Apple kicked off the annual WWDC conference yesterday and boy there was a flurry of information. There always is, but for people charged with managing Apple devices and vendors that support Apple devices there were some important releases. Some general themes to think about as you read through this list:
- Privacy is a thing. This includes securing files in the directories of a user by having the user accept a request to touch them (e.g. My Documents, er, I mean, Documents). This also means apps harvesting user data are doomed. The restrictions continue to flow in from iOS to the Mac. And that’s probably a good thing – as it helps keep people from getting taken advantage of. Because a global interconnected world has meant that crappy people are still crappy.
- Kexts are not a thing. Touching the kernel means a third party developer can pretty much do anything they want. That’s just not cool any more. So System Extensions are more controllable and now we’ll have a System Preference pane to manage them. So long live Extension Manager! Behind the scenes Apple developer relations is obviously looking at everything that requires a kext (security and network were on this years list) and trying to build legitimate frameworks that make those features work better and reduce the risk that developers without real Apple domain expertise will cause a poor user experience on a Mac.
- The age of federated identities is upon us. ASWebAuthentication came in 10.14. ASWebAuthenticationSession joins us in 10.15. Not every OpenID Connect, SAML, or OAuth 2 flow is supported, but it’s new and the people building those frameworks are clearly gaining the domain expertise to allow us to federate identities across apps. Might we some day see a pane in the System Preferences for a user’s identity like we do for other Accounts?
- Apple is playing better in the office. Managed Apple IDs, a federated ID for all your Apple assets, getting access to files on file servers for iOS, more documentation that organizations are asking for. This isn’t to say every enterprise will be happy. But the ones that believe in the same thing Apple developers believe in likely will. And that’s an important philosophical difference between trying to please all the people all the time.
- “There’s an app for that” has meant that every small utility you can think of gets its own app. Many of these are web apps with a slimmed down GUI experience built just for iOS platforms. Apple is clearly showcasing those that build different, great user experiences for different platforms. I just hope we don’t see some of the sub-par user experiences for iOS eek their way into crap-tastic software for the Mac. You have a lot more horsepower, a lot more screen real estate, and a lot more frameworks to call upon; use them.
- iPadOS. Rather than moving to bring platforms together, Apple is clearly sending a sign that they’re OK maintaining watchOS (which is now less of an extension of iOS and more of its own thing), macOS, iOS, now iPadOS, tvOS, and of course bridgeOS. The Mac will continue to see more and more requirements around sandboxing and have less native 3rd party scripting libraries; but at this point it seems clear that macOS is not going anywhere.
For release notes about specific OS advancements, see:
- Official iOS and iPadOS Release Notes: https://developer.apple.com/documentation/ios_ipados_release_notes/ios_ipados_13_beta_release_notes
- Official macOS 10.15 Release Notes: https://developer.apple.com/documentation/macos_release_notes/macos_10_15_beta_release_notes
Changes in macOS
- Activation Lock added to macOS: This means that a Mac can now be turned into a brick if an AppleID is used on the Mac
- MDMs need to escrow Activation Lock Bypass codes using ActivationLockBypassCodeCommand
- The default shell is now zsh but you can still use bash
- Moving from python 2.7 to python3 in Xcode command line tools
- svn removed
- System volume and data volume, meaning Apple-provided apps have all moved to `/System/Applications` which is more fully sandboxed
- New Endpoint Security framework: https://developer.apple.com/documentation/endpointsecurity?changes=latest_minor
- Likely there to reduce the reliance on a kext for security software
- EndpointSecurity system extensions load later than expected so cause certain events during startup to not be caught
- Federated Identities
- SAML in DEP for User Authentication
- New oath library
- OpenID in https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider?changes=latest_minor
- Enterprise iCloud Drive
- System Extensions https://developer.apple.com/documentation/systemextensions?language=objc
- New Kernel Extensions now require a reboot to load (PI 50340461)
- Wish they’d of called the Extensions System Preference pane “Extensions Manager”
- See https://developer.apple.com/videos/play/wwdc2019/714 for more on network frameworks Moar:
- iTunes Broken up into AppleTV app, etc.
