WWDC2018 Session 302

Transcript

[ Music ]
[ Applause ]
>> Good morning, and welcome to
What's New in Managing Apple
Devices.
I'm Todd Fernandez, and I'm very
pleased to be here with all of
you here in the hall this
morning, as well as those of you
watching this video now or in
the future.
I'd like to cover all the things
that have changed in the past
year, since we last did this at
WWDC 2017.
But, before we dive into all of
those details, I want to take a
moment to take stock of how far
we've come.
This year, we are very proud to
celebrate 40 years of Apple in
education.
And, it's fascinating to see how
much has changed.
From the audacious goal of an
Apple II in every school in 1978,
to an iPad or MacBook in every
student's hands in 2018.
But, it's even more important to
consider how much has remained
the same over those tumultuous
40 years.
Apple had a unique insight into
how technology could inspire
people and unleash their
creative genius.
And, we believed technology
could help teachers deliver
unique and personalized
experiences to all of their
students.
We have never stopped believing
in this goal, and never stopped
working hard to achieve it.
Over the years, we have created
a number of tools to make it
easier for schools to put Apple
devices into the hands of each
of their students.
And, I want to highlight one of
those now.
Classroom is now two years old,
and teachers really appreciate
the power it puts at their
fingertips to accelerate
teaching and learning without
technology getting in the way.
But, we want to provide our
tools on whichever OS our
customers choose.
So, we were excited to announce
at our March education event,
that Classroom was coming to the
Mac.
And, it looks like this.
I think Classroom looks
fantastic on the Mac.
It has the same great feature
set already available on iPad,
plus some surprises.
But, instead of describing those
to you, I'd like to invite Curt
and Raheel up to actually show
them to you.
Guys?
[ Applause ]
>> Thanks, Todd.
Team's been working hard to
bring the great Classroom
experience to the Mac, and we're
thrilled to share it with you
today.
To get started, I can just go to
Launchpad, and click on
Classroom.
As you'd expect in a Mac app,
all the actions in Classroom for
Mac are available in the
toolbar, from menus, and with
keyboard shortcuts.
For example, I can hit Command-T
to bring up my teacher info.
Oh, that photo's a bit much.
Let's go with something a little
more laid back.
That's better.
I can hit Shift-Command-N to
bring up a new Class sheet.
We have all the great icons and
colors that teachers use in
Classroom for iPad.
I have enough Classes for this
demo, so I just hit Escape to
dismiss that.
In the Classes view, I can drag
and drop to rearrange my
Classes.
And, I can just double-click to
start a Class session.
In a Class session, we have all
the actions that teachers expect
from Classroom for iPad.
They're available in the
toolbar, from the Actions menu,
and of course, with keyboard
shortcuts.
And, because this is a Mac app,
and I'm demoing on a Mac, I can
use QuickTime to show you what
this looks like from a student's
perspective.
So, now on your left, we have
Classroom for Mac, and on the
right, we have Raheel's student
iPad.
Let's navigate the students to a
website.
I hit Command-G to bring up the
Navigate sheet.
Now, I could use my mouse to
pick the site to go to here.
I could also use the arrow keys.
Let's open this great National
Geographic kids' site.
So, all my student iPads are
taken to this site.
And, I can even click this link
to go to the same site in Safari
on my Mac.
Now, while I'm browsing the
site, I might find something
else I want to share with my
students, like this cool Monarch
butterfly page.
I can click the Share toolbar
item, choose to Share via
AirDrop, and in the list my
class, and any manual groups
I've created will show up.
So, I can share this page.
Another thing that I love about
having Classroom on the Mac, is
that it gives me a great way to
keep my students on task.
I can see what apps they're in
by looking at these icons next
to their avatars.
And, through these Smart Groups
that show what students are in
each app.
It looks like Raheel's getting
distracted.
Brooklyn and Ella are still in
Safari, but it looks like
Raheel's browsing the App Store.
So, I can use another cool
feature of Classroom.
If I double-click on Raheel's
avatar, I can see his iPad
screen on my Mac.
