Business functions: What companies need to know about iOS 14

The operating system updates iOS 14 and iPadOS 14 announced for autumn bring numerous practical features such as clever widgets, an app library, app clips or more options for shortcuts and put the topic of data protection even more in the spotlight. But there are also a myriad of business-relevant functions that companies and especially their IT department should carefully check and evaluate before using iOS 14 or iPadOS 14. Here is a selection.

With iOS 14, Apple made some improvements to the integrated Kerberos SSO extension, especially for per-app tunneling. Per-app tunneling for the SSO extension means that users outside the corporate network can also receive Kerberos tickets for SSO and manage their Active Directory password. The single sign-on Kerberos extension has existed since iOS 7, with iOS 14 it also has new configuration options, such as:

• custom username (customUsernameLabel)

• Help text (helpText)

• Credential caching (monitorCredentialsCache)

• the configuration of a replication time (replicationTime).

Apple previously supported VPN configurations that affect the entire device, domain-specific VPNs, and VPNs per app. With the new operating system version iOS 14, Apple is now adding a new function called VPN per account. Administrators can therefore select MDM-VPN configurations via VPNUUID specifically for different account types, such as

• CalDAV

• CardDAV

• Exchange ActiveSync

• Google account

• LDAP

• Mail

• Subscribed Calendar.

All traffic that goes through these accounts is tunneled through the specific VPN configuration to increase data protection and security. Administrators are thus able to assign several account-based profile payloads to a VPN connection. Personal or unmanaged accounts do not use the specific tunnel.

With iOS 14, DNS configurations can now be configured per profile for secure DNS access (DNS-over-HTTPS / DNS-over-TLS). To do this, the transport protocol is defined as a string (HTTPS or TLS) using the DNSProtocol configuration key. The IPv4 / IPv6 address of the DNS server can be maintained via the parameter ServerAddresses, the host name of a DNS-over-TLS server (for validating the server certificate in accordance with RFC 7858) via the configuration key ServerName. This key may only exist if TLS is used as the DNS protocol. If the previously named ServerAdresses information has not been maintained, ServerName is used to determine the server addresses.

For a DNS over HTTPS server (RFC 8484), the URL must be used to validate the server certificate. This key may only exist if HTTPS is used as the DNS protocol. Finally, the administrator defines a list of domain strings. It is used to determine which DNS queries the DNS server should use (SupplementalMatchDomains). If no content is passed here, all name resolution requests run via the DNS server.

With iOS 14, administrators can now simply mark managed apps as non-removable, instead of – as before – blocking the entire start screen and blocking the removal of any apps on a device. This gives the user back a little more control over their homescreen. At the same time, it ensures that it cannot remove (critical) business applications. This is a real help for users as they can rearrange their home screens, add new apps and delete other installed apps without IT losing control of the company’s own applications.

This option is intended to help increase SSO security in iOS / iPadOS 14, since administrators can now ensure that an app uses SSO credentials.

With iOS 14, devices use randomized MAC addresses by default when connecting to Wi-Fi networks. If such a connection fails, the devices can use the real hardware MAC address to retry – provided the user has configured this in the WiFi settings. As an alternative, administrators can deactivate this procedure in advance using MDM (DisableAssociationMACRandomization: boolean) and thus force the login with the real hardware MAC address.

With iOS / iPadOS 14, administrators also have new options for dealing with the new features of the operating system. For example, app clips can be allowed or prohibited (allowAppClips: Boolean). Another exciting news is that administrators can force delayed software updates of apps.

Apple has also worked in many other places. With notifications, administrators now have the option of being able to define the display for the notification preview (PreviewType: 0 always, 1 only after unlocking the device or 2 never). For the SCEP configuration (Simple Certificate Enrollment Protocol), the key size (keysize) of 4096 bits was included.

Usually, every new iOS version with new onboarding screens is introduced in the setup wizard. These screens have long been able to be hidden individually (by default) for the user as part of the DEP (Device Enrollment Program). However, iOS 14 and iPadOS 14 now allow administrators to configure a new profile. With this you can also skip the dialogs that appear as part of a device update with subsequent restart. A DEP device is not absolutely necessary, a supervised device is sufficient. This is great for companies that automate this process and strive to really keep it “zero-touch”.

