Deploying Apple Devices

Ivanti Neurons for MDM supports management for all your Apple devices. It is a comprehensive solution to provision, manage, update, and secure your fleet providing the end user with the best user experience.

This section contains the following topics:

• Installing your Apple MDM certificate

• Enrolling Apple Devices

• Ivanti Go for iOS Client

• Managing Applications for Apple Devices

• Managing Configurations

• Managing Software Updates

• Setting up iOS/iPadOS Devices

• Setting up watchOS Devices

• Supported device actions for watchOS Devices

• Setting up visionOS Devices

• Supported device actions for visionOS Devices

• Setting up macOS Devices

• Setting up TvOS devices

• Support for Declarative Device Management

Installing your Apple MDM certificate

To manage Apple devices, start by requesting and installing an Apple MDM certificate to manage iOS devices. Renew the Apple MDM certificate once a year. (The Apple account used for creating the certificate receives a notification from the Apple site when the expiration date approaches.) Use the MDM Certificate page to add or renew this certificate.

Follow steps described in Install MDM Certificate

Enrolling Apple Devices

You can choose any one of the following method to enroll devices:

• Automated Device Enrollment

• Apple School Manager

• Apple Configurator

Ivanti Go for iOS Client

The next step is to select the enrollment type that your company allows for your devices. Ivanti Neuros for MDM currently supports:

• Device Registration (iOS, macOS, and Android)

• User Enrollment with Apple Business Manager

• Account driven User Enrollment

• Settings (Apple)

Managing Applications for Apple Devices

The App Catalog page in Ivanti Neurons for MDM serves as an interface for administrators to govern their app catalog efficiently. This functionality encompasses the orchestration of mobile applications available to end-users, spanning both public app stores and those earmarked for distribution through Ivanti Neurons for MDM.

Supported Apps:

The App Catalog page aggregates various types of apps, including Public AppStore apps, Custom Apps, in-house developed apps, AppConnect-enabled apps, GoClient for iOS, and M@W for macOS, streamlining the importation process for subsequent configuration and distribution.

On devices operating under Mobile Application Management (MAM)-Only configurations, iOS users are prompted to select an authentication certificate upon accessing the App Catalog. This authentication step is crucial for securing access to the listed apps and aligning with robust security practices.

M1 chipset MacBooks from Apple offer specialized support for iPhone and iPad VPP apps within [Your Software Product]. Notably, only administrators have the authority to push supported iPhone and iPad VPP apps, restricting users from installing them directly from the App.

For detailed implementation instructions and configuration options, please refer to the comprehensive documentation available in the in the Admin guide and resources below:

• Managing Apps

• App Catalog Settings

• Set up Apple Apps and Books

• Apps@Work Corporate App Store

• MacOS AppStore Restrictions

Managing Configurations

Configurations are collections of settings that you as an administrator send to devices. For example, you can use configurations to automatically set up VPN settings and passcode requirements on the devices. The existing configurations for your system are listed in the Configurations page. You can select multiple configurations from the Configurations page and push them to multiple devices at once. These configurations can be pushed to devices specific to spaces and the devices in other spaces remain unaffected. Configurations can be pushed to either a single space or multiple spaces or all spaces at a time.

Most configurations in Ivanti Neurons for MDM are common to all platforms. For more details on how to work with configurations see Working with Configurations.

Some configurations are supported only by specific Platforms. You can review the list by platform supported on Configuration Types

Managing Software Updates

You can start by setting up the Software Update configuration for your iOS and macOS devices.

When setting up a scheduled windows for the Software Update, the OS Update command will be pushed every hour to the device to make sure the update does not miss the window. As per Apple behavior every time the OS update command is received by the device a pop-up will notify the user to upgrade. User can defer up to three times. At the third time as per Apple behavior the Device will Force Upgrade.

MacOS devices have some specific rules that can be applied. See macOS Software Update Rules Configuration

OS Update Command for iOS

You can also send a one time command to update to one or more devices from the Device List or from the Device Page. See Schedule OS Update Command.