And, while I'm looking at a
student's screen, I can perform
actions on just that student's
iPad.
So, in the Actions menu, I can
choose Open App, and then
Safari, and click Open, to bring
Raheel back on task.
[ Applause ]
>> Students can share links and
files from their iPads to the
teacher, too.
For example, I can share an
image from Photos, like this
great bear picture I found.
All I have to do is tap the
Share button, and then tap
Doctor C in AirDrop to share.
>> When a student shares an item
with me, the Inbox button in my
toolbar will light up to let me
know that there's something new
there.
And, I can click to see a list
of shared items.
And, on the Mac, I can tear off
this Inbox, and place it next to
my Classroom window.
And, this is great, because I
can get at the items that my
students are sharing with me,
while still keeping an eye on
the class as a whole.
And, I can double-click to open
any shared items.
Well, that's a great bear photo,
Raheel.
>> I know, right?
It's unbearably great.
>> Indeed.
[ Laughter ]
Besides Smart Groups, I can also
create groups manually in
Classroom.
I'll hit Command-N to bring up
the New Group sheet, enter a
group name, and select the
students to include.
Manual groups are a great way to
get different groups of students
started on different tasks.
When I'm done with my class
session, I can hit End Class.
That ends my session.
I'm presented with this great
Summary view.
I can see all the apps that my
students used during class, and
for each app, a timeline of when
they were in that app.
I also see all the shared items,
like the great bear photo.
And, for each student, I get a
timeline of all the apps they
were in, and when they were in
those apps.
So, that's Classroom for Mac.
We think with drag and drop,
keyboard navigation, toolbar
items, the menus and the tear
off inbox, the teachers are
going to love the power and
convenience of having Classroom
on their Macs.
And, of course, any macOS Mojave
app would not be complete
without support for Dark Mode.
So, that's Classroom for Mac.
It's available in public beta
now, and from the App Store this
fall.
Thank you.
Todd?
[ Applause ]
>> Thank you very much, guys.
Doesn't Classroom really look
great in Dark Mode?
I think teachers are really
going to appreciate having it
here, on their Macs.
Now, while education has been
part of Apple's DNA from the
very beginning of our company,
over time we've broadened our
audience to include the
enterprise.
And, in 2018 and beyond, we want
to empower people in both
schools and businesses around
the world to manage all of their
Apple devices, from iPad to
iPhone to MacBook to Apple TV,
as well as all of their apps,
whether they're in the App
Store, or custom enterprise
apps.
With the same technologies and
tools running on whichever OS
they choose.
And, that's why today I'm going
to organize the content, first
covering all the developments
organized by the common features
available on all our OS's.
And then, continue through
capabilities specific to one or
more OS.
And, just to give you a little
bit of a legend ahead of time,
you'll see new badges up in the
upper right-hand corner on
slides where all of that content
is new in our fall releases.
There will also be specific
version badges on some slides
for things that have already
shipped in one or more releases,
and if there's a slide that has
some with version badges, and
some bullets without, everything
without a version badge is new
in a fall release.
So, with that, let's get
started.
The first thing is to get your
devices enrolled for remote
management.
And, schools use Apple School
Manager to do that.
Take advantage of the device
enrollment program to enroll all
of their devices with the
correct MDM server.
And, I'd like to bring you up to
date on all the changes in Apple
School Manager over the past
year.
First, I want to call out, is
now every student-managed Apple
ID comes with 200 gigabytes of
iCloud storage.
[ Applause ]
Definitely.
Creating more great content,
presentations and documents.
We've also made it much easier
for schools to create and
distribute passwords for those
student accounts.
We've dramatically modernized
and streamlined the experience
of purchasing apps and books in
bulk, as well as managing those
licenses over time.
Being able to transfer them from
one content manager to another,
both within a location, and to
another location, as your needs
change.
And then, finally, a big
customer request was to enable
you to set a default MDM server
for a particular device type,
making it very easy to manage
all of your Macs with one MDM
server, and all of your iOS
devices with another.