As many users and administrators know, an incorrectly set time zone on a device can lead to problems, for example with key services such as authentication and with applications that depend on precise time stamps. GPS-based navigation is also affected. With the help of a new MDM command, administrators can now set which time zone should apply to a device without having to access local services. This is particularly helpful in scenarios in which the location services are or must be deactivated.

With iOS 14, Apple has also made changes to location services. Location services can now return either an exact or an approximate location based on the user’s choice. This can affect the location tracking of various EMM solutions that offer something like this with their MDM agent apps. By default, Apple does not allow location via MDM system unless the device is marked as lost. However, there are workarounds. To find out to what extent you are or will be affected here, you should take a look at the solution you have implemented.

There is also news about the Apple Business Manager (ABM). So far, only Azure AD could be used as an identity provider (IdP) to authenticate users for the Apple Business Manager and to issue authentication tokens. Because the ABM supports Azure AD, other IdPs related to Azure AD – such as Active Directory Federated Services (ADFS) – also work with the ABM. The ADFS use Security Assertion Markup Language (SAML) to connect Apple Business Manager to Azure AD. In this way, Apple user accounts, which belong to an organization and are managed by it, could be created on the basis of Azure AD – by the first login of the user. Account management tasks such as creating, deleting and managing passwords were / are carried out here by IT administrators.

The managed Apple IDs created in this way could be used by users to personalize their devices and / or to access Apple services. For example, employees in the ABM u
se them to log on to them and perform tasks such as device management and the purchase of applications for a company. Some functions in handling and the possibilities with Apple devices, such as user registration or shared iPad, are only available for use with managed Apple IDs. However, this was not a solution to the challenges that arise from (spontaneous) resignation of employees, renaming (after marriage / separation) or similar cases.

With SCIM you can extend this by the “life cycle” of a user ID or a group of IDs. The abbreviation SCIM stands for “System for Cross-Domain Identity Management”. It is a data scheme for describing people (and groups) based on an open standard for the automated provision of user accounts.

The standard, based on REST interfaces, mediates user identity data between identity providers (such as Microsoft Azure) and service providers who need this data (such as Apple Business Manager or Apple School Manager). Even if Apple announced this independently of iOS 14, this feature is not yet activated.

It happens from time to time that IT administrators want to blacklist apps. The apps are addressed using bundle IDs. Since iOS 14 has also added new apps here, here is a list of the possible bundle IDs for the build-in apps (as of iOS 14 Beta 2). (mb)

• Activity -> com.apple.Fitness

• App Store -> com.apple.AppStore

• Apple Store -> com.apple.store.Jolly

• Books -> com.apple.iBooks

• Calculator -> com.apple.calculator

• Calendar -> com.apple.mobilecal

• Camera -> com.apple.camera

• Clips -> com.apple.clips

• Clock -> com.apple.mobiletimer

• Compass -> com.apple.compass

• Contacts -> com.apple.MobileAddressBook

• FaceTime -> com.apple.facetime

• Files -> com.apple.DocumentsApp

• Find My -> com.apple.findmy

• GarageBand -> com.apple.mobilegarageband

• Health -> com.apple.Health

• Home -> com.apple.Home

• iCloud Drive -> com.apple.iCloudDriveApp

• iMovie -> com.apple.iMovie

• iTunes Store -> com.apple.MobileStore

• iTunes U -> com.apple.itunesu

• Mail -> com.apple.mobilemail

• Maps -> com.apple.Maps

• Messages -> com.apple.MobileSMS

• Measure -> com.apple.measure

• Music -> com.apple.Music

• News -> com.apple.news

• Notes -> com.apple.mobilenotes

• Phone -> com.apple.mobilephone

• Photos -> com.apple.mobileslideshow

• Photo Booth -> com.apple.Photo-Booth

• Podcasts -> com.apple.podcasts

• Reminders -> com.apple.reminders

• Safari -> com.apple.mobilesafari

• Settings -> com.apple.Preferences

• Shortcuts -> com.apple.shortcuts

• Stocks -> com.apple.stocks

• Tips -> com.apple.tips

• Translate -> com.apple.Translate

• TV -> com.apple.tv

• Videos -> com.apple.videos

• Voice Memos -> com.apple.VoiceMemos

• Wallet -> com.apple.Passbook

• Watch -> com.apple.Bridge

• Weather -> com.apple.weather