
button in the toolbar,
and click on Edit Blueprints,
Configurator takes you
into this special mode where
you can create a new blueprint,
and I'm going to do that.
Click New Blueprint.
Let me give it a
name I can remember.
And press Return.
Now, what's really cool
about these blueprints is
that they act just
like a device.
Anything that I can do
on a connected device,
I can actually do
on a blueprint.
What the blueprint does,
it records those actions,
and then later on I can
replay those actions.
Let me do the first
thing, which is prepare.
If I click on the blueprint,
I press on the Prepare
button in the toolbar.
Configurator offers me the
same view we had earlier
when we clicked Prepare.
Configurator remembered
my last options.
And these options are fine.
I'll breeze through
these setup panes.
Click on Next.
Until we get to prepare.
Now that the blueprint
is prepared,
I want to add some tags.
Click on the Tag
button in the toolbar.
Select a couple of tags.
Press Return.
You will immediately notice
the Blueprints label is updated
with my new tags.
I want to add an app.
Click the add button
in the toolbar.
Apps. Now what you see here
is all the VPP apps associated
with my VPP account.
I want to go ahead
and push the WWDC app
to a part of this blueprint.
I click on WWDC, Add Apps,
and then finally I want
to add my WiFi profile.
The same Add button, Profiles,
Configurator remembered the
last spot I was at for profile.
I'll click on my WiFi profile.
Add profiles.
Now, like inspecting the device,
you can also inspect
a blueprint.
If I double-click on this
blueprint, I'm presented
with this blueprint inspector.
Here you can see additional
information about the blueprint
such as its name, its
storage requirements,
here with the storage bar at
the top of this inspector,
as well as the prepare
options I highlighted earlier
and the tags that I've set.
Like a device inspector, you can
also inspect the apps associated
with this blueprint and
the profiles associated
with this blueprint.
Now I'm almost done.
I just need to rename
the devices associated
with this blueprint.
So I go back to Info.
Click on Actions.
Modify. Device Name.
Configurator remembered
my last rename options.
Those worked fine, so
I'll click on Rename.
You notice here in the blueprint
the device name options show
up here.
Great, this blueprint is done.
In the lower right-hand corner,
I can click on the Done button.
Now I want to apply that
blueprint to these devices
that are ready to be prepared.
Let me select those devices.
Go back to that same Apply
button that we went to earlier.
Now you see an entry
for my blueprint.
If I tap on that entry,
Configurator is now going
through the actions I
saved in that blueprint
and replaying them
on to the devices.
This is Apple Configurator 2.
Thank you very much.
Back to Todd.
[ Applause ]
>> TODD FERNANDEZ: Thank
you very much, Enrique.
So Enrique has shown you how
to configure devices using
Apple Configurator 2,
including installing VPP apps.
I'll talk more about
that in a moment.
You can create device tags
that travel with the devices
between multiple Configurator
stations using tags.
He showed you how to
build and use a blueprint
to create a custom workflow
and replay the set of actions
that you want on any
number of further devices.
However, there's even
more automation options
that we didn't show you here.
In addition to blueprints
in the UI,
there's also a command-line
tool.
There's a scripting library
and suite of automation actions
for you to easily integrate
Configurator's functionality
into your workflows.
[ Applause ]
>> TODD FERNANDEZ:
You're in for a treat
because Sal Soghoian is
going to talk about that
on Thursday afternoon,
how to use Automator
and Configurator together
to automate your device
management workflows.
Enrique showed you a lot of
what Apple Configurator 2 can do
but there's more.
I mentioned multiple station
support, all of those profiles
that you can find anywhere on
your Mac can be saved in iCloud
in addition to other
Configurator settings.
I mentioned the automation
tools.
While Enrique showed you the
cool additions to renaming
that Apple Configurator 2 has,
there are also some great
enhancements to being able
to set wallpaper, which
is no longer a preference,
but can be done as a command
on any number of devices.
There are cool tricks
if you look
at the options in there as well.
Definitely check it out.
We released the beta yesterday,
and it's available for you
to download from
the Developer portal
and we will also
have it in the Lab.
That brings us to the end
of our fourth section.
And I just want to sum up
quickly for you administrators
that if you are using
wireless remote management,
use the Device Enrollment
Program
or Configurator using
automated enrollment
to get your devices enrolled
in MDM or use Configurator
to manage your devices if
you are not going to use MDM.
You can use VPP managed
distribution now not only
to distribute apps to
users but also to devices.
As I mentioned the Configurator
2 beta is available now.
Turning to developers,
again, you app developers,
please early next month in
iTunes Connect you will be able
to opt in to device
assignments for your apps.
MDM developers, please support
VPP managed distribution device
assignments, your customers
will appreciate that.
The documentation
is available now,
and the new iTunes Store APIs
that I mentioned and talked
to you about are already
in production, ready
for you to use.
Support all the other
new features in iOS 9
and OS X El Capitan, and use
the DEP and VPP simulators
to test your implementation.
There are related sessions
this week about CloudKit,
there's an enterprise
get-together later tonight.
The VPN session on Friday and
Sal's session on Thursday.
Check them out.
There's a great website with
lots of resources for how
to integrate Apple devices
into your enterprise.
Lots of documentation
for MDM developers,
from the MDM protocol to the
configuration profile reference,
and a forum where you can
ask and answer questions.
Administrators, there's
lots of reference guides
for deploying iOS and OS X
in your organizations as well
as help for our tools and forums
to ask and answer questions
about how to bring Apple
devices into your organizations.
Thank you for your attention
and wish you have a great show.
Thank you very much.
[ Applause ]