Apple Deployment Programs Updated

These are my notes from the WWDC 2017 session "What's New in Device Configuration, Deployment, and Management". They can seem quite scattered. I did want to share them and provide a reference for myself other than Evernote.


Apple TV can now be enrolled in the Device Enrollment Program

Add Personally Owned Devices to DEP

  • Add devices purchased outside of supported channels to DEP
  • Devices with iOS 11 or tvOS 11
  • Apple Configurator 2.5

Requires Supervision; MDM is mandatory.

  • Adding a device to DEP erases the device
  • 30-day provisional period - the provisional period starts when the device is activated
  • The user can remove the device from DEP during the Setup Assistant or in Settings (within the 30 days)
  • All DEP features are available both during and after the provisional period

In Apple Configurator 2, selecting “Prepare” now offers an option to add the device to the Device Enrollment Program


  • Unsupervised is deprecated
  • Optional MDM is deprecated


Security enhancements for MDM

  • In iOS 10.3, certificate partial trust was enabled for manually installed certificates and certificate profiles
  • A certificate with partial trust is trusted for all purposes except SSL
  • Automatic installation: full trust
  • A manually installed certificate receives partial trust at first. The user can go to Settings - About - Certificate Trust Settings and enable full trust. This provides an appropriate additional warning.
  • If a certificate is installed manually by a profile that also contains an MDM payload, that certificate is given full trust


In 2018, MDMs will require “App Transport Security” (ATS), a set of security requirements for secure communication.

  • ATS imposes additional requirements on the transport protocol to strengthen the security of the communication
  • If the MDM server does not support ATS, the client will refuse to communicate with it

In 2018, APNs service tokens will increase in size; MDMs must support APNs tokens of up to 100 bytes


  • Certificate pinning - pinned certificates are checked for the server URL and for the check-in URL
  • Hard revocation checking of pinned certificates - trust evaluation fails if the device cannot get a positive response from the revocation server for any reason
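As an added example (not from the session or these notes), a small Python lint for a .mobileconfig that checks the ATS and pinning points above: MDM endpoints must be HTTPS (the part of ATS visible in a profile; TLS version and cipher rules are enforced at connection time), every pinning UUID must resolve to a certificate payload in the same profile, and hard revocation checking should be on. The MDM payload key names come from Apple's MDM payload documentation rather than from these notes; the sample profile, UUIDs and hostnames are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample .mobileconfig: one root-certificate payload plus one MDM payload.
# Key names follow Apple's MDM payload documentation; UUIDs and hostnames are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array>
 <dict><key>PayloadType</key><string>com.apple.security.root</string>
  <key>PayloadUUID</key><string>CERT-UUID-PLACEHOLDER</string></dict>
 <dict><key>PayloadType</key><string>com.apple.mdm</string>
  <key>ServerURL</key><string>https://mdm.example.invalid/server</string>
  <key>CheckInURL</key><string>http://mdm.example.invalid/checkin</string>
  <key>ServerURLPinningCertificateUUIDs</key><array><string>CERT-UUID-PLACEHOLDER</string></array>
  <key>CheckInURLPinningCertificateUUIDs</key><array><string>MISSING-UUID</string></array>
  <key>PinningRevocationCheckRequired</key><false/></dict>
</array></dict></plist>"""


def audit_mdm_profile(data: bytes) -> list[str]:
    """Return findings for every MDM payload in a profile (an empty list means clean)."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    # UUIDs of certificate payloads carried in this same profile; pinning keys must point at these.
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in ("com.apple.security.root", "com.apple.security.pkcs1")}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.mdm":
            continue
        # ATS: a plain-HTTP endpoint is refused by the client, so flag it statically.
        for key in ("ServerURL", "CheckInURL"):
            url = p.get(key, "")
            if urlparse(url).scheme != "https":
                findings.append(f"{key} is not https: {url}")
        # Pinning for the server URL and the check-in URL, each resolved against the profile.
        for key in ("ServerURLPinningCertificateUUIDs", "CheckInURLPinningCertificateUUIDs"):
            uuids = p.get(key, [])
            if not uuids:
                findings.append(f"{key} is not set; endpoint is not pinned")
            for uuid in uuids:
                if uuid not in cert_uuids:
                    findings.append(f"{key} references unknown certificate {uuid}")
        # Hard revocation checking: when false, an unreachable revocation server is tolerated.
        if not p.get("PinningRevocationCheckRequired", False):
            findings.append("PinningRevocationCheckRequired is false; revocation failures are soft")
    return findings


if __name__ == "__main__":
    for finding in audit_mdm_profile(SAMPLE_PROFILE):
        print(finding)
```

Run against the sample it reports the plain-HTTP check-in URL, the dangling pinning UUID and the soft revocation setting; fixing those three yields an empty list.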

Best practices for Admins

  • Shared iPad - enable the diagnostics submission command
  • Shared iPad - user storage quota on APFS - a user quota sets the maximum amount of storage a single user can consume on the device. It ensures users are not consuming too much space, which would crowd out other users. The upgrade to iOS 10.3 disabled the storage quota, so admins must re-enable it

  • Startup profiles via the “profiles” command-line tool - see the man page for the “profiles” command

Troubleshooting Tips

  • Get logs using Console or Apple Configurator 2
  • For iOS, filter the logs by process:
      • Profiles and certificate installation: profiled
      • Restrictions: profiled
      • MDM: mdmd, dmd
      • Apps: mdmd, mdm, appstored (installs and removes apps), itunesstored (if the apps come from iTunes)

macOS - don’t filter results by process but by subsystem


Apple School Manager

VPP integrated in Apple School Manager

  • Integrated, updated UI
  • Easier management of purchases
  • License transfer between locations - content managers will no longer need to share credentials

VPP in Apple School Manager - purchases are associated with a location

  • Content Managers buy for location
  • A single token is needed for each location
  • Content Managers manage all licenses at location

Licenses can be transferred from one location to another

  • Apple School Manager now shows number of available licenses
  • Licenses that are currently available and not assigned can be transferred - licenses already assigned cannot be transferred and must be revoked first

New VPP features will be released later this summer


  • Enterprise apps can be installed
  • Managed app configuration


Enrollment and app profiles consume a significant amount of Wi-Fi bandwidth

  • To solve this, a new option on all MDM commands lets the admin specify that the device may use a wired network (Internet Sharing over USB or an Ethernet connection) to perform the command
  • Combined with “Content Caching” in macOS, this should improve the setup experience for iOS

MDM already has the ability to install software updates on DEP devices without a passcode.
Added support:

  • Passcode-locked Supervised devices
  • Non-DEP Supervised devices
  • Preserve the data plan when erasing devices
  • System app removal

Data Protection

  • Join only Wi-Fi networks configured by policy
  • Exemption of carrier profiles (Supervise)
  • Prevent users from creating their own VPN configurations (Supervise)
  • Exchange and Mail - control S/MIME signing and encryption independently

Classroom Manager for Supervised devices

  • Unprompted screen observation
  • Unprompted app and device lock
  • Automatic joining of classes


AirPrint

  • Custom port
  • Require TLS
  • Disable iBeacon discovery for printers (Supervise)
  • Disable storing AirPrint credentials in the Keychain
  • Disable AirPrint


  • DNS proxy extension (Bundle ID) (Supervise)
  • Internet Protocol version(s) for cellular connections


macOS

  • System Migration payload can be configured to select custom migration paths from Windows to Mac
  • Smart card configuration
  • Ability to provide a default configuration for any 802.1X Ethernet port that does not have an explicit configuration
  • Software update delay for up to 90 days (Supervise)
  • Query deferred update info (Supervise)


Firmware Password

  • Firmware passwords are analogous to Activation Lock on iOS
  • The firmware password can be completely managed using an MDM server
  • Admin can set the password
  • Query password status
  • Verify the password
  • A restart is required when the firmware password is changed

Account Management

  • Querying List of Users
  • Delete user accounts
  • Unlock user accounts

Data Protection

  • New Extensions payload can be used to configure whitelists and blacklists of extensions
  • Disable all extensions
  • Query active extensions for a user
  • Escrow FileVault personal recovery keys to a custom server
  • Recover recovery key using MDM server
  • Disable iCloud desktop and documents


Apple TV

  • Erase device (using Configurator or MDM)
  • Enroll Apple TV into DEP
  • Specify TV name
  • Modify TV name
  • Show/hide apps
  • Home Screen layout

Conference Room (Supervise)

  • Display custom message on screen
  • Restrict users to only using the Apple TV to share their displays
  • AirPlay security - one-time passcode, passcode each time, or a custom passcode

Kiosks and Dashboard

  • Single App Mode
  • Disable remote app pairing
  • Disable AirPlay

iOS, macOS, tvOS - Shared

  • VPN IKEv2, Wi-Fi min/max TLS versions
  • Installed app list consistent
  • Restart (Supervise)


  • Activity continuation
  • Universal Clipboard
  • Dictation
  • Smart punctuation
  • Classroom screen observation

Restrictions that, starting in 2018, will only be available for Supervised devices

  • App installation
  • App removal
  • FaceTime
  • Safari
  • iTunes
  • Explicit content
  • iCloud documents and data
  • Multiplayer gaming
  • Add GameCenter friends

Tools Update

  • Apple Configurator 2.5
  • Profile Manager in Server 5.4
  • Classroom
  • Content caching
  • Roster Simulator

Classroom 2

  • Teacher created classes
  • Document transfer between teacher and student
  • Mute devices

Classroom 2.1

  • Managed class behavior for teacher-created classes on supervised devices
  • Student activity view

The Caching Service is no longer relegated to macOS Server

  • “Content Caching” is built-in to macOS 10.13 High Sierra

Tethered caching UI

  • Introduced in Spring 2017 with macOS 10.12.4
  • Consists of three main pieces:
      • It provides a wired internet connection to all connected iOS USB devices
      • It provides the “Content Caching” service on the Mac
      • It funnels all network traffic from the tethered devices through the “Content Caching” service when downloading cacheable Apple content

To enable this feature:

In System Preferences click “Sharing”.

Click “Content Caching” (currently only available on the macOS 10.13 beta).

Select “Share Internet Connection” which states: Share this computer’s Internet connection and cached content with iOS devices connected using USB.

Clicking "Options" provides a UI that is similar to what is found in macOS Server


iOS devices can be plugged in any time during the process

When an MDM-enrolled iOS device becomes tethered, it automatically checks in with the MDM server to see if there are any commands to process
If a command requires the network, it will use the USB interface instead of Wi-Fi
Both USB and Wi-Fi connections are required to process the download command
The asset is downloaded from the internet and then pushed to the device via USB

Questions I had regarding “Content Caching”: once the content is cached, is Wi-Fi no longer used?
Is Wi-Fi required for the first download of the app to begin? What about subsequent downloads?