iOS 11.3 is now on its third beta version and, based on previous x.3 releases, is likely to be available to users towards the end of March. iOS 9.3 and 10.3 were the releases where Apple introduced most of the changes and enhancements to managing iOS devices in the enterprise, and it looks like that pattern continues with 11.3. Below are some of the interesting ones, but as always this is based on beta releases, so not all features may make it into the final release.
Delay the ability to see and install iOS updates for up to 90 days
A long-requested enterprise feature, this Restriction will prevent users of Supervised devices from seeing or installing iOS updates for between 1 and 90 days.
Prevent unmanaged apps from accessing contacts in managed accounts
Unmanaged apps (that is, apps NOT installed via MDM, typically users’ personal apps) will no longer be able to access contacts in Managed email accounts. This will prevent, for example, WhatsApp reading contacts from the corporate email account that has been deployed to the device by MDM. This is a very common enterprise request and is yet another nail in the coffin of containerised email clients on iOS devices.
Messages in iCloud
iOS 11.3 will allow storing Messages in iCloud and syncing them between all of a user’s devices. This may pose challenges for some organisations if Messages is used for business purposes: business messages could now end up on the user’s personally owned devices and, vice versa, messages from personally owned devices could end up on company-owned devices, potentially triggering a privacy/GDPR concern. On the plus side, syncing Messages to iCloud should make it much easier to move users from old to new devices without having to do a full device restore.
Disable USB Restricted Mode
USB Restricted Mode is a security feature requiring users to enter their passcode or reconnect the accessory while the device is unlocked at least once a week, or the accessory will no longer function when the device is locked. This can be problematic for COSU devices in retail setups, for example, so this new Restriction allows disabling USB Restricted Mode on Supervised devices.
The InstalledApplicationList MDM command returns a list of apps installed on devices. It now returns these additional pieces of information about each app: AppStoreVendable, DeviceBasedVPP, BetaApp, AdHocCodeSigned and HasUpdateAvailable. DeviceBasedVPP allows MDM solutions to determine if an app is using a device-based VPP licence, which should make it easier to roll out this feature reliably. HasUpdateAvailable should greatly enhance the implementation of enterprise app stores by the MDM vendors, which can currently be unreliable and error-prone when it comes to displaying to users which apps need to be updated.
Enable and disable Bluetooth
Bluetooth can now be turned on or off over-the-air on Supervised devices. Note there is already a Restriction that prevents a user from changing the current Bluetooth status from on to off and vice versa; this new function actually turns Bluetooth on or off, similar to how roaming can be turned on or off over-the-air.
Arrange WebClips to the Home Screen Layout payload
Arranging apps on the Home Screen was already possible; this has now been extended to Web Clips.
The ScheduleOSUpdate MDM command is used to push an iOS update on Supervised devices. From iOS 11.3 onwards it will be possible to specify the specific version of iOS the device should upgrade to. Presumably the existing restrictions around which versions of iOS a device can update to will still apply.
The InstallApplication MDM command is used to push app installs to iOS devices and will now be able to force the re-install of system applications as well as the enterprise and App Store apps it could already handle.
Skip the Proximity Setup screen on first reboot after using the EraseDevice command
Proximity Setup allows a user to quickly set up a blank device by syncing settings and data from their old device, holding the two near each other to allow a direct transfer. MDM solutions now have the ability to prevent Proximity Setup from being used with a device that is about to be wiped.
Skip the Privacy screen during setup
The Device Enrolment Programme (DEP) allows skipping certain screens during the setup wizard of new devices; the Privacy screen can now be skipped as well.
Restrict the Remote app from connecting to specific Apple TV devices
Allows an organisation to specify a whitelist of Apple TVs that the Remote app on a given iOS device is allowed to control.
Allow MMS messages to bypass Always-On IKEv2 VPN
It is currently possible to set up an Always-On VPN on iOS devices that routes all traffic down the tunnel except specific services, such as VoiceMail and AirPrint. This new option allows cellular services such as MMS messages to also bypass the VPN.