Setting up iOS/iPadOS Devices

The following configurations are supported for your iOS/iPadOS :

• iOS/iPadOS Restrictions

• eSIM configuration

  • Preserve Data Plan

• Mobile Network Configurations

• Enable Lost Mode

• Configuring an iOS MDM Profile

• Single App Mode

  • Autonomous Single App Mode

• Shared iPad for Business

• Education Configuration

• iOS Custom Configuration

• Lock Screen Message

Setting up watchOS Devices

You can now enroll Apple watchOS devices into Ivanti N-MDM while pairing with the iOS devices.

This feature currently supports: watchOS 10+.

The watchOS device management is not supported on Private Cloud.

ProcedureProcedure

1. You must enroll the iOS 17+ supervised device.

2. Assign the Apple Watch enrollment configuration to the iOS device.

3. You can now pair your Apple Watch to the iPhone.

You can pair the Apple Watch after pushing the Watch configuration to the iPhone. You cannot enable Remote Management for an Apple Watch if the Watch configuration is pushed to the iPhone after the Apple Watch pairs with it.

The following configurations are supported for your watchOS devices:

• Cellular_Configuration

• Certificate configuration

• Certificate Transparency

• Identity_Certificate_Configuration

• iOS Restrictions

• Passcode_Settings

• Per-App_VPN_Configuration

• Wi-Fi_Configuration

Supported device actions for watchOS Devices

The following device actions are supported for your watchOS devices:

• Clear passcode

• Lock Apple watch

• Wipe Apple watch

• Unenroll Apple watch from Ivanti Neurons for MDM

  Unenrolling paired iOS device will reset the watch and unpairs from the iOS device.

Setting up macOS Devices

The following configurations are supported for your macOS:

• macOS Restrictions

• Configuring macOS Devices

• Working with Scripts and the Mobile@Work Client

• Configuring a macOS MDM Profile

• Setting Firmware Password

• Enable FileVault

  • FileVault Recovery Key

  • FileVault Options Configuration

• Platform and Extensible SSO

• Active Directory macOS

• Firewall

• Ethernet

• Office 365 Account Creation

• macOS System Extensions

• Media Disk Burning Restrictions

• Privacy Settings

Setting up TvOS devices

The following configurations are supported for your tvOS:

• Apple TV Configuration

• Apple TV Restrictions

• Conference Room Display

• AirPlay Mirroring

Setting up visionOS Devices

You can now enroll Apple visionOS devices into Ivanti Neurons for MDM.

This feature currently supports: visionOS 1.1+

You can enroll visionOS devices using Account driven Device Enrollment or Account driven User Enrollment.

The following configurations are supported for your visionOS devices:

• CalDAV Configuration

• CardDAV Configuration

• Certificate configuration

• Certificate Revocation Checking Configuration

• Certificate Transparency

• Creating DNS Proxy Configuration

• Encrypted DNS

• Email Configuration

• Exchange Configuration

• Google Configuration

• Identity Certificate

• iOS Restrictions

• LDAP Configuration

• Managed Domains

• Network Relay Configuration

• Per-app VPN Configuration

• Single Sign-On Configuration

• Subscribed Calendar Configuration

• VPN Configuration

• Web Content Filter

• Wi-Fi Configuration

Supported device actions for visionOS Devices

The following device actions are supported for your visionOS devices:

• Wipe Apple Vision Pro

• Retire Apple Vision Pro

• Unlock Apple Vision Pro

Support for Declarative Device Management

Apple's Declarative Device Management is a modern management protocol that allows managed devices to proactively and autonomously apply their own management settings with less communication. Declarative Device Management is enabled on newly enrolled devices during enrollment or during check-in for already enrolled devices.

Declarative Device Management is automatically enabled on the following eligible devices:

• Computers with macOS 13 or later

• Devices with iOS 15 or iPadOS 15 or later

• Devices enrolled via User Enrollment support Declarative Device Management on iOS or iPadOS 16 or later.

• Apple TV devices with tvOS 16 or later

• Apple Watch devices with watchOS 10 or later

• Apple Vision Pro devices with visionOS 1.1 or later

Current supported Declarative Management Features:

• Status Channels:

  • Changes to the OS Version

  • Passcode compliance

  • Passcode present

• Configuration:

  • Declarative Management Configuration