- NSURLSessionTasks that use GET HTTP with a body throw an NSURLErrorDataLengthExceedsMaximum.
- Less stuff in Recovery Mode
- Scripting languages (Python, Ruby, and Perl) now labelled as “legacy software”. “Future versions of macOS won’t include scripting language runtimes by default”
- Use of Python 2.7 isn’t recommended as this version is included in macOS for compatibility with legacy software. Future versions of macOS won’t include Python 2.7. Instead, it’s recommended that you run
python3
from within Terminal. (51097165) - Apps that execute i386 code now fail with the
EBADARCH
error code (all should be 64 bit by now anywho) - The Privacy Preference pane now includes the following privacy keys: File Provider Presence, Listen Event, Media Library, Screen Capture, Speech Recognition, System Policy Desktop Folder, System Policy Documents Folder, System Policy Downloads Folder, System Policy Network Volumes, and System Policy Removable Volumes
- EOL for
kauth
API likely coming in 10.16 - Support for FTP URL scheme is gone (so ftp:// won’t work)
- Support for PAC URL scheme is gone so should use HTTP and HTTPS for PAC files. True for profiles
- SPDY support is removed so must switch to HTTP2 for
URLSession
andNSURLConnection
APIs - Network Kernel Extension API will be deprecated by release time
- Install Profile for macOS 10.15
- 802.1x System SetupMode at the loginwindow now correctly passes credentials
- Bundle (versus binary) packages are either not working properly or deprecated?
- New MacPro and MacPro monitor, the return of rack mount kits
- Can’t write directly to /Library/Preferences/OpenDirectory/Configurations/Search.plist
- New command line options:
- cpuctl: bring CPUs online and offline
- esctl: control endpoint security components
- ping_seedctl: loads the kernel PRNG seed file at /var/db/SystemEntropyCache
- /var/db/ConfigurationProfiles/Store
- Click fatigue anyone. Here’s a single workflow: Setup script automation prompt, Chrome with webauthn prompts for tracking keystroke/accessibility events, Desktop permission prompt, Documents permission prompt, Contacts/Music/Photos prompt, then auth to system preferences and an app is gonna’ crash in there somewhere because it’s burned too many resources waiting. This will get better but for now it kiiiiiinda’ sucks. I’d rather compile a project selecting the full list of warnings on first open for the user (as with installing an OpenID Connect token with pre-defined Scopes).
Changes in iOS
- Dark Mode support
- Support for FTP URL scheme is gone (so ftp:// won’t work)
- Support for PAC URL scheme is gone so should use HTTP and HTTPS for PAC files. True for profiles
- SPDY support is removed so must switch to HTTP2 for
URLSession
andNSURLConnection
APIs - watchOS less tied to a phone
- iOS Restore Images found at https://developer.apple.com/download/#ios-restore-images-iphone-new
- OpenID: https://developer.apple.com/documentation/authenticationservices/asauthorizationsinglesignonprovider?changes=latest_minor
- USB Storage
- Files app gets network storage access so no need to install File Browser
- Changes I don’t really care about but should be mentioned:
- Find my Phone and Find my Friends had a baby called Find My
- Swiping keyboards
- Three finger copy and paste gets a one finger response
- New reminders
- New maps
- Memoji makeup
- Swanky profile pictures in iMessages
- Photo Editing and Video Editing (seriously, no more lens sense flares)
- Music goes straight to your HomePod when you put your phone by it
Developer
- New Mac checkbox for iOS apps (so Marzipan is now called Catalyst because why not)
- SwiftUI more layered (like Angular)
- Quartz Composer is deprecated
- AppleID used to federate access to Apple portals (but not made available to 3rd parties like a standard OpenID Connect App would be)
- WatchOS has an App Store. And new complications. And isn’t exactly tied to an iPhone. Yah…
Changes in MDM Spefication
