iOS 10 will be released today, and you can expect most users to upgrade their iPhones and iPads within weeks. Google released Android 7.0 Nougat on a handful of devices in late August, but it'll be months before it's running on a meaningful number of smartphones and tablets. And MacOS Sierra, which will be released on Sept. 20, has several enhancements to its management policies. (Remember, since 2011's OS X Lion, Macs and iOS devices can be managed from the same servers.)
Nonetheless, with iOS 10's release today, it makes sense to update your mobile management approaches to account for these operating systems' changes.
What iOS 10 does that IT should know
Apple actually made more changes to iOS management in its iOS 9.3 update earlier this year than it has in iOS 10.
For supervised devices, iOS 9.3 let IT control the home screen layout, hide and thus block blacklisted apps that users may have downloaded (not merely prevent their downloads, as in the past), configure notifications to keep sensitive data out of them, force devices to report their location if lost (even if users have deactivated location services), and -- for devices managed from your mobile management server through Apple's Device Enrollment Program -- both enforce activation lock on the device and override the activation lock if necessary.
iOS 10 adds a new management policy that lets IT set the default app for audio calls for contacts in corporate-managed directories. iOS 10's CallKit API lets third-party apps directly handle audio calls, fully integrated with iOS features like notifications and raise-to-answer. The related management control lets IT ensure that only approved apps can take calls to and from business contacts. This can be especially relevant if you require BYOD users to go through a second-line or VoIP app for work so that your business customers and partners are accessing your number or address, not your users'.
iOS 10 enhances support for IKEv2 VPNs. It now supports EAP mode, which many organizations require to enable VPN access. As a result, iOS devices can now access such VPNs, assuming you allow VPN usage from them in the first place via management policies.
The other changes to iOS 10 don't involve mobile management policies, but IT should be aware of how they work to get the desired level of security:
- Universal clipboard: iOS 10 devices and Macs running MacOS 10.12 Sierra automatically sync their clipboards (for text, images, and more) if they are signed into the same iCloud account. iOS's management APIs let you restrict data copying from and to corporate apps, a capability for which management servers such as MobileIron's provide additional controls. The new universal clipboard should pose no extra risk of data leakage.
- Raise-to-wake lock screen: iOS 10 now shows notifications on an iPhone's lock screen when the user raises it, without waiting for the user to activate the screen. If you don't already manage notification display to exclude sensitive information, you should now.
- Auto-unlock of Macs: WatchOS 3, released today with iOS 10, can unlock a user's Mac (if running MacOS Sierra) automatically via Bluetooth when it comes within 10 feet of the Mac. But don't worry that someone could steal a user's Apple Watch to bypass the password on their work Mac: The unlock works only as long as the watch remains on the user's skin; once it's taken off, the user must unlock the Apple Watch with its PIN code before it can unlock the Mac (or do anything else but tell time).
What MacOS Sierra does that IT should know
Also, MacOS Sierra gains several new management policies, bringing it more in line with iOS devices. For you to apply these policies, the Macs must be enrolled in the Device Enrollment Program.
MacOS Sierra gains controls over a variety of Apple services: IT admins can apply policy restrictions to Apple Music, iCloud Keychain sync, iCloud photo library, Back to My Mac, Note sharing, and Find My Mac.
A new payload lets IT configure the Mac's IP firewall. But perhaps the most critical new capability lets IT force updates to MacOS via their mobile management server.
What Android Nougat does that IT should know
Like iOS 10, Google's Android Nougat has a few changes. They include:
- Always-on VPN: A new mobile management policy can force specified corporate apps to use a VPN. If a VPN isn't available or can't connect, the apps won't work or share data.
- App-specific access controls: IT can require separate, complex passwords for individual corporate-provisioned apps. IT can also set lock restrictions for specific apps. And IT can choose distinct login screens so that users visually know when they're logging into corporate services.
- Work-profile enhancements: IT can suspend access to corporate apps without removing a user's work profile, such as when a user is on vacation or taking a leave of absence. When IT deletes a work profile, the encryption key is now also deleted to reduce the chances someone could access any residual data. Users gain a new control to disable all work-related apps after hours or when they don't want to be distracted.
- Multiple Wi-Fi certificates: IT can set up corporate Wi-Fi network profiles with multiple certificate authorities -- no longer only one -- to ensure employees have access across all office locations.
- Data limits on apps: IT can set data-transfer limits on corporate apps to help reduce battery consumption through reduced radio usage.
- Incoming-call access to corporate contacts: Nougat lets a user's personal phone dialer or messaging app access corporate directory contacts to identify who's calling or messaging. For example, an HR admin trying to call an employee on his or her personal number is now identified to the employee, though that employee may not have the HR admin's number in his or her personal contacts list.