But, we didn't want to just make
all this great experience
available to schools, we also
wanted to bring it to the
enterprise.
And so, I'm pleased to let you
know that we have now created
Apple Business Manager as well.
It offers the same great
features to manage accounts,
purchase apps and books, and
manage device enrollment, with
one important caveat on the
accounts.
Apple Business Manager allows
you to create accounts for all
of your administrators to manage
these other features, but it
doesn't support creating
managed Apple ID's for all of
your employees.
It does offer the same, great,
integrated apps and books
purchasing experience, including
the license management features,
and all of the new features for
managing device enrollment.
And, it should be very familiar to
anyone who's ever seen Apple
School Manager.
To allow you to create accounts
for your administrators,
purchase and manage your apps
and books licenses, and manage
your MDM servers, including
default MDM type.
So, until this week, Apple
Business Manager has been in a
private beta.
But, I'm excited to let you know
if you haven't seen the
announcement already, we
actually launched in the United
States yesterday, and our global
launch will be in two weeks, on
June 20th.
[ Applause ]
We're very excited about
bringing all of this to, this
integrated experience to all of
our enterprise customers.
So, where and when will all that
happen?
Well, today, Apple School
Manager is available in 34
countries, and that's our global
launch in two weeks.
But, we didn't stop there.
I'm very excited to announce
that in fact, this summer we're
also going to expand into 31
more countries around the world,
bringing us to 65 with support
for Apple School Manager and now
Apple Business Manager.
We're also adding book support
in Canada and Germany, which
currently only support apps.
So, I know the map looks great.
You can kind of see where the
expansion was, but I thought it
would be much easier to actually
see a list of countries, so you
can see if your country will now
have support for Apple School
Manager and Apple Business
Manager.
And, one thing I noticed,
looking at this list of
countries-- this is a World Cup
year-- that seven of these
countries actually have a team
in the World Cup, unlike, sadly,
my country, United States, but
that means I'm in the market for
a new team.
So, go Iceland.
[ Laughter ]
I wanted to tell you also about
another expansion of one of our
deployment program features.
You can add credit to your
account via purchase order to
allow you then to purchase apps
and books later.
Purchasing from either Apple or
a reseller.
And, we have just launched last
week in 10 new countries in
Europe.
Again, here's the list.
I believe that doubles our
access to this program as well.
The next slide is an evergreen
topic.
Every year we add new Setup
Assistant panes in one or more
of our OS's, and this year is no
exception.
And, we continue to want to
enable organizations to
configure the experience they
provide to their users as they
set up their devices.
So, in the spring's release, we
added a new privacy pane on all
three OS's.
We also added a new iCloud
storage pane for macOS.
And, two new panes for tvOS.
And, in iOS 12, there'll be new
panes configuring some of the
new features, some of which you
heard about earlier this week.
We want to continue to give you
that option to get your users
right to the desktop or home
screen as quickly as possible.
So, next, I'd like to cover two
updates for how MDM servers
should handle both enrolling
devices, as well as ongoing
communication with each of those
enrolled devices, starting with
Apple Push Notification service.
So, if your MDM solution is
still using the Legacy Binary
Provider API, we definitely want
you to adopt the new, modern,
HTTP/2 API, which is far more
capable and efficient.
You can read all about it in the
Communicating with APNs section
of the Networking documentation.
And, since I brought up
documentation, I wanted to take
a moment here to calm the waters
about the MDM and Profile
documentation.
The documentation team is going
through a publishing tools
transition, and the disclaimer
that you might have noticed
looking at the documentation
this week is not an indication
of any change in commitment to
providing up-to-date
documentation for all these
technologies.
In fact, the only reason you saw
that disclaimer is because we
did update both guides on Monday
for both the MDM protocol, and
the Configuration Profile
reference to cover the changes
I'm going to talk about today.
So, next topic is security.
There'll be a number of these
throughout today's session.
This is something that Bob
talked about last year, that we
were going to begin requiring
transport security this year.
And, in fact, we're going to do
that in both iOS and macOS this
year.
