Apple has made some significant changes in macOS Catalina and introduced a couple of new concepts that are sure to become more important in future releases. This blog walks you through macOS 10.15 Catalina – what it means to your business and how Workspace ONE, which is recognized as an industry-leading UEM platform by analysts, helps you make the most of it.
Custom Automated Enrollment
With the releases of macOS Catalina and iOS 13, Apple has enhanced the onboarding capabilities of automated enrollment (formerly DEP) through Apple Business Manager (ABM). This enhancement allows Workspace ONE to present a customized onboarding web screen, giving admins an array of options to help streamline the enrollment process and drive adoption. These options include displaying company branding, offering multiple authentication options such as token, SAML, or MFA, or even requiring a custom Terms of Use acceptance. User acceptance is required for each option before they can continue through Setup Assistant, allowing IT admins to tighten security practices and standardize their enrollment process for corporate-owned devices within Workspace ONE.
Primary User Account Customization in Setup Assistant
In Workspace ONE UEM, admins can now customize the Primary User Account created in Setup Assistant following an enrollment through ABM. Admins can specify the user’s full name and their organization username, with support for dynamic lookup values, so that the fields are pre-populated correctly. To further streamline the process, the admin can even disable the user’s ability to edit those fields so they can’t break their own access to domain integration services like password syncing, printing, file shares, etc.
System Extensions Profile Settings
macOS Catalina introduces System Extensions and DriverKit to help developers maintain extensions inside their app rather than requiring Kernel Extensions (“kexts”). This makes for easier installation and increases the stability and security of macOS. It’s unlikely apps using System Extensions will be available from day one of Catalina release, but once app developers start adopting them, users will be prompted to allow these new extensions to run. Using the System Extensions profile, admins can create a whitelist of specific accepted system extensions in Workspace ONE UEM that will eliminate these prompts. Also, for greater security, admins can disable the user’s ability to approve additional system extensions.
New macOS Supervision Status
First introduced with iOS 5, Catalina brings support for supervision to the Mac. This is a new status in macOS Catalina when using ABM or Apple School Manager to enroll into Workspace ONE UEM. All devices enrolled through ABM will now be supervised, and all devices previously enrolled through ABM will be converted to supervision. Devices that were not originally enrolled through ABM will need to be re-enrolled to become supervised.
A supervised device provides organizations with additional control over its configuration and restrictions. At this time, there are not yet any available macOS commands requiring supervision, but we will keep you informed as this new status matures over time. In the meantime, admins have a window to make the transition with their managed devices in Workspace ONE.
Single Sign-On (SSO) Extension
This new functionality allows admins to target specific applications from Identity Providers (IDP) to perform SSO functionality. This requires an IDP to create an MDM configurator app that directs them to specified domains for redirect or credential SSO. Understanding that this is a new functionality that requires adoption by the IDP community, Apple has pre-built functionality for the Kerberos extension into macOS 10.15 for those who use Active Directory. Admins can also create generic extensions that are targeted to third-party IDPs.
Associated Domains
Associated domains are used by developers to establish a connection between a domain and an app in order to share credentials, to enable features in the app that are dependent on the website (universal links), or for SSO Extension. In Workspace ONE, admins can now associate multiple domains with an app in addition to those that have been defined in the app itself so it’s not necessary to make adjustments to code when new domains are introduced.
Privacy Preferences Profile Control
Catalina has new protected areas within the OS, access to which would typically require a user to accept a system prompt. Workspace ONE UEM gives admins the ability to enable app access to these areas without prompting users. Many users are conditioned to reflexively deny access when prompted, which could effectively shut down apps that may be critical to employee productivity. By expanding admin control over this process, Workspace ONE can help avoid or eliminate those scenarios.
Handoff Restriction
Apple’s Handoff capability allows a user to pass off functionality from one type of Apple device to another. For instance, copying text on an iPhone and pasting it to a document on a Mac. With macOS Catalina, admins now can disable this function to prevent potential data loss.
