What’s new for enterprise in Apple’s iOS 11.3
iOS 9.3 and 10.3 were the releases where Apple introduced most of the changes and enhancements to managing iOS devices in the enterprise, and it looks like that pattern continues with 11.3. Below are some of the interesting ones, but as always this is based on beta releases, so not all features may make it into the final release.
A long-requested enterprise feature, this Restriction will prevent users of Supervised devices from seeing or installing iOS updates for between 1 and 90 days.
Unmanaged apps (that is, apps NOT installed via MDM, typically users’ personal apps) will no longer be able to access contacts in Managed email accounts. This will prevent, for example, WhatsApp reading contacts from the corporate email account that has been deployed to the device by MDM. This is a very common enterprise request and is yet another nail in the coffin of containerised email clients on iOS devices.
iOS 11.3 will allow storing Messages in iCloud and syncing them between all of a user’s devices. This may pose challenges for some organisations if Messages is used for business purposes, because those messages could now end up on the user’s personally owned devices, and vice versa: messages from personally owned devices could end up on company-owned devices, potentially triggering a privacy/GDPR concern. On the plus side, syncing Messages to iCloud should make it much easier to move users from old to new devices without having to do a full device restore.
USB Restricted Mode is a security feature requiring users to enter their passcode or reconnect the accessory while the device is unlocked at least once a week; otherwise the accessory will no longer function when the device is locked. This can be problematic for COSU devices, in retail setups for example, so this new Restriction allows disabling USB Restricted Mode on Supervised devices.
The InstalledApplicationList MDM command returns a list of apps installed on devices. It now returns these additional pieces of information about each app: AppStoreVendable, DeviceBasedVPP, BetaApp, AdHocCodeSigned and HasUpdateAvailable. DeviceBasedVPP allows MDM solutions to determine if an app is using a device-based VPP licence, which should make it easier to roll out this feature reliably. HasUpdateAvailable should greatly enhance the implementation of enterprise app stores by the MDM vendors, which can currently be unreliable and error-prone when it comes to displaying to users which apps need to be updated.
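As an added illustration (not code from this article or from any MDM vendor), the sketch below shows how an MDM back end could sort an InstalledApplicationList response using the five new keys, treating entries that lack them as unreported rather than as false. The sample response is constructed, the report category names and the helper `_app` are hypothetical, and the `Status`/`Identifier` layout is assumed to follow Apple's MDM protocol.

```python
import plistlib

# The five per-app keys named above as new in iOS 11.3.
NEW_KEYS = ("AppStoreVendable", "DeviceBasedVPP", "BetaApp",
            "AdHocCodeSigned", "HasUpdateAvailable")

def _app(identifier, **flags):
    """Hypothetical helper that builds one constructed app entry."""
    return {"Identifier": identifier, **flags}

# Constructed sample response, not captured from a real device.
SAMPLE_RESPONSE = plistlib.dumps({
    "Status": "Acknowledged",
    "InstalledApplicationList": [
        _app("com.example.crm", AppStoreVendable=True, DeviceBasedVPP=True,
             BetaApp=False, AdHocCodeSigned=False, HasUpdateAvailable=True),
        _app("com.example.chat", AppStoreVendable=True, DeviceBasedVPP=False,
             BetaApp=False, AdHocCodeSigned=False, HasUpdateAvailable=False),
        _app("com.example.fieldtool", AppStoreVendable=False, DeviceBasedVPP=False,
             BetaApp=False, AdHocCodeSigned=True, HasUpdateAvailable=False),
        _app("com.example.preview", AppStoreVendable=False, DeviceBasedVPP=False,
             BetaApp=True, AdHocCodeSigned=False, HasUpdateAvailable=False),
        _app("com.example.legacy"),  # entry without the new keys
    ],
})

def audit_installed_apps(response_plist: bytes) -> dict:
    """Group app identifiers by the new InstalledApplicationList flags."""
    response = plistlib.loads(response_plist)
    if response.get("Status") != "Acknowledged":
        raise ValueError(f"command not acknowledged: {response.get('Status')!r}")
    report = {"needs_update": [], "adhoc_or_beta": [],
              "no_device_vpp": [], "not_reported": []}
    for app in response.get("InstalledApplicationList", []):
        ident = app.get("Identifier", "<no identifier>")
        # A missing key means "unknown" (e.g. an older OS), never "False".
        if not all(key in app for key in NEW_KEYS):
            report["not_reported"].append(ident)
            continue
        if app["HasUpdateAvailable"]:
            report["needs_update"].append(ident)
        if app["AdHocCodeSigned"] or app["BetaApp"]:
            report["adhoc_or_beta"].append(ident)
        if app["AppStoreVendable"] and not app["DeviceBasedVPP"]:
            report["no_device_vpp"].append(ident)
    return report

if __name__ == "__main__":
    for category, identifiers in audit_installed_apps(SAMPLE_RESPONSE).items():
        print(f"{category}: {identifiers}")
```
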
Bluetooth can now be turned on or off over-the-air on Supervised devices. Note that there is already a Restriction that prevents a user from changing the current Bluetooth status from on to off and vice versa; this new function actually allows turning Bluetooth on or off, similar to how roaming can be turned on/off over-the-air.
Arranging apps on the Home Screen was already possible; this has now been extended to Web Clips.
The ScheduleOSUpdate MDM command is used to push an iOS update on Supervised devices. From iOS 11.3 onwards it will be possible to specify the exact version of iOS the device should upgrade to. Presumably the existing restrictions around which versions of iOS a device can update to will still apply.
The InstallApplication MDM command is used to push app installs to iOS devices and will now be able to force the re-install of system applications as well as the enterprise and App Store apps it could already handle.
Proximity Setup allows a user to quickly set up a blank device by syncing settings and data from their old device: the two are held near each other and a direct transfer is allowed. MDM solutions now have the ability to prevent Proximity Setup from being used with a device that is about to be wiped.
The Device Enrolment Programme (DEP) allows skipping certain screens during the setup wizard of new devices; the Privacy screen can now also be skipped.
Allows an organisation to specify a white-list of Apple TVs that the Remote app on a given iOS device is allowed to control.
It is currently possible to set up an Always-On VPN from iOS devices that routes all traffic down the tunnel except for specific services, such as VoiceMail and AirPrint. This new option allows cellular services such as MMS messages to also bypass the VPN.