New iOS 18 and watchOS 11 Enterprise Features: Everything You Need to Know
Introduction
At its latest Worldwide Developers Conference (WWDC) this past summer, Apple announced several new features for all its major platforms, which will be available in the upcoming iOS/iPadOS 18, watchOS 11, macOS 15 and visionOS 2.0 releases on September 16th. They include important enhancements in the areas of security and privacy, as well as enterprise device management, which we will discuss in depth.
UEM vendors are currently working on integrating the new enterprise features and management capabilities brought by the new OS updates into their own solutions, so that they are ready when Apple officially releases them. In the meantime, beta versions are already officially and publicly available for any customers willing to test them in advance on test devices.
Consumer Features
Satellite Messaging
Expanding the Emergency SOS via satellite feature introduced with iOS 17 and available on iPhone 14 and later models, Apple is introducing Satellite messaging, which allows users to send SMS and iMessages, including emojis and Tapbacks, even when no Wi-Fi or cellular connectivity is available. While pricing and subscription details have not yet been disclosed, the Emergency SOS service is free for three years on iPhone 14 and two years on iPhone 15.
Support for RCS
Apple has enabled RCS messaging with the release of iOS 18, as announced in June 2024 at Apple's Worldwide Developers Conference (WWDC24), providing greater interoperability between iPhone and Android users.
Rich Communication Services (RCS) is a messaging protocol designed to upgrade the traditional Short Message Service (SMS) and Multimedia Messaging Service (MMS) systems, bringing many features that are common in modern messaging apps like iMessage, such as read receipts, audio messages, high-resolution photos and videos, real-time typing indicators, larger file sizes and file sharing, cross-platform emoji reactions as well as the possibility of sending messages over either cellular (SMS only) or Wi-Fi networks (free of charge for RCS messages).
For now, this new feature is limited to the United States only, with the main mobile providers including T-Mobile, AT&T, and Verizon; Mobile Virtual Network Operators (MVNOs) do not currently support it.
Apple Intelligence
Apple announced exciting new generative Artificial Intelligence (AI) features, coming later this year to iOS 18, iPadOS 18, and macOS 15; they also confirmed that they will be providing device management controls for various Apple Intelligence features as they become available.
Apple Business Manager Enhancements
Domain Capture and Account Transfer
New domain capture and account transfer features will allow organizations to control the creation of Managed Apple accounts and force newly created accounts to be Managed Apple ID accounts only, which until now was only possible by integrating an Identity Provider (IdP).
Also, when an organization initiates account capture, users can choose between converting their personal account to a Managed account, or keeping it personal and choosing a different email address. If no action is taken after 30 days, the account is renamed automatically.
Activation Lock Management
IT administrators can now disable Activation Lock for organization-owned devices such as iPhones, iPads, Mac computers, Apple Watch and Vision Pro devices. This applies to both the organization and the user activation lock, which is useful for Mac computers where the lock was enabled by the user prior to the device's enrollment with a UEM solution.
Support for Apple Watch and Apple Vision Pro
Apple Watch and Apple Vision Pro devices can now be managed within Apple Business Manager (ABM), bringing new Activation Lock capabilities as well as the existing Automated Device Enrollment (ADE) options.
iOS 18, iPadOS 18, and macOS 15 Management Enhancements
Safari Extensions Management
Safari extensions can now be managed for iOS, iPadOS and macOS devices, allowing IT administrators to define which extensions are allowed, whether they are active or not, and which websites they can access based on their domain/sub-domain. This lets organizations enforce security and improve user productivity in both standard and Private Browsing modes.
Software Update Management
- Automatic software update behavior
- Rapid Security Response (RSR) behavior
- Deferral of software update (1-90 days)
- Whether local administrator authorization is required to perform an update for macOS
- Enrollment into beta programs (support for macOS later this year)
- The default notification behavior when enforcing software updates
- The visibility (recommended cadence) of software updates (iOS and iPadOS only)
- Beta program registration and management
Managed Device Attestation
Attestations will only be issued to Apple devices meeting specific hardware requirements.
- iPhones, iPads, and Apple TVs with an A11 Bionic chip or later
- Mac computers with Apple silicon (M1 and above)
macOS Management Enhancements
Platform Single Sign-On (SSO)
Platform SSO has been improved to require Identity Provider (IdP) authentication when accessing FileVault, the Login window or the Lock screen. Optional configurations for Touch ID or Apple Watch unlock are also available.
External Storage Management
A new disk management declarative configuration allows IT administrators to control access to both external and network storage (e.g. SSD drive, USB key…) by allowing, disallowing or limiting volume mounting to read-only, thus providing greater data control.
iOS 18 and iPadOS Enhancements
Hiding and Locking Apps
Users can now lock apps using Face ID, Touch ID or a passcode and hide them from the Home Screen. When an app is locked or hidden, its content, including email or SMS messages, is sealed from search results, push notifications and any other system use, ensuring it remains private and cannot be seen by anyone.
Organizations can restrict hiding and locking for all apps on supervised devices, and on a per-app basis for managed apps. Note that for device enrollments, hidden apps will still be visible to the UEM solution, while for user enrollments, hidden managed apps will still be visible.
Stolen Device Protection
Introduced with iOS 17.3, Stolen Device Protection added an additional layer of security for when an iPhone is away from familiar locations like home or work, by forcing a security delay when performing critical operations on the device such as UEM enrollment, adding a Microsoft Exchange account and manually installing some payloads (e.g. passcode).
With iOS 18, a special exception was added: enrolling a device with a UEM solution when it has no familiar location will not cause a security delay for the first 3 hours after Stolen Device Protection is enabled.
visionOS 2.0 Enhancements
Zero-Touch Deployment for Vision Pro
With visionOS 2.0, Apple is adding Automated Device Enrollment (ADE) as a new option to enroll Vision Pro devices. This brings zero-touch deployment capability to Vision Pro, in line with iPhones, iPads and Mac devices, allowing organizations to automatically enroll these devices with their UEM solution straight out of the box and ensuring a seamless enrollment experience for users.
Availability from MDM Vendors
Both iOS/iPadOS 18 and watchOS 11 are expected to be publicly available in mid-September 2024; developer and beta versions are already available to app developers, MDM vendors and enterprise customers, so they can test the new features, deploy new apps and adapt their MDM solutions to support them.
Major MDM vendors confirmed that they will provide Day 0 support for iOS/iPadOS 18, macOS 15, watchOS 11 and visionOS 2.0, which means devices running these OS versions will be manageable using their solutions, although not all new enterprise management features brought by Apple will be available and actionable yet.
Compatibility
iOS 18 will be available on all iPhone devices that support iOS 17; there are no changes this year.
This is not the case for other devices, though, which will not be able to update to the latest version:
- iPad (6th generation and later)
- MacBook Air (2018 and later)
- Apple Watch SE
- Apple Watch Series 4
- Apple Watch Series 5
Limitations
Profile-Driven User Enrollment
This enrollment method was already deprecated last year, and support will be removed completely in iOS/iPadOS 18 and macOS 15; all UEM software vendors have been advising about this for a while and recommending other enrollment methods instead.
Devices already enrolled will continue to work and remain MDM managed, but it will no longer be possible to enroll new devices using that method; Apple recommends using the Account-driven User Enrollment method instead for new BYOD deployments.
Can't Use Apple ID on This Device
Due to conflicting technology, once used with iOS 18, Apple ID accounts can only be used on iPhone and iPad devices running iOS/iPadOS 16.3 or later, and Mac computers running macOS 13.1 or later.
Organizations should perform an inventory of their fleet of Apple devices before updating them to the latest version, to have a global overview of which devices are compatible and will be updated safely, and which ones should be removed.
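One way to run that inventory check against a UEM export, as an added example that is not part of the original article: it flags devices below the minimum versions stated above (iOS/iPadOS 16.3, macOS 13.1). The CSV column names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Minimum OS versions the article states for an Apple ID used with iOS 18.
MIN_VERSIONS = {"iOS": (16, 3), "iPadOS": (16, 3), "macOS": (13, 1)}

# Constructed sample inventory; the column names are assumptions, adapt
# them to whatever your UEM export actually contains.
SAMPLE_INVENTORY = """serial,platform,os_version
SAMPLE0001,iOS,17.6.1
SAMPLE0002,iOS,16.2
SAMPLE0003,iPadOS,16.3
SAMPLE0004,macOS,12.7.6
SAMPLE0005,macOS,13.1
SAMPLE0006,watchOS,10.5
SAMPLE0008,macOS,unknown
"""


def parse_version(text):
    """Turn '16.3.1' into (16, 3, 1); return None if not numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def classify(row):
    """Return 'ok', 'below_minimum' or 'review' for one inventory row."""
    minimum = MIN_VERSIONS.get(row["platform"])
    version = parse_version(row["os_version"])
    if minimum is None or version is None:
        return "review"  # platform not covered by the article, or bad data
    # Pad short versions so that '16' is compared as (16, 0)
    padded = version + (0,) * (len(minimum) - len(version))
    return "ok" if padded >= minimum else "below_minimum"


def audit(csv_text):
    """Group serial numbers by classification."""
    report = {"ok": [], "below_minimum": [], "review": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report[classify(row)].append(row["serial"])
    return report


if __name__ == "__main__":
    for status, serials in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(serials) or '-'}")
```

Rows that land in `review` (a platform the article gives no minimum for, or an unparseable version string) need a manual look rather than an automatic pass.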
Conclusion
These updates highlight Apple's dedication to advancing device management in enterprise environments, with improvements in security, deployment, and the overall manageability of Apple devices. As a leader in digital workspace transformation, the team at ISEC7 is well-positioned to help organizations take full advantage of these new features for iOS, iPadOS, and macOS, providing a seamless and secure device management experience.
It is important for enterprises to pay attention to updates to help lower security vulnerabilities and ensure their devices run smoothly. The team at ISEC7 can help with incorporating the new iOS 18 into your pre-existing enterprise deployment to ensure all business and operational use cases are addressed. Please feel free to contact us with any inquiries and we would be happy to assist you.