Still sniggering at that $999 monitor stand? Apple just got serious about the enterprise
Azure Active Directory integration and super secret APFS volumes? Oh my
WWDC Amid the hoo-ha surrounding Apple's WWDC announcements were some nuggets aimed at encouraging enterprises to get snuggly with the fruity firm's devices.
Sure, every other hipster likes to carry a MacBook around (the other half can be found complaining about their Surfaces), but Apple has yet to make much of an impact in the enterprise as far as macOS is concerned.
iPhones, however, are a whole different ball game, and though Apple's mobile cash cow no longer tops the charts, the things are popular with employees and the inherently locked-down nature of the devices is appealing to big biz.
While many were rejoicing at Apple's "invention" of the swipe keyboard and courageous decision to allow external storage to be plugged into its widgets, the firm quietly introduced three features aimed squarely at those managing fleets of its devices.
Managed Apple IDs and Azure AD, sitting in a tree, F-E-D-E-R-A-T-E-D
With Apple having determined that users will use their Apple IDs, to the point of requiring devs who offer third-party logins to include Sign in with Apple as an option (a shot across the bows of Google and Facebook), the company has also recognised that administrators may want to create and manage work Apple IDs, aka Managed Apple IDs, for employees.
This is all well and good, but what will get admins into a tizzy is the arrival of Microsoft Azure Active Directory integration in the (northern hemisphere) autumn, meaning Managed Apple IDs will be created on demand from the user's Azure AD account, thanks to the joy of federated authentication, rather than an admin provisioning them by hand.
Those charged with inflicting iThings on educational establishments may well be nodding in recognition: federated authentication with Microsoft Azure Active Directory arrived in Apple School Manager a few months ago. Now Cupertino is turning its gaze to the enterprise realm.
Once Apple Business Manager has been hooked up to an instance of Azure Active Directory, a user can use their AD credentials to sign into iPad, Mac or (if they are particularly masochistic) Apple's Google Drive also-ran, iCloud on the web.
And, of course, users will follow the same security policies thanks to that federated corporate ID: the password and sign-in rules are the Azure AD tenant's, not a second set of Apple credentials for admins to police.
With an eye on the Bring Your Own Device (BYOD) sector, Apple is bringing data separation to iOS in the form of User Enrollment. While the company has been pushing its Device Enrollment Program (DEP) to lock corporate-owned machines into Mobile Device Management (MDM) in order to keep configurations under control, the sentence "Your users' devices are also locked in MDM for ongoing management" from the company's DEP guide is enough to strike fear into any BYOD user.
Apple has been taking steps to be a little more BYOD-friendly with services such as last year's Apple Business Manager. Some third-party MDM platforms allowed users to opt-in their devices to get access to corporate email and calendars while blocking prying eyes from personal data.
User Enrollment will take this a step further, integrating a Managed Apple ID (see above) to establish an identity on the device and allow the user to enroll. It'll be a case of download a profile, hit "Enroll" in Settings and then sign in with that Managed Apple ID.
The key thing here is that the Managed Apple ID co-exists with the user's own personal Apple ID. The two don't interact, and the user can get to personal and work data without worrying that their own data might get wiped: the MDM server's reach is limited to the managed side, so it can remove the work data without wiping the whole device.
Under the hood, an entirely separate APFS volume is created for managed accounts, apps and data on the iThing, encrypted under its own keys and so cryptographically separated from the user's own files.
Per-app VPN keeps the split going on the network: only managed apps' traffic is routed through the corporate tunnel, while personal apps go direct, whatever Wi-Fi the device happens to be on. And, of course, un-enrolling the device from MDM destroys that extra volume along with its keys, leaving any remaining ciphertext unreadable.
iDevices with limited storage probably need not apply.
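To make the "cryptographically separated volume" point concrete, here is an added toy model (not Apple's code, and not how iOS actually stores keys; APFS volume keys live behind the Secure Enclave and use hardware AES) of what the split buys a BYOD user: one key per volume, a tag check that stops the personal key from opening managed data, per-app routing by bundle ID, and a crypto-erase on unenroll that leaves the managed ciphertext inert while personal files stay readable. HMAC-SHA256 in counter mode stands in for the block cipher so it runs with the standard library only; the bundle IDs and file contents are made up for the demo.

```python
"""Toy model of the User Enrollment storage split: one key per volume, crypto-erase on unenroll.

Added illustration, not Apple's implementation. HMAC-SHA256 in counter mode is a
stand-in for hardware AES so the example runs with only the standard library.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


class VolumeKeyDestroyed(Exception):
    """Raised when reading from a volume whose key has been discarded."""


def _keystream(key, nonce, length):
    """PRF counter mode: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag over nonce+ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first: a wrong volume key fails cleanly instead of yielding garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch: wrong volume key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Volume:
    """An encrypted volume with its own random key; files are stored only as ciphertext."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.files = {}  # name -> ciphertext blob

    def write(self, name, data):
        self.files[name] = encrypt(self._key, data)

    def read(self, name):
        if self._key is None:
            raise VolumeKeyDestroyed(name)
        return decrypt(self._key, self.files[name])

    def destroy_key(self):
        """Crypto-erase: ciphertext may linger on flash, but nothing can decrypt it."""
        self._key = None


class Device:
    """Personal volume always present; managed volume exists only while enrolled."""

    def __init__(self):
        self.personal = Volume()
        self.managed = None
        self.managed_apps = set()  # bundle IDs installed by MDM (hypothetical values below)

    def user_enroll(self, managed_apps):
        self.managed = Volume()  # fresh key, unrelated to the personal one
        self.managed_apps = set(managed_apps)

    def unenroll(self):
        dead = self.managed
        dead.destroy_key()
        self.managed, self.managed_apps = None, set()
        return dead  # returned only so the caller can show the leftover blobs are inert

    def route_for(self, bundle_id):
        """Per-app VPN: only managed apps' traffic enters the corporate tunnel."""
        return "per-app VPN" if bundle_id in self.managed_apps else "direct"


def demo():
    """Enroll, use both volumes, unenroll; return what each step observed."""
    dev = Device()
    dev.personal.write("photos", b"holiday photos")
    dev.user_enroll(managed_apps={"com.example.corpmail"})  # hypothetical bundle ID
    dev.managed.write("forecast", b"Q3 forecast")
    out = {
        "managed_plaintext": dev.managed.read("forecast"),
        "route_mail": dev.route_for("com.example.corpmail"),
        "route_personal": dev.route_for("com.example.personalapp"),  # hypothetical
    }
    try:  # the personal key cannot open managed data: the tag check rejects it
        decrypt(dev.personal._key, dev.managed.files["forecast"])
        out["cross_volume_decrypt_fails"] = False
    except ValueError:
        out["cross_volume_decrypt_fails"] = True
    dead = dev.unenroll()
    try:
        dead.read("forecast")
        out["managed_readable_after_unenroll"] = True
    except VolumeKeyDestroyed:
        out["managed_readable_after_unenroll"] = False
    out["personal_after_unenroll"] = dev.personal.read("photos")
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is the one that matters for BYOD: "wipe" is discarding a key, not scrubbing flash, and because the managed key is never derived from the personal one, neither an MDM un-enroll nor a compromised work app gives anyone a handle on the personal volume.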
However, Apple is hardly the only game in town. Google has been inflicting Android management functions on enterprises for over four years, with the Android for Work initiative (since rebranded Android Enterprise) designed specifically to keep user data and business content apart via dedicated work profiles. But Apple has certainly upped the ante somewhat in the BYOD stakes.
Apple's final tilt at enterprise administrators comes in the form of a single sign-on extension. It is aimed at developers, but at those writing for identity providers rather than at app coders: once an IdP ships its extension and an admin has pushed the matching configuration via MDM, native apps and websites that use that identity provider will authenticate the user automatically, without the apps themselves needing changes.
The extension will support iCloud Keychain, Per-app VPN, multi-factor authentication and user notification. So yes, Face ID and Touch ID.
Those charged with managing Apple's pricey hardware may well recognise some of these enterprise-friendly features from existing third parties. For example, Jamf already makes quite a good fist of binding the firm's Macs to Active Directory.
However, by shovelling so much aimed at enterprises into its operating systems, with some help from best buddy Microsoft, Apple has put forward its strongest case yet that its machines are no longer so special that administrators need recoil in horror at managing them. ®