Your SCEP server should make
sure to advertise its
capabilities, so that we know
what the highest level of
security you support, and don't
have to fall back to a lower
security encryption algorithm.
We stopped supporting DES last
year.
Definitely support one of the
modern and much more secure
algorithms.
This year, I also wanted to give
you a note on how you can verify
that your server is ready for
this transition as we roll out
the new versions of iOS and
macOS this year.
You can use nscurl against each
of the URL's that your server
supports, and verify that there
are no issues that the
diagnostics find.
Now, let's turn to the new
management controls, commands
and settings.
And, I'd like to start, again,
with everything that's supported
on two or more of our OS's.
You may have heard about some of
the new password features that
we're introducing in this fall's
iOS and macOS releases.
And, of course, we want to
enable you to manage them, via
profile.
So, the great new automatic
strong passwords and AutoFill
features within Safari and
within apps, we have a new
password AutoFill restriction
that also covers the existing
Safari AutoFill feature and
restriction.
We've also added a new password
sharing restriction that covers
all versions of the password
sharing feature, including the
previous WiFi password sharing.
And, this restriction prevents
you from sharing your password
with others.
The last bullet on the slide,
password proximity requests.
This restriction actually is
supported on tvOS as well,
because this feature, or this
restriction, prevents your
device asking others for their
password.
And, if you didn't attend, you
can check out the video of the
password and AutoFill session
which occurred earlier this
week.
We added a new restriction to
prevent users from modifying the
Bluetooth restriction last fall.
And, in the spring, we added a
new MDM command to actually be
able to set the value of that
setting.
And, I'm even more pleased to
let you know that it's not in
Seed 1, but I saw the change go
in yesterday, that this command
will now work even if you have
that restriction in place.
And, we think this will be great
for schools deploying Classroom,
and in other situations where
you want to make sure that
Bluetooth is enabled, or
disabled, as the case may be.
Big customer request, we have
enabled OAuth authentication for
Exchange accounts configured via
profile.
That's in iOS 12, and in macOS
Mojave.
And, a really big one, managed
software updates that we brought
to both OS's this spring.
Thank you.
One person's excited about that.
And when I talked-- just because
I'm excited about it, talk a
little bit more in detail.
It consists of two different
restrictions, one to enable the
feature in the first place, to
put the device so that it will
delay when the user will see a
new update once we release it.
And, an optional parameter that
you can configure the delay
period from 1 day to up to 90
days.
If you don't specify that
setting, it defaults to 30 days.
The scheduleOSUpdate command has
been supported on both platforms
for a long time, and on macOS,
it's always allowed you to
specify which update you
actually wanted to install on
that Mac.
But, in iOS 12-- I'm sorry, this
spring, in iOS, we added the
ability to specify a version
number for just the iOS version
that you have tested with all
the software important for your
organization's devices.
We also added a new Apple
software lookup service, so that
your MDM server can look up the
eligible versions for a
particular device at a
particular time.
And, we have documented that API
to look that up, so that your
MDM solution can populate the UI
presented to the admin.
It's in the MDM protocol guide.
Alright. And, that brings us to
the end of our common section.
And now, I'd like to talk about
some iOS-specific changes.
Again, starting with security.
Now, some of you may have heard
about this change that we
started to make in iOS 11.3, and
now it's back in 11.4.1, and iOS
12.
And, of course, we wanted to
make this manageable as well,
beyond the switch that's in the
UI in iOS 12.
So, there's a new restriction
that allows you to control this
feature, and whether USB
accessories can still connect
devices if they're locked.
And, of course, Configurator
kind of relies on devices being
able to connect via USB, so we
have implemented a special
behavior for those devices.
When Configurator prepares a
device to supervise it, but not
enroll it in MDM, it will
automatically install a profile
that installs this restriction,
and allows those devices to
continue connecting to the Mac
running Configurator.
Alright. Another topic which is
not new, we've talked about it
for a number of years, last year
Prodop [assumed spelling] told
you that we are going to start
honoring the certain set of
restrictions which were created
before supervision existed, but
really should only be honored on
supervised devices.
I want to make clear that these
restrictions are not going away.
They're still going to be
usable, but they will only be
honored on supervised devices.
But, after hearing your
feedback, we decided to delay
one more year, and we'll make
this change next year to help
make a smooth transition.
And, we've also come up with an
upgrade and migration policy
that we think will further
smooth this transition.
Essentially, if a device which
is not supervised has one or
more of these restrictions in
place, they will continue to be
honored even after upgrading to
the iOS version that includes
this change until they're wiped.
So, we'll remember, and we'll
continue to allow you to use
them until that device is wiped,
allowing you to time your
refresh more conveniently.
Of course, any new device
configured, or if you wipe the
device and restore from a
backup, they will get the new
behavior, where each of these
restrictions is only honored if
the device is supervised.
But, of course, if you're wiping
a device, that's a great
opportunity to go ahead and
supervise it before you
configure it again.
Just to refresh your memory,
this is the list with one minor
change that we took advantage of
the fact that we're giving you
one more year.
That in fact, the three Siri
restrictions should also only be
honored on supervised devices,
so this is the list, and we
really mean it this time.
We're going to do it next year.
Be prepared.
Alright. Managed Open In, it's a
great feature, most-- more used
in enterprises, and we've made a
number of improvements, both in
iOS 11.3, and iOS 12, to make
sure that the boundary we've
established between managed apps
and unmanaged apps and sharing
files and data between them is--
behaves the way everyone would
expect.
This included making the Contacts
API respect the boundary in iOS
11.3.
Which of course was exactly what
many customers wanted, but we
know that that did have some
challenges for some
organizations that were
deploying in a specific way.
And, I'd just like to make
clear, that if you are using
Managed Open In, and want a
managed app to manage Contacts,
you need to deploy that managed
Contacts source as a managed
source.
Alright. Now, let's turn to some
of the new settings we've been
adding in this year's software
releases.
A bunch of things we added in
iOS 11.3.
I already mentioned allow USB
accessories while device is
locked restriction, completing
our set of restrictions to allow
you to get classroom behavior on
a supervised device, even if
it's a teacher-created class.
We'll talk a little bit more
about the remote pairing later
on in the tvOS section.
And, that last one I really
wanted to mention, because this
is, again, another long-standing
customer request, that both
schools and businesses love the
Home Screen layout payload, but
they were also using WebClips.
And now, in iOS 11.3, you can
use WebClips in Home Screen
layout payload.
[ Applause ]
Thank you very much.
Moving on to the changes in iOS
12.
Added a couple of new
notification types to the
Notifications payload.
And, another big customer
request, we had a lot of schools
in particular that wanted to
prevent students from changing
the date and time, and there's a
new restriction that essentially
turns on set date and time
automatically on supervised
devices.
Now, this feature will, of
course, only work if we can
reach the time server, or a cell
tower, or location services is
enabled.
But, with that caveat, we think
this is going to meet the need.
We've also made a lot of
improvements to how S/MIME is
managed for Mail and Exchange
accounts configured via profile.
Giving users more flexibility
about when to sign and encrypt,
as well as important changes
to allow them to update the
certificates that they're using
for either feature.
Even when their account has been
configured via profile.
We also took the opportunity to
rename a number of keys to
clarify the purpose.
Of course, the existing keys are
still honored for now.
But, please check the
documentation and update your
implementations.
There's also a number of new
settings in the VPN payload for
configuring IKEv2 connections,
managing your DNS server
settings.
And, one important option that
we added to the Erase Device
command.
Allows you to skip proximity set
up on your way back through
Setup Assistant, further
configuring the device
enrollment experience for an end
user.
This is really important for
deployments for guests that are
using your devices, and if
you're using device enrollment
to provide a fresh experience
for each new guest using that
particular iPad or other device.
Thank you, Eric.
And, finally, due to macOS
Server deprecation, we have
removed support for the macOS
Server account payload in iOS
12.
