-
Notifications
You must be signed in to change notification settings - Fork 941
Update what's new from WWDC 2026 w/ Fleet support + Apple IT summit #49440
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
679c759
857ad98
98b8335
e0424cc
7f4a4f4
bbb3417
5662366
3b02a71
35b526f
87d64b7
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -27,11 +27,11 @@ Apple is raising the transport security floor for system processes involved in d | |
|
|
||
| New requirement: TLS 1.2 minimum with ATS-compliant cipher suites and certificates. If your MDM or management infrastructure falls short, things break in ways that aren't always obvious. Enrollment failures, profiles not installing, update commands silently failing. | ||
|
|
||
| Apple published [support article 126655 ("Prepare your network environment for stricter security requirements")](https://support.apple.com/en-us/126655) to help you audit. Run it against your MDM and any internal management endpoints now, not in September. | ