WWDC Highlights: macOS Ventura

macOS Ventura comes with powerful productivity tools, and the recently announced Continuity features make the Mac experience better than ever. Alongside the user-facing features there are many updates for IT teams: new deployment options, identity integrations, new security controls and finer control over software updates. Let’s start with deployment. 

Zero-touch deployment is the most efficient way for IT to deploy Apple devices directly to users. With zero-touch deployment, it is possible to automatically enrol organisation-owned devices into the MDM solution. IT teams don’t have to physically touch devices to provision them before users get them. 

This is where the ability to skip specific Setup Assistant screens makes setup even smoother for the user. 

· When a user turns on their Mac for the first time, they get the option to select language and country. 

· Enrolment into MDM is integrated directly into the familiar Setup Assistant experience. The user is then brought to their Desktop, and the MDM solution finishes configuring the Mac. 

The new System Settings, redesigned to be easier to navigate, shows that the Mac is managed and which settings have been deployed. This gives both administrators and end-users clarity about the management state of the device and what the MDM solution can do. Additionally, apps can be deployed directly or made available in a self-service app catalogue provided by your enterprise’s MDM solution. 

Here are some of the major changes that you should look out for in macOS Ventura: 

Network requirement for Setup Assistant 

Automated Device Enrolment uses internet access during Setup Assistant so that the device can check in with the MDM solution and receive the initial configuration and instructions for enrolment. 

· Apple silicon or T2 Security Chip: Previously, the internet connection could be bypassed during Setup Assistant, allowing users to accidentally, or intentionally, skip enrolment into MDM. To make sure enterprise-owned Macs (Apple silicon or an Apple T2 Security Chip) follow the intended process, these devices will always require an internet connection during Setup Assistant after the first time they successfully connect to the internet. 

· Enforced after erase or restore: The first time a Mac running macOS 13 is set up while connected to a network, it is recognised as owned by the organisation. As long as the device remains registered to the organisation, Setup Assistant will require a network connection to proceed whenever the device is erased or restored. 

Single Sign-on extension 

· Single system-wide extension: Introduced with macOS Catalina and iOS 13, SSO extensions let a user enter their identity provider credentials once, so that subsequent apps and websites don’t ask them to re-authenticate. Previously on the Mac, an SSO extension only became active after the user had logged in with local credentials; macOS Ventura loads a single system-wide extension, which is what makes it usable before login. 

· Enables the new Platform SSO for Mac: In macOS Ventura, Platform SSO builds on SSO extensions to extend them to the macOS login window, allowing existing users to unlock their Mac with their identity provider (IdP) password. 

Platform SSO for Mac 

· Identity provider SSO at the login window: With Platform SSO, an identity provider can be used at the macOS login window; the tokens obtained at login are made available to third-party SSO extensions or to the built-in Kerberos extension. 

· Initial login with the local account password: Users sign in once at the login window and are then automatically signed in to apps and websites. The very first login still uses the local account password, which is what unlocks FileVault on the device; this also lets users log in while offline or behind a captive network. After that, the identity provider password can be used to unlock the Mac. 

· Supports unlock with Touch ID and Apple Watch: Users can also unlock their Mac with Touch ID or Apple Watch. 

· Local password is kept in sync: The local account password is automatically kept in sync with the identity provider password, so the two always match. 

· Requires vendor support: To enable this feature, enterprises need support from their identity provider vendor, whose SSO extension must implement Platform SSO. 

Manual Certificate Trust 

· No TLS trust policy by default: iOS 10.3 changed the TLS trust policy for manually installed certificate payloads to better protect users: such certificates are not trusted for TLS until the user explicitly enables trust. macOS will follow in a future release, where manually installed certificate payloads will no longer be trusted for TLS unless the user grants trust in Keychain Access. 

· Full trust for MDM certificates: Certificates delivered in an MDM-installed profile will continue to receive full trust, but workflows that rely on users installing certificates interactively should be updated. 

Accessory Security 

· Users consent to allow new accessories: Accessory security in macOS Ventura aims to protect users from close-access attacks. It is supported on Macs with Apple silicon; the initial configuration asks the user to approve new Thunderbolt or USB accessories, even while the Mac is unlocked. 

· Approved accessories can connect to a locked Mac for up to three days: If an unknown accessory is attached to a locked Mac, the user is prompted to unlock the Mac before it can connect. 

· USB Restricted Mode supported on Mac: Some environments need to bypass the user approval step. MDM solutions can control this through the USB Restricted Mode restriction, which can be set to always allow Thunderbolt and USB accessories. 

Managed Software Updates 

· Defer updates for up to 90 days: Managed Software Updates lets IT teams defer updates for up to 90 days, which gives time to test before deployment. 

· User deferral quota: macOS Monterey introduced new controls, including the ability to enforce updates with a user deferral quota, which gives users a set number of deferrals before an update is installed. 

· Deferral reporting and Power Nap support: In macOS Ventura, admins get better reporting on the number of user deferrals remaining, and MDM commands for software updates are now acknowledged and acted on even when a Mac is asleep or in Power Nap. 

· Set update priority: A new priority value can be set when scheduling an update, to control the priority of downloading and preparing the requested update. 

Rapid Security Response 

· New mechanism to ship security fixes: iOS 16, iPadOS 16 and macOS 13 introduce a mechanism for shipping security fixes to users frequently, outside the normal update cycle; the fixes are then rolled into the next minor update. Rapid Security Responses do not honour the managed software update delay. However, because they only apply to the latest minor operating system version, if that minor update is delayed, the response is effectively delayed with it. 

· MDM restrictions: Users can remove a response if necessary, and MDM solutions can use the following restrictions: 

o Allow or disallow the installation of Rapid Security Response updates. 

o Allow or disallow the removal of Rapid Security Response updates. 
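Two checks an admin usually wants from the sections above, the enrolment state that decides whether the Setup Assistant network requirement applies to a Mac, and whether a Rapid Security Response is present on top of the current minor release, can be scripted from the output of `profiles status -type enrollment` and `sw_vers`. The script below is an added example, not Apple’s code or this article’s; the sample outputs embedded in it are constructed to match the shape of those commands’ output, and the 13.3.1 baseline is an assumption used only to show the version comparison.

```shell
#!/bin/sh
# Added example: summarise a Mac's management and update posture from the output of
# `profiles status -type enrollment` and `sw_vers`. The parsers take the command output
# as text so they can run offline on the constructed samples below; the live commands
# are only invoked where they exist.
set -eu

# enrollment_state TEXT -> prints ade | mdm | none
#   ade  - enrolled through Automated Device Enrollment (the case that carries the
#          Setup Assistant network requirement after an erase)
#   mdm  - MDM-enrolled but not via ADE (user- or profile-initiated enrolment)
#   none - not managed
enrollment_state() {
    dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP:[[:space:]]*//p')
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment:[[:space:]]*//p')
    case "$dep" in Yes*) echo ade; return ;; esac
    case "$mdm" in Yes*) echo mdm; return ;; esac
    echo none
}

# os_version TEXT / rsr_suffix TEXT -> the ProductVersion and ProductVersionExtra
# fields of `sw_vers`. A Rapid Security Response appears only as the letter suffix,
# e.g. "(a)"; ProductVersion itself stays at the minor release the response targets.
os_version() { printf '%s\n' "$1" | sed -n 's/^ProductVersion:[[:space:]]*//p'; }
rsr_suffix() { printf '%s\n' "$1" | sed -n 's/^ProductVersionExtra:[[:space:]]*//p'; }

# version_at_least CURRENT REQUIRED -> 0 when CURRENT >= REQUIRED as dotted versions
# (13.3 is below 13.3.1; missing components count as 0).
version_at_least() {
    cur="$1."
    req="$2."
    while [ -n "$cur" ] || [ -n "$req" ]; do
        a=${cur%%.*}; cur=${cur#*.}
        b=${req%%.*}; req=${req#*.}
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# posture_report PROFILES_TEXT SWVERS_TEXT REQUIRED_VERSION
#   Prints a one-line summary; returns 0 when the Mac is ADE-enrolled and at or above
#   REQUIRED_VERSION. The version gate is the real check: a response can only be
#   installed on the current minor release, so a Mac held back from that release
#   cannot receive it, whatever the suffix says.
posture_report() {
    state=$(enrollment_state "$1")
    ver=$(os_version "$2")
    rsr=$(rsr_suffix "$2")
    printf 'enrollment=%s version=%s rsr=%s\n' "$state" "$ver" "${rsr:-none}"
    if [ "$state" = ade ] && version_at_least "$ver" "$3"; then
        return 0
    fi
    return 1
}

# Constructed samples (not captured from a real Mac), shaped like the two commands' output.
SAMPLE_PROFILES='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/mdm'
SAMPLE_SWVERS='ProductName:            macOS
ProductVersion:         13.3.1
ProductVersionExtra:    (a)
BuildVersion:           22E772610a'

# Baseline version is an assumption for the demonstration; set it to the minor release
# your current Rapid Security Response targets.
REQUIRED=13.3.1

if command -v sw_vers >/dev/null 2>&1 && command -v profiles >/dev/null 2>&1; then
    # On a Mac: `profiles` may need to run as root to report enrolment.
    posture_report "$(profiles status -type enrollment 2>/dev/null)" "$(sw_vers)" "$REQUIRED"
else
    posture_report "$SAMPLE_PROFILES" "$SAMPLE_SWVERS" "$REQUIRED"
fi
```

The exit status is the point of the script: it is non-zero for a Mac that is managed but not ADE-enrolled (so the network requirement will not protect it after an erase) or that sits below the minor release the current response was built for, which is the case the deferral caveat above describes.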

Migration Assistant 

· Easily move from one Mac to another: Migration Assistant allows the migration of user files, apps and device configurations from one device to another. 

· MDM-friendly migrations: In macOS Ventura, Macs enrolled in an MDM solution no longer allow the transfer of System, Network or Printer settings, avoiding conflicts with the managed configuration. 

Beyond the major updates above, there are further MDM updates for the Mac this year: additional restrictions and payload changes, such as the ability to allow or block Universal Control and to control whether configuration profiles can be installed manually. 

Comment below and tell us which update you think will have the biggest impact on enterprise efficiency.