If you're still using some of
those services as you're
transitioning to a new solution,
you can replace those account
configurations with normal
account payloads.
Next, I'd like to give you a few
tips on troubleshooting issues
with delivering and executing
MDM commands on enrolled iOS
devices.
There are a number of logging
profiles which you can obtain at
the link at the bottom of the
screen.
And, all of the URL's are going
to be available at the More
Information link, which will be
at the end of the session, so
you don't have to feverishly
copy those down.
Depending on what type of a
problem you're investigating,
you can install either both the
MDM and/or the Apple Push
Notification service profiles.
Once you've reproduced the
problem, you can get those logs
using Console or Apple
Configurator 2.
And then, look through the logs
by process, depending on what
kind of a problem you're
investigating.
Whether you're looking at
communication, or connection
issues.
Installing profiles or apps, or
working with Shared iPad.
Now, next I'd like to turn to
cover some topics that are of
particular interest to app
developers, who would like to
sell their apps to schools and
businesses.
Or, as I like to call it in
honor of the biggest fan of
initial iPhone, say it with me,
the developers, developers,
developers section.
I'll first cover some topics
specific to education apps,
before continuing with some
topics for enterprise apps.
At our education event in
Chicago in March, we announced a
brand-new app for teachers
called Schoolwork.
Schoolwork allows teachers to
easily share content with their
students, leveraging the power
of your apps.
And then, they can view student
progress across all of their
work within those great apps.
Helping them to tailor
instruction to the needs of each
of their students.
And, also allowing them to
collaborate and provide instant
feedback on what their students
are learning quickly, and where
they might need a bit more
support.
Now, all of this is based upon a
new framework called ClassKit.
And, that's where you come in.
Apps which adopt ClassKit
integrate with Schoolwork in
order to help teachers discover
assignable activities within
your app, to take students
directly to the right activity
for what they're supposed to be
working on.
And, most importantly to
securely and privately share
that progress data as they work
through those tasks with their
teachers.
Now, they had a session
yesterday, and I encourage you
to watch their video.
Alright. While I have,
hopefully, your attention, I'll,
you know-- MDM developers are
developers too, so this is
really more for them.
But, I wanted to make sure I
kept their attention.
They didn't start tuning me out.
So, the Roster API is how MDM
servers can get class
information from Apple School
Manager.
And, we have had this class name
field for a while.
And, we want to encourage you to
use that as a display name in
your MDM console, as well as
what you pass along to Classroom
via the education payload, the
configure managed classes.
This is because Schoolwork is
using that field, and we'd like
to achieve a consistent
experience for teachers using
both apps.
The reason you might not be
already doing this, is because
of class name's history.
Before January, it was there in
the API, but we actually didn't
return a value.
In January, we began returning a
value that was derived using
logic in Apple School Manager.
But, this month, we're going to
start allowing administrators to
configure that name based on how
the school names their classes,
and what the teacher will expect
right within Apple School
Manager.
So, again, if you're not
currently using that to
configure the education payload
for Classroom, please start, so
we can achieve that great
experience for teachers.
Want to, again, remind you about
Shared iPad.
If you want your app to be used
in Shared iPad, need to make
sure that it doesn't depend on
any data being available locally
on a new device.
When a student moves, and signs
into a new Shared iPad.
Persist all of the app data to
the cloud, whether that's our
cloud, or your cloud.
And, while we'd, of course,
prefer that you test your app on
a real Shared iPad, you can
simulate this by deleting all
the local data, and then making
sure that your app still works
well.
Also like to encourage you to
adopt managed app configuration.
There are thousands of
developers who have, and have
created a number of shared
schemas that can make it-- your
app much more friendly to
education and enterprise, by
enabling them to create a
customized experience for their
employees or students, to
customize the look of the app,
or to prepare some custom data
to warm up the app so they get
the right experience at first
launch.
Here's the URL for the site to
learn all about it.
Again, that will be available on
the More Information page later
on.
We also have a number of great
enterprise partners, who've
provided SDK's to make the power
of their services available to
your apps.
