apple

what's new in enterprise – iOS 14 and macOS Big Sur

apart from the consumer features of iOS, with its home screen widgets, app library, app clips, picture-in-picture and many other features (already available in Android) – so, what's new about managing the new release to utilize it in the enterprise with mdm

iOS 14 release date, beta, features and compatible iPhones @techradar

announced at wwdc 2020, the upcoming releases are packed full of features even for enterprise, a lot of lessons learned from iOS were transferred to macOS, and here are some highlights in my opinion

  • macOS enrollment – more seamless, with detailed options to ease the onboarding process
  • auto advance for mac – added an offline enrollment method that just requires a network connection and power
  • lights out management for mac pro, payload via mdm
  • user enrolled macOS are supervised !!!
  • macOS managed software – defer updates up to 90 days, same as for iOS, or force an update
  • macOS managed apps – remove by mdm, managed app configuration, or convert from managed to unmanaged
  • download profiles for macOS – privacy behaviour from iOS to prevent mistakes, the profile is installed manually iOS-style
  • shared iPad for business – multi-user device with managed apple id via apple's abm
  • non-removable managed apps – home screen layout advanced to allow rearranging but prohibit uninstalling apps
  • managed open-in support for the shortcuts app
  • set timezone – without location service
  • per-account vpn – mail, contacts, calendar for the same domain
  • encrypted dns
  • randomized wifi mac

about managing apple devices at wwdc @apple


read more about how to join and even downgrade from beta

downgrade beta

…it's quite easy to join a public beta, a lot of chinese vendors develop their software while customers are already using it – for ios and android it is possible to get a sneak look into new features or test changed behaviour in your enterprise environment before public rollout, join the beta at https://beta.apple.com/ https://www.google.com/android/beta top 3…

microsoft

windows 10 may 2020 update – what’s in it

microsoft published its next update for windows 10 – called version 2004 – are you ready?

What’s new in Windows 10 for IT Pros

  • Windows Hello supports Fast Identity Online 2 (FIDO2)

selected items picked, full list @microsoft


windows 10 is smarter than you might think

check out these features to improve your daily work – dynamic lock: since Microsoft doesn't offer its own smartphones anymore, they integrate some clever/smart features to connect with mobile devices – e.g. ensure that your windows 10 is locked when you're away from the keyboard with dynamic lock – picture password to get rid of long passwords with complex…


what’s new in MDM for Windows 10

for enterprise, some configuration service providers (csp) have been added or extended

Topic – Description

  • Policy CSP – added new policies in Windows 10, version 2004: ApplicationManagement/BlockNonAdminUserInstall, Bluetooth/SetMinimumEncryptionKeySize, Education/AllowGraphingCalculator, TextInput/ConfigureJapaneseIMEVersion, TextInput/ConfigureSimplifiedChineseIMEVersion, TextInput/ConfigureTraditionalChineseIMEVersion
  • DevDetail CSP – added the following new node: Ext/Microsoft/DNSComputerName
  • EnterpriseModernAppManagement CSP – added the following new node: IsStub
  • SUPL CSP – added the following new node: FullVersion

select Start > Settings > Update & Security > Windows Update and select Check for updates, otherwise click below

google

android bloatware in business

android devices arrive with a lot of preinstalled apps like facebook, flipboard, skype and for sure google services (youtube, maps, gmail, etc.) – for private use this is annoying, but for business it is essential to secure the use case

android enterprise

when enabling Android Enterprise for kiosk/company devices, the default apps can be disabled during setup with this switch – PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED – Samsung offers this with its KNOX Mobile Enrollment and google with the built-in zero-touch service

be aware that you lose the native camera app if your use case requires one

device management

after your device is enrolled in a mobile device management system (emm, uem or whatever) you're able to restrict installed apps by package name; apps differ by device manufacturer and os level, and package names are also useful to arrange/allow apps in a kiosk setup, for the samsung XCover4s these are:

  • com.samsung.android.messaging
  • com.sec.android.app.samsungapps
  • com.samsung.android.calendar
  • com.samsung.android.email.provider
  • com.sec.android.app.myfiles
  • com.sec.android.gallery3d
  • com.sec.android.app.clockpackage.clockpackage
  • com.sec.android.app.clockpackage.alarm.alarmalert
  • com.google.android.gm
  • com.google.android.youtube
  • com.google.android.googlequicksearchbox
  • com.sec.android.app.fm
  • com.google.android.apps.maps
  • com.samsung.android.contacts
  • com.samsung.android.dialer
  • com.samsung.android.game.gamehome
  • com.sec.factory.camera
  • com.sec.android.app.camera
  • com.sec.android.app.clockpackage
  • com.sec.android.app.sbrowser
  • com.microsoft.skydrive
  • com.facebook.katana

adb tools

remove bloatware from a single device, or find the package names on a locally connected reference device

  1. install the USB drivers for your device
  2. download & install the ADB tools
  3. enable Developer Options & USB debugging
  4. plug your device into the computer
  5. open a terminal and type: adb devices
  6. this returns the ID of your device
  7. open an adb shell with: adb shell
  8. list all installed packages: pm list packages
  9. to remove a package type: pm uninstall -k --user 0 <package name>

take care not to disable system critical apps of android, check here
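the steps above can be turned into a dry run that only prints the uninstall commands for packages that are actually present and not on a keep-list, so nothing system critical (or the camera your use case needs) is removed by accident; this is an added example, not a script from the original post, and the `pm list packages` output, the keep-list and the package com.example.notinstalled are constructed for the demo:

```bash
#!/bin/sh
# Constructed sample of `adb shell pm list packages` output (not captured from a real device).
SAMPLE_PACKAGES='package:com.samsung.android.messaging
package:com.facebook.katana
package:com.android.systemui
package:com.google.android.gm
package:com.sec.android.app.camera'

# Candidates to remove, taken from the XCover4s list above plus one constructed absent package.
BLOCKLIST='com.facebook.katana
com.google.android.gm
com.sec.android.app.camera
com.example.notinstalled'

# Keep-list: never uninstall these, even if they appear on the blocklist
# (constructed: the camera is needed by the use case, systemui is system critical).
KEEPLIST='com.sec.android.app.camera
com.android.systemui'

# plan_debloat: print one `pm uninstall -k --user 0` command per package that is
# installed and not on the keep-list; everything else is reported as a skipped comment.
plan_debloat() {
  installed=$(printf '%s\n' "$SAMPLE_PACKAGES" | sed 's/^package://')
  printf '%s\n' "$BLOCKLIST" | while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    if printf '%s\n' "$KEEPLIST" | grep -qxF "$pkg"; then
      echo "# skip $pkg (keep-list)"
    elif printf '%s\n' "$installed" | grep -qxF "$pkg"; then
      # -k keeps app data, --user 0 removes the app for the primary user only
      echo "adb shell pm uninstall -k --user 0 $pkg"
    else
      echo "# skip $pkg (not installed)"
    fi
  done
}

# count_uninstalls: number of uninstall commands the plan would run.
count_uninstalls() {
  plan_debloat | grep -c '^adb shell pm uninstall'
}

plan_debloat
```

on a real device replace SAMPLE_PACKAGES with `$(adb shell pm list packages)`, review the printed plan, and only then pipe it to sh.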

security

unmanaged but secured – how mobile application management supports your enterprise

while ios and android offer more and more deep apis to securely manage a mobile device and integrate it into the enterprise – apple utilizes restrictions to natively separate managed from unmanaged content – android has a built-in work container on every device to secure enterprise data – both offer enrollment programs to easily integrate the devices into a management system

but there are arguments not to rely on the device management apis – ios lacks a complete restriction between unmanaged and managed data, it is possible to bypass the limitation under certain conditions – android deprecated the existing device admin feature in favor of android enterprise technology, but the new container ui/ux isn't consistent between different os releases and lacks some existing features, e.g. the private/business calendar overlay

privacy is a main point when offering a byod solution to your employees, ios managed devices could report your installed apps and fully wipe even your private data (until user enrollment was released), android enterprise addressed this from the very first, apple introduced user enrollment to address privacy concerns for byod deployments

usability is the other big point to address for your users – while apple provides the ability to use business data within ios native applications, android lacks a consistent look and feel between os releases and different management apis, badge icons differ between releases and especially on samsung devices – to ease support, provide the same email app across both mobile os

(screenshots: MobileIron Email+ on Google Play and on the App Store)

mobile application management, also named non-MDM, manages your data within an app or an entire framework, the app isn't capable of controlling your device, e.g. to enforce a device pin or encryption – major mdm vendors like airwatch, mobileiron, blackberry (formerly good) and citrix provide a framework to secure your data across several productivity apps, without the need to rely on device apis


microsoft offers with its office 365 apps the capability to secure business data with app protection policies without the need to enroll your device into a unified endpoint management, 3rd party mdm can optionally integrate these features with the graph api

(image: company data being protected by policies)

when it comes to enterprise integration with full device vpn support, certificate authentication or kiosk (single use) devices there is no way around a uem solution

don't be a fool, select your preferred solution based on the requirements of each use case

apple, innovation

a whole new iOS 13 with more privacy in enterprise

tim cook recently spoke about user data and privacy, while criticizing technology companies like google or facebook

iOS is the enterprise's first choice for mobile activity, egnyte's enterprise insight showed a clear weighting, and content is getting more and more mobile


the biggest change since iOS 5 introduced supervised devices and open-in management debuted in iOS 7

iOS 13 will be available in fall 2019 – since google is pushing hard with android enterprise to fit business needs, with its built-in containerization based on samsung's KNOX – iOS 13 provides more granular security and better privacy restrictions

enrollment methods

there are already thousands of iOS devices rolled out with either a manually installed mdm profile (uamdm) or centralized with the device enrollment program (dep) to get the device under control of a unified endpoint management (uem) – additionally you can set your iOS device as supervised either while dep enrolled or via apple configurator connected to a mac

newly added – user enrollment – previously an administrator of a managed device was able to retrieve the installed apps, remove the passcode or wipe the entire device – at least the privacy controls of the registered uem prohibit these features for individuals – with user enrollment there are huge improvements to the user's privacy

  • the user needs to log in with a managed apple id
  • the uem is unable to retrieve device information like IMEI, serial or mac address
  • private apps aren't reported to the uem
  • no control over the device passcode or wiping the entire device
  • the configuration of wifi, vpn or exchange accounts will still be available
  • other existing restrictions are reserved for supervised devices, see listing below

restriction changes

  • allowSafari, available since iOS 4, requires a supervised device as of iOS 13
  • allowVideoConferencing, available since iOS 4, requires a supervised device as of iOS 13
  • allowWiFiPowerModification, available for supervised iOS 13 devices
  • safariAllowAutoFill, available since iOS 4, requires a supervised device as of iOS 13
  • allowAddingGameCenterFriends, available since iOS 4.2.1, requires a supervised device as of iOS 13
  • allowAppInstallation, available since iOS 4, requires a supervised device as of iOS 13
  • allowCamera, available since iOS 4, requires a supervised device as of iOS 13
  • allowCloudBackup, available since iOS 5, requires a supervised device as of iOS 13
  • allowCloudDocumentSync, available since iOS 5, requires a supervised device as of iOS 13
  • allowCloudKeychainSync, available since iOS 7, requires a supervised device as of iOS 13
  • allowContinuousPathKeyboard, available for supervised iOS 13 devices
  • allowExplicitContent, available since iOS 4, requires a supervised device as of iOS 13
  • allowFindMyDevice, available for supervised iOS 13 devices
  • allowFindMyFriends, available for supervised iOS 13 devices
  • allowiTunes, available since iOS 4, requires a supervised device as of iOS 13
  • allowMultiplayerGaming, available since iOS 4.1, requires a supervised device as of iOS 13

read a full list of apple’s device management restrictions here

Sign in with Apple vs. managed Apple ID

while sign in with apple is the approach to compete with google or facebook as an identity provider (idp) for external services, for business on the other hand managed Apple IDs were so far used to manage functions of Apple Business Manager, since WWDC 2019 it's necessary to register with user enrollment, the enterprise creates additional accounts for byod users to add to their device, which keeps data completely separated between both accounts, hopefully compared to now:

iPadOS

along with iOS 13 apple separates the paths of iPhone and iPad with a standalone OS, finally iPadOS can provide more features to the tablet, a classic desktop replacement could be possible – view the demo below

stay tuned for the final release around mid-september, likely together with the new 2019 iPhone


apple, security

apple adds more barriers to increase security

as far as known from this ios 12.2 beta, there are several improvements/changes, at least in regards to the user's security

enroll here: beta.apple.com

ssl security

not just since edward snowden, chelsea manning and other leaked information – your data matters – apple adds a noticeable change in safari when browsing web pages that are not secure

@ios.gadgethacks.com

read more about ssl strip @wifi security today and attack vectors

profile installation

profiles on ios devices mean everything in enterprise, to enroll a private user's device in an emm system it is necessary to manually install the ios mdm profile – before ios 12.2 the profile popped up to install – beginning with the new release, after successfully authenticating with the emm the ios profile is downloaded, and the user needs to manually navigate to settings and select to install the profile

motion data

the new motion & orientation access setting is toggled off by default, a web page is unable to get accelerometer and gyroscope data from the iPhone – test it at the what web can do today website with the iOS 12.2 beta

ios13 should be available in about 4 months

innovation, technology

progressive web apps

progressive web apps (pwa) are getting more popular due to their ability to send push notifications – provide offline content and add to the home screen – no need to install a pwa, improved functionality above browsers at less cost compared to apps – load faster than the web – enhanced conversion – scroll at 60 frames per second

@google developers training

test your browser online, the feature set differs a lot between mobile platforms and browsers – compatibility estimated by appswithlove.com

https://whatwebcando.today

in 2015 a chrome developer coined the term progressive web app, it was adopted by apple and even windows 10 joined as well


some good examples of what pwa's can do and who is already using them:

how to deal with accelerated mobile pages (amp) in times of pwa, how to choose between faster loading or offline functionality, it's possible to combine both like the washington post

read more: accelerated mobile pages


from an enterprise perspective it is about how to deploy applications, with mdm it is quite easy to push an app to a device, even silent installation is possible with android enterprise or apple vpp…

…but pwa's aren't apps in that sense anymore and there is no api to remotely set a home screen icon

apple, google, microsoft, security

unified endpoint management

today's employees use at least two or more devices to do daily work on various os at different versions – it is time for a new class of tools – unified endpoint management (uem) combines the management of multiple endpoint types in a single console

evolution

from pc configuration lifecycle management (pcclm) via client management tools (cmt) to unified endpoint management (uem) – companies listed in the client management tools magic quadrant have already transformed, others are overruled

content

emm

while enterprise mobility management (emm) is highly competitive and rapidly transforming – for instance, good technology, which was in gartner's magic quadrant in 2015, was acquired by blackberry, and airwatch was acquired by vmware in 2014 – emm consists of:

  • mobile device management (mdm)
  • mobile application management (mam)
  • mobile identity (mi)
  • mobile content management (mcm)

uem combines cmt + emm + iot

benefit

  1. reduce it management cost – a single tool
  2. improved security – get the best of both
  3. better insights – reporting
  4. prepared – enterprise of things

gartner

the magic quadrant reports the ability to execute and completeness of vision of vendors – read the full report here

Magic Quadrant for Unified Endpoint Management Tools

tco

according to gartner research, the annual tco of a fully managed smartphone using emm is almost 80% lower than the annual tco of a fully managed desktop using cmt

@mobileiron