- My favorite would be the new docs that can be found at: https://developer.apple.com/documentation/devicemanagement
- New DEP Workflows
- SAML: https://developer.apple.com/documentation/devicemanagement/accountconfigurationcommand/command?changes=latest_minor
- User authentication via https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession
- configuration_web_url – a callback
- New GetBootstrapToken and SetBootstrapToken
- DEP screens you can now skip: Appearance, Welcome, PreferredLanguage
- SAML: https://developer.apple.com/documentation/devicemanagement/accountconfigurationcommand/command?changes=latest_minor
- Commands/Keys
- ClearRestrictionsPasswordCommand.Command
- DontAutoPopulatePrimaryAccountInfo
- IsUserEnrollment (better than checking if a cert is on a device)
- LockPrimaryAccountInfo
- PrimaryAccountFullName
- PrimaryAccountUserName
- RefreshCellularPlans
- SecureBoot (T2 or no)
- SecurityInfoResponse.SecurityInfo.SecureBoot updated
- https://developer.apple.com/documentation/devicemanagement/clear_the_restrictions_password?changes=latest_minor
- https://developer.apple.com/documentation/devicemanagement/get_bootstrap_token?changes=latest_minor
- VPP downloads from MDM server can cause an authorization dialog to appear on the client even if the client is doing device-based VPP.
- Apple School roster supports federated AppleID?
- Profile changes:
- App Lock: Disable the ability to, er, um, disable. Also manage voice control settings.
- Certificates: Restrict exporting (which actually works now).
- Content Caching: Disable alerts and restrict cache removal.
- Dock: Set double-click behavior to maximize, minimize, or do nothing. Set Show recents to disable changing the recently used items list. Set Window tabbing to manual, always or full screen.
- Exchange ActiveSync: We get OAuth 2 as an option! Disable calendars, contacts, mail, notes, and reminders if you want to selectively deploy EAS accounts.
- Menus: https://developer.apple.com/documentation/devicemanagement/managedmenuextras
- Privacy: Added File Provider Presence, Listen Event, Media Library, Screen Capture, Speech Recognition, System Policy Desktop Folder, System Policy Documents Folder, System Policy Downloads Folder, System Policy Network Volumes, and System Policy Removable Volumes
- Network: Force SIM cards
- Restrictions: New keys to remove Find My app, add Wi-Fi Power Modification (further preserving that battery life)
- SSO: New profiles configure SSO providers (Associated Domains connect apps and domains with a given URI for SSO): https://developer.apple.com/documentation/devicemanagement/extensiblesinglesignonsso
- Software Update: Force automatic installation of macOS and app updates.
- VPN configuration: A few new settings including not being able to export certs, tunneling at the packet level and tunneling over local networks.
- Wi-Fi: Added WPA3
tvOS
tvOS didn’t get a lot of love this year. But it did recently enough that there’s no reason to be concerned:
- AVFoundation now supports encoding video with alpha channels using HEVC
CAMetalLayer
is now in the Simulator
Apple Remote Desktop
How is ARD still getting updates that don’t include tunneling to remote clients? Well, now we can export computer lists to an encrypted archive and move them (with passwords!). And there’s a security tab in the preferences for improving auth. And Touch Bar support. Because that’s still a thing. Oh and Assistance cursors in the custom toolbar. Computer lists and their credentials can be exported to an encrypted archive and restored to other computers.
Podcasts!
We also did a MacAdmins Podcast Flashcast, which is available below.
Or stream audio!
It’s worth mentioning that my perspective is very much around device management. People who write software for audio and video will have a very different list. People who got Sherlocked yesterday will probably be drunk in an alley behind a bar so have… no list. Yet. They built a great product once. They can do it again. When they sober up. Or before. Dostoyevsky would be proud.