From IBM's Watson to allow you
to do machine-learning models,
and we have great pages on our
developer.apple.com website.
They're really hard to figure
out, because they're slash and
then the company name.
But, I encourage you to check
those out, and see what you can
do within your apps.
And, finally if your app depends
on network performance, for some
time now, we've enabled you to
configure that with profiles for
enterprise apps and MDM
solutions.
But, this year we've added a
number of new quality of service
keys to allow you to fine-tune
it even further.
Encourage you to check out the
networking session, if your app
is sensitive to network
performance, to find out how you
can achieve the best performance
on our platforms.
And, that brings us to the end
of our iOS-specific section.
So, following the pattern
established by this week's
keynote, let's turn next to
tvOS.
Now, with tvOS, we, over the
past number of years and
releases have been playing a
little bit of catch up and
adding some of the great
features for device management
that we had previously had for
iOS and macOS.
And, I'm very pleased to let you
know that we continued to do
that this year.
This spring, adding the ability
to configure content
restrictions, just like you can
on iOS and macOS.
And, enabling you to lock down
which app, or which devices, can
use the Remote app to manage a
particular Apple TV.
This is great in the classroom,
so that the teacher can just
have the Remote app on her
phone, and you cannot need a
physical remote in the
classroom.
No student would ever get up to
no good with one of those.
And, perhaps, even more
important, some great key
features of the device
management experience.
Being able to install App Store
apps on Apple TV.
Thank you.
[ Applause ]
And, being able to update to the
latest version of tvOS via MDM
command, just like another Apple
device.
[ Applause ]
Thank you.
And, we think that combining
these new features with some of
the features that we've added
over the past few releases, you
can do some amazing things with
Apple TV, on its own, and in
combination with other Apple
devices.
Provide new experiences to your
guests.
So, to illustrate the
possibilities, I'd like to
welcome you to the entirely
fictional Hotel Cupertino.
Such a lovely place.
Where each enrolled Apple TV is
programmed to receive commands
from the hotel's MDM server.
For example, including updating
to the latest version of tvOS.
And, installing a custom
enterprise app to allow your
guests to manage their
experience, including ordering
of room service, when they get a
hankering for pink champagne on
ice, or informing them about
options for exploring the area.
You can also provide your guests
with great entertainment
options, when they're actually
spending time in your room, by
installing App Store apps.
And, this is the time when I
would love to share a clip of my
favorite show, Game of Thrones,
with you, but we don't have time
for that right now.
So, assuming your guests
actually ever leave the room,
and take some photos, they can
of course, use AirPlay to share
those photos, and display them
on the big screen in the room
you've provided to them.
So, this is just one example of
what can now be done with Apple
TV by managing it remotely.
But, of course, there are many
other types of businesses that
could take advantage of these
capabilities to provide amazing
experiences to their guests,
including integration with the
Apple devices they're already
bringing with them.
We look forward to seeing the
fruits of your creativity, even
if it doesn't involve dragons.
So, that brings us to the end of
our tvOS section.
And, last but not least, macOS,
just like in the keynote.
So, let's start right at the
beginning, installing macOS.
And, I'd like to make everyone
aware of the great new command
added to the macOS installer
this spring, called
startosinstall.
If you're installing from and to
your computer startup disk, you
can use this command.
And, it supports all the latest
Mac hardware.
It also includes some great
features that allow you to
install packages on top of the
freshly installed macOS.
And, an option to start fresh,
and erase that partition before
you install the new version of
macOS.
Of course, once you've installed
the OS, you want to get enrolled
for remote management.
And, we received some feedback
from some of our enterprise
partners in particular, that
they really prefer the iOS
experience, and felt it was more
user friendly.
So, we're going to take that
feedback, and simplify, and make
the macOS MDM enrollment
experience match iOS.
It's not in Seed 1, but you will
see it soon in macOS Mojave.
I told you there were more
security topics.
Here's another one.
We want to strongly encourage
our MDM partners to take
advantage of this new capability
to make enterprise app manifest
delivery more secure.
