Additional iOS policies
On devices running in supervised mode, meaning corporate-owned devices the company configures before issuing them (the familiar BlackBerry approach), there are now policy APIs that control whether users can change account settings, whether users can change Find My Friends settings (for example, to limit tracking to specific colleagues in a workgroup, and to keep employees from hiding their location when it is being tracked), whether individual apps may use cellular data, whether the device can pair with other Macs, and which services (such as copy and paste) are offered for selected text.
Placing a device in supervised mode no longer requires physically connecting it to a Mac running Apple Configurator; supervision can now be set at purchase and managed over the air.
For any iOS device, supervised or not, new restriction APIs cover ad tracking, iCloud Keychain syncing (the password store shared across all devices signed into the same iCloud account), over-the-air PKI updates, and whether the Wi-Fi and Airplane Mode toggles are reachable from the lock screen.
Also for all devices, MDM servers can now query whether Personal Hotspot is enabled (which turns the device into a Wi-Fi access point so other devices can share its cellular connection), whether Do Not Disturb is active, whether Find My iPhone is enabled, and whether an iTunes Store account is signed in. New commands let IT set a custom lock screen, put a device into lost mode (so the lock screen displays "if found" contact information), and disable the hotspot feature.
Device enrollment without touching the device
In addition to these APIs, Apple has created a new enrollment protocol for supervised devices, so a business can ship iPhones, iPads, Macs, and even Apple TVs preconfigured with its policies without opening the box or touching the hardware. Essentially, IT enters the device identifiers (such as serial numbers) from the purchase order into an enrollment tool and specifies the policies that apply, such as passcodes, allowable networks, VPN settings, app blacklists, and iCloud and iTunes access. Note that this device enrollment service is only for corporate-owned (supervised) devices, not for BYOD devices owned by users.
When a user opens the box and starts up the device, it checks in with Apple's activation server, which reports that the device is managed and refers it to the business's MDM server. The user is asked to sign in with corporate credentials or with separate credentials the company provides. After login, the MDM server pushes the XML policy payload (a configuration profile) to the device, which applies it and installs any apps assigned to that user.
The enrollment assignment is held on Apple's side, so if a user wipes the device it simply re-enrolls at its next setup; the device can be used only under the corporate policies unless IT releases it from the program (such as when selling the device to a departing employee) or assigns a new set of policies (such as when reassigning the device to another user). When policies are updated, the device is updated too, automatically and silently.
This enrollment also does not require the user to have an Apple ID, though the company can allow the user to access personal apps and other services with a personal Apple ID that is stored on the iOS device or Mac, not on the company server. The user's Apple ID is therefore not shared with the business; only a hash of it is held there, which lets corporate users be associated with their devices without exposing the account itself. Personal and corporate information, apps, and even identifiers are thus kept separate on the same device.
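The enrollment flow above hinges on what IT puts in the enrollment profile: if supervision is off, MDM removal is allowed, or pairing is permitted, a user can step out of the corporate policy set. The following is an added example, not code from the article or from Apple, showing how an MDM back end might build that profile and audit it before submitting it. The field names (is_supervised, is_mdm_removable, allow_pairing, and so on) follow Apple's device enrollment web service as this example understands it and should be treated as an assumption to check against the current spec; the serial numbers, URL and certificate placeholder are constructed sample data.

```python
"""Build and sanity-check a device enrollment profile for supervised devices.

Added example, not the article's or Apple's code. Field names follow the
device enrollment web service as understood here; treat them as an
assumption. Serials, URL and certificate text are constructed.
"""
import json
import re
from typing import Any

# Apple serials are 10-12 upper-case alphanumerics. A mistyped serial does
# not fail loudly: it simply matches no device, so the unit ships unmanaged.
_SERIAL_RE = re.compile(r"^[A-Z0-9]{10,12}$")


def build_dep_profile(name: str, mdm_url: str, serials: list[str],
                      support_phone: str, anchor_cert_pem: str) -> dict[str, Any]:
    """Return the request body that pins the listed serials to the MDM server."""
    bad = [s for s in serials if not _SERIAL_RE.match(s)]
    if bad:
        raise ValueError(f"malformed serial numbers: {bad}")
    if not mdm_url.startswith("https://"):
        raise ValueError("MDM enrollment URL must be https")
    return {
        "profile_name": name,
        "url": mdm_url,                   # where Setup Assistant is redirected
        "is_supervised": True,            # corporate-owned: full restriction set
        "is_mandatory": True,             # user cannot skip MDM enrollment
        "is_mdm_removable": False,        # user cannot unenroll from Settings
        "allow_pairing": False,           # no USB pairing with arbitrary Macs
        "await_device_configured": True,  # hold Setup Assistant until MDM releases it
        "support_phone_number": support_phone,
        "anchor_certs": [anchor_cert_pem],  # pins the CA the MDM URL must chain to
        "skip_setup_items": ["AppleID", "Siri", "Diagnostics"],  # no Apple ID needed
        "devices": serials,
    }


def audit_dep_profile(profile: dict[str, Any]) -> list[str]:
    """Flag settings that would let a user escape the corporate policy set."""
    findings = []
    if not profile.get("is_supervised"):
        findings.append("is_supervised is false: supervised-only restrictions unavailable")
    if not profile.get("is_mandatory"):
        findings.append("is_mandatory is false: user can skip enrollment in Setup Assistant")
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable is true: user can remove the MDM profile")
    if profile.get("allow_pairing", True):
        findings.append("allow_pairing is true: device can pair with any Mac")
    if not profile.get("anchor_certs"):
        findings.append("no anchor_certs: enrollment trusts any CA for the MDM URL")
    if not str(profile.get("url", "")).startswith("https://"):
        findings.append("url is not https")
    return findings


if __name__ == "__main__":
    # Constructed sample order: two serials, placeholder CA certificate.
    profile = build_dep_profile(
        "Field iPads", "https://mdm.example.com/enroll",
        ["DMPK1234ABCD", "F4KP5678EFGH"], "+1-555-0100",
        "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----",
    )
    print(json.dumps(profile, indent=2))
    print("findings:", audit_dep_profile(profile) or "none")
```

The audit is worth running on profiles that were edited by hand or imported from another tool, not only on ones this code built: the defaults in a downstream UI are easy to flip, and a profile with is_mdm_removable set to true undoes the "policies survive a wipe" property the text describes.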
Managing app configuration, state, installation, and revocation
A new MDM-managed capability, Managed App Configuration and Feedback, lets IT push a managed app's settings to the device as a dictionary of key-value pairs; the app reads the dictionary at launch and whenever the MDM server changes it, and writes status, error messages, and usage statistics to a feedback dictionary that the MDM server can poll to aid in troubleshooting. This should help corporate-provisioned apps behave as IT intends once installed and help IT support understand a user's app settings when a trouble ticket arrives. Because the configuration is delivered through the app's user defaults rather than the keychain, it should carry settings such as server URLs and feature flags, not passwords or other secrets.
The new app-requested single-app mode lets an app take over the device so that no other app can run. Use cases include in-store kiosks and single-purpose deployments such as poll-taking or patient registration. An MDM server can enable or disable this mode, so an app can hold the device only for a specific period, such as a testing or lesson app during a school session.
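The MDM-server side of this exchange, as an added example that is not code from the article or from Apple: it serializes the command that delivers the configuration dictionary to a managed app, refuses credential-like keys (the app receives the dictionary through its user defaults, not the keychain), serializes the command that collects the app's feedback, and parses the device's reply as untrusted input. The command names (Settings with an ApplicationConfiguration item; ManagedApplicationFeedback) follow the iOS 7 MDM protocol as this example understands it, and the layout of the feedback reply and the sample feedback entries are constructed for the example; check both against the MDM protocol reference before relying on the exact keys. On the app side the same data appears under the com.apple.configuration.managed and com.apple.feedback.managed keys of the app's user defaults.

```python
"""MDM-server side of managed app configuration and feedback.

Added example, not the article's or Apple's code. Command shapes follow the
MDM protocol as understood here; the feedback reply layout and the sample
entries are constructed. Verify key names against the protocol reference.
"""
import plistlib
import uuid
from datetime import datetime

# Managed configuration lands in the app's NSUserDefaults, not the keychain,
# so anything that looks like a credential is refused before it is sent.
_SECRET_HINTS = ("password", "passwd", "secret", "token", "apikey", "api_key")
_MAX_FEEDBACK_BYTES = 64 * 1024  # the device is untrusted input; cap its reply


def build_app_config_command(bundle_id: str, config: dict) -> bytes:
    """Serialize a Settings command that pushes `config` to the managed app."""
    for key, value in config.items():
        if any(hint in key.lower() for hint in _SECRET_HINTS):
            raise ValueError(f"refusing to ship credential-like key {key!r} in managed config")
        if not isinstance(value, (str, int, float, bool, list, dict)):
            raise TypeError(f"{key!r}: value must be a plist-serializable type")
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "Settings",
            "Settings": [{
                "Item": "ApplicationConfiguration",
                "Identifier": bundle_id,
                "Configuration": config,
            }],
        },
    }
    return plistlib.dumps(command)


def build_feedback_request(bundle_ids: list[str], delete_after_read: bool = True) -> bytes:
    """Serialize a ManagedApplicationFeedback command for the given apps."""
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {
            "RequestType": "ManagedApplicationFeedback",
            "Identifiers": bundle_ids,
            "DeleteFeedback": delete_after_read,  # clear entries once collected
        },
    }
    return plistlib.dumps(command)


def parse_feedback_response(raw: bytes) -> dict[str, list[dict]]:
    """Return {bundle_id: [feedback entries]} from a device reply, validating its shape."""
    if len(raw) > _MAX_FEEDBACK_BYTES:
        raise ValueError("feedback response exceeds size limit")
    response = plistlib.loads(raw)
    if response.get("Status") != "Acknowledged":
        raise ValueError(f"device reported status {response.get('Status')!r}")
    result: dict[str, list[dict]] = {}
    for app in response.get("ManagedApplicationFeedback", []):
        ident = app.get("Identifier")
        entries = app.get("Feedback", [])
        if not isinstance(ident, str) or not isinstance(entries, list):
            raise ValueError("malformed ManagedApplicationFeedback entry")
        # Keep only dictionary entries carrying a timestamp; drop anything else
        # rather than letting odd data from the app reach the ticketing system.
        result[ident] = [e for e in entries
                         if isinstance(e, dict) and isinstance(e.get("timestamp"), datetime)]
    return result


# Constructed sample reply, shaped as a device might return it after the app
# wrote two entries (and one junk value) to its feedback defaults domain.
SAMPLE_FEEDBACK_RESPONSE = plistlib.dumps({
    "CommandUUID": "00000000-0000-0000-0000-000000000000",
    "Status": "Acknowledged",
    "UDID": "constructed-udid",
    "ManagedApplicationFeedback": [{
        "Identifier": "com.example.fieldapp",
        "Feedback": [
            {"timestamp": datetime(2014, 3, 1, 9, 30), "error": "server unreachable"},
            {"timestamp": datetime(2014, 3, 1, 9, 45), "syncs": 12},
            "not a dictionary",
        ],
    }],
})

if __name__ == "__main__":
    print(build_app_config_command("com.example.fieldapp",
                                   {"serverURL": "https://api.example.com", "offlineDays": 7}).decode())
    print(parse_feedback_response(SAMPLE_FEEDBACK_RESPONSE))
```

The secret-key check is deliberately coarse; the point is that a server URL, a tenant name or a feature flag belongs in managed configuration, while anything the app must keep confidential should be obtained through the enrolled user's own login and stored in the keychain.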