How iOS 7's new APIs change the game for business

Apple's new content-focused management APIs for iOS and OS X should further reduce security doubts of IT admins and CSOs, while keeping users empowered

Page 3 of 5

Single sign-in and unified passcode policies

iOS 7 and OS X Mavericks unify storage of and access to sign-in keys, using what's called the shared keychain, so they can be used by multiple apps and managed via an MDM server. In previous versions of iOS, the internal dev team at a company could use a shared keychain for single sign-in to corporate apps. A developer with a suite of apps could do the same for that suite.

The new Kerberos-based single sign-on facility lets IT federate these shared keychains as well as single apps' keys, so a common login can unlock all the apps whose passwords have been federated. That single sign-in key is stored by iOS, not by the apps, and managed by your own management server. Most apps don't need to be recoded to be compatible with single sign-in. But deploying single sign-on does mean work for IT: the Kerberos key facility has to be made accessible through a VPN rather than over the Internet, notes MobileIron's Rege.
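Because the federated login is scoped by the profile that the management server pushes, it is worth checking that scope before deployment. The following is an added example, not code from the article or from Apple: it parses a configuration profile and flags loosely scoped Kerberos single sign-on payloads. The key names follow Apple's configuration profile format for the `com.apple.sso` payload; the realm, principal, URLs and identifiers are constructed sample values.

```python
import plistlib

# Constructed sample profile: realm, principal, URLs and identifiers are made up.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.profile",
    "PayloadContent": [{
        "PayloadType": "com.apple.sso",
        "PayloadIdentifier": "com.example.profile.sso",
        "Name": "Example Corp SSO",
        "Kerberos": {
            "Realm": "EXAMPLE.COM",
            "PrincipalName": "jdoe",
            "URLPrefixMatches": ["https://intranet.example.com/",
                                 "http://wiki.example.com/"],
            # AppIdentifierMatches deliberately omitted in this sample
        },
    }],
})


def audit_sso_scope(profile_bytes):
    """Return (payload name, finding) pairs for loosely scoped SSO payloads."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.sso":
            continue  # only the single sign-on payload is audited here
        name = payload.get("Name", "<unnamed>")
        krb = payload.get("Kerberos", {})
        prefixes = krb.get("URLPrefixMatches", [])
        if not prefixes:
            findings.append((name, "URLPrefixMatches missing or empty"))
        for prefix in prefixes:
            if prefix.lower().startswith("http://"):
                findings.append((name, f"cleartext URL prefix: {prefix}"))
            elif not prefix.lower().startswith("https://"):
                findings.append((name, f"prefix is not an http(s) URL: {prefix}"))
        apps = krb.get("AppIdentifierMatches")
        if apps is None:
            # With the key absent, the login matches all app identifiers.
            findings.append((name, "no AppIdentifierMatches: any app may use this login"))
        elif any(a.strip() == "*" for a in apps):
            findings.append((name, "wildcard-only app identifier"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_sso_scope(SAMPLE_PROFILE):
        print(f"{name}: {finding}")
```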

OS X Mavericks' passcode policies are now identical to those in iOS 7, so IT can stop worrying about the implementation implications of minor differences in previous versions.

AirPlay, AirPrint, and font management

In iOS only, a new API allows an MDM server to force mirroring to an Apple TV or other AirPlay destination, such as for an iPad used as a kiosk device. iOS devices' policy payloads can also contain whitelists of allowed AirPlay devices and their passwords, so a company can configure managed devices to automatically connect to corporate conference rooms' Apple TVs without revealing the access passwords to users. Likewise, you can configure allowable AirPrint destinations (meaning printers).

In both iOS and OS X, policies can now install fonts onto devices, such as to ensure corporate identity consistency.

Per-app VPN and Web content filtering

The new facility in iOS and OS X lets corporate-provisioned apps establish a separate VPN connection, so businesses don't have to worry about a user opening a device-level VPN connection and having any app running take advantage of it. This also ensures that personal apps' data don't go through the corporate VPN, as happens when a device-wide VPN connection is in use. In iOS, the apps need to be configured via a policy to use per-app VPN when they are installed; they can't be so configured after the fact. Also, your VPN needs to support the per-app feature, so check with your VPN vendor about iOS 7 compatibility, Rege notes.

In iOS only, policies are now available for managing Web content filtering.

Wi-Fi Hotspot 2.0

Both iOS and OS X support the Wi-Fi Hotspot 2.0 standard (aka Passpoint), which is based on the IEEE 802.11u standard and essentially allows automatic roaming across hotspots for which you have a service subscription. The new Apple APIs allow its configuration and management.

Encryption management in OS X

Since version 4.2, iOS has always been encrypted at the device level, and there are no controls to disable that encryption. By contrast, use of device encryption (aka FileVault) is optional in OS X. OS X Mountain Lion introduced policies to enable encryption as part of a policy payload, and OS X Mavericks extends that control further. IT can now prevent encryption from being turned off through policies and manage the encryption recovery keys directly. The keys can be managed via a corporate server's key escrow, instead of through Apple's own key server. The institutional recovery key can now be rotated at IT's preferred schedule, via an MDM tool.