The transition is easy because
we're continuing to support the
existing installApplication MDM
command to install enterprise
apps, but we really want you to
switch to one of the new methods
using the new
installEnterpriseApplication
command as soon as possible.
There're two options.
You can either specify the
manifest right within the
command, inline.
Or, you can specify certs that
we'll use later to pin our
request to fetch the manifest.
Please read up about this, and
make the switch as soon as you
can.
Now, this is not actually a
change so much, because none of
these six payloads ever worked
to install in a system profile.
But-- because they only make
sense in a user context.
But, next year, we're going to
start treating installing any of
these payloads in a system
profile as a hard failure.
So, you have some time to
prepare for that, and make sure
you're not already doing that.
Now, let's talk about some of
the new things we've added in
this year's macOS releases.
Big customer request, you can
now mark generated private keys
as not exportable, so the user
can't get access to them on
their Mac.
We added content caching last
fall in macOS High Sierra.
And now, you can configure it
via profile.
And, we've added a number of new
controls for managing how smart
cards are used on your
organization's Macs.
Thank you.
Smart cards.
Last fall, we introduced a new
concept for enrollments on Macs
called user-approved MDM.
And, this is to protect features
that should really only be
available on an
organization-owned Mac, and be
tied to affirmative consent from
a user or an admin, and not
configured via rogue script.
The first example was the kernel
extension permissions.
And, we introduced this in
10.13.2, although user-approved
MDM enrollments was not actually
required until 10.13.4.
There will be more security
features that will fall into
this group.
So, this is something that's
going to be with us, and in
fact, next thing I want to talk
about also requires
user-approved MDM.
And, that's the additional
support we made for testing apps
for high stakes testing apps on
the Mac, so they can achieve the
controlled environment that they
require.
That support requires both an
entitlement, as well as a Mac
which has a user-approved
enrollment.
And, just like for iOS and tvOS,
I'd like to give you some tips
on troubleshooting issues with
communicating with enrolled
devices.
Similarly, you can install the
right logging profile for a
managed client, or again, Apple
Push Notification service.
Get the logs using Console, and
it's a lot simpler-- you can
just filter for the Managed
Client process on the Mac.
But, I also wanted to highlight
the profiles command line tool.
It's a Mac, we've got Terminal.
You can, of course, use it to
install and remove profiles, but
it also has some great features
for verifying your deployment.
The first we added this spring,
allows you to verify whether the
enrollment is user-approved,
with the profiles status command.
And, new in macOS Mojave,
there's a validate command that
allows you to confirm, or tells
you any differences between the
device enrollment profile in the
cloud, and what's actually
configured on the device at that
moment.
So that you can more easily
detect when your change that you
know you've already made in the
cloud hasn't been reflected on
the Mac yet, or the device has
become unconfigured.
So, that brings us to the end of
our content for today.
And, I'd like to quickly sum up
some of the takeaways for the
different groups, and different
audiences for this talk.
Administrators, we hope you love
having access in more places for
Apple School Manager, and now
Apple Business Manager to manage
all of your organization's
accounts, devices, and apps and
books.
Take advantage of all those new
device management capabilities
that we've talked about today.
And, prepare for the security
changes that will impact your
deployments.
For MDM developers, of course,
we need you to support all these
new features, because the
administrators won't be able to
take advantage of them until you
do, in the solution that they've
already paid you for.
Please get on adoption of those
security features to help us
make sure that we are keeping
the communication between
enrolled devices and your
product as securely as possible.
And, finally, app developers.
Take advantage of all these
great technologies that we've
made available to you on our
OS's from ClassKit and Shared
iPad for schools, to managed app
configuration for all kinds of
apps, and then the enterprise
features for enterprise apps.
We have a number of labs, one
later today after lunch.
And then, tomorrow morning.
And, if you'd like to learn more
about the new password and
AutoFill features, they also
have a lab tomorrow afternoon.
And, with that, I'll thank you
for your attention, and hope you
enjoy the rest of the show.
Thank you very much.
[ Applause ]