Apple beefs up enterprise identity, device management

Last week at WWDC, Apple introduced new capabilities related to Managed Apple IDs and to user identity overall.

Managed Apple IDs have been around for some time. They handle many of the same tasks as personal Apple IDs, but are owned by an organization rather than the end user and are typically created alongside a user’s enterprise identity through federated authentication with a company’s identity provider. 

Managed IDs allow a user to activate and use an Apple device — whether company owned or personal BYOD— and create a business profile on employee devices. Additionally, they provide Apple services including some core iCloud functionality such as backing up the work-related content on the device and syncing app data from Mail, Calendar, Contacts, and Notes. They also allow IT to manage what resources and devices a user can access, reset passwords, and help with Apple device management.

To create and work with Managed Apple IDs, Apple Business/School Manager needs to be federated with an organization’s identity provider. This year, Apple is making major improvements in what identity providers can be used with OpenID now being supported and support for Okta coming later this year. Combined with Microsoft Azure AD and Google Workspace, which were already supported, this means that the vast majority of organizations will be able to easily create and manage Managed Apple IDs.

Like other tech companies, Apple has been attempting to replace passwords with a secure alternative and had already introduced support for secure authentication using passkeys. Apps and websites that support passkeys can generate them at sign up and login screens. Passkeys go a long way to making access to apps and resource both more secure and more convenient.

While passkey support is pre-existing in iOS and macOS, implementing it in the workplace, where users typically rely on multiple devices — an iPhone and a Mac at the least — has had one roadblock: syncing passkeys (and passwords) across devices. In the consumer space, both passwords and passkeys can be automatically synced using iCloud.

With its new OS releases this year, Apple will be expanding support for iCloud with Managed Apple IDs; the biggest new feature is that Managed Apple IDs now support the same kind of sync as personal Apple IDs. This increases the viability of passkeys in a business environment. 

Passkey support and the ability to sync passkeys joins other Apple enterprise features including platform single sign-on to streamline access to any internal or cloud resources  through federated identity and Sign in with Apple at Work or School. All three extend secure login, authentication and access to resources. 

While iCloud Keychain support is the big news for Managed Apple IDs this year, the company is also expanding other services. One major improvement is that the Managed Apple ID now works with Apple’s Continuity system; that makes it possible to work across devices with features such as Handoff, Sidecar, Universal Control, and copying and pasting. 

One particularly useful Continuity feature for business users is the Instant Hotspot feature. Another is Continuity Camera for using an iPhone’s camera while videoconferencing on a Mac or other device. AirPlay to Mac for streaming content to a Mac’s display is also now supported. There’s also support for syncing Siri data and Messages and one surprising addition: support for the Wallet app and Apple Pay,.

The overall theme here is that Apple is working hard to replicate the personal iOS/macOS user experience for manage devices. There is enterprise value in terms of enhancing productivity and the changes could encourage people to use managed devices because they will find comparable feature sets.

The home for all of these features from a user perspective is in the Settings app, where they can find additional information about their managed ID and decide which iCloud services they want to use with it. While a device is typically limited to supporting just a single Apple ID, account driven user enrollment, introduced two years ago, enables support for a personal Apple ID and Managed Apple ID on the same device. As it always has, Apple creates a secure partition between work and personal apps and data.

It’s important to note that account driven user enrollment was largely designed as a way for users to enroll their personal devices into MDM, while corporate devices are typically managed with a more traditional profile-based enrollment that gives IT more access and management options. Apple is now offering account driven device enrollment that offers added capabilities for IT with a user experience similar to account-driven user enrollment.

The latter was already available for iOS devices, but macOS Sonoma adds support for this feature using both user-pbased enrollment that’s appropriate for BYOD environments and device -ased enrollment for work Macs. (As on iOS devices, users will see their Managed Apple ID as a separate account.)

Apple is also making the process of implementing both types of account driven enrollment simple for MDM vendors. So IT staffers should see a relatively smooth adoption process.

Along with improving the enrollment options, Managed Apple IDs will get more management capabilities. There are two major additions. The first is to control which types of managed devices a user is allowed to access: any device regardless of ownership, only managed devices enrolled via MDM, or only devices that are Supervised. Supervised devices are company-owned and have stringent management controls. 

The next biggest of these features is the ability to control which iCloud services a user can access on a managed device. Each sync service can be enabled or disabled for a user’s Managed Apple ID. This doesn’t stop the user from using an associated app, but it prevents that app from syncing. If Calendar or Reminders access to iCloud is disabled, the user will will still be able to enter events and create lists, but they will remain only on the device.

Finally, administrators can restrict Messages and FaceTime calls to only organization owned/managed devices or disable each feature entirely.

Sign in with Apple at Work and School is being streamlined in that Sign in with Apple will let users decide whether to sign in using their personal or Managed Apple ID, depending on the resources they need to access.

Putting all of these announcements together, Apple’s focus on enterprise identity this year means new security options that are easy to implement and use. From an IT perspective, Apple has made multiple new security choices available and it significantly improved others. For users, it’s made the process of using managed devices so much like using personal devices that the experience is seamless.

This is a win-win.

The move also links user, identity, and device management into a single framework that leverages multiple cloud aspects of Apple device management, including Apple Business (or School) Manager; your enterprise identity manager of choice; traditional MDM and other vendor offerings; and iCloud. It’s a shift that highlights Apple’s ongoing investment in becoming a services as much as a hardware company. Indeed many of these additions parallel the consumer-focused services that Apple already offers, most notably iCloud.

This enmeshment of services that straddles both the enterprise and consumer spheres will be a positive in more organizations and with most users. Apple has strived for simplicity, but determining how these new pieces fit into an organization’s IT puzzle will still require thoughtful consideration. All in all, however, Apple is proving itself as a valuable enterprise services company.

http://www.computerworld.com/category/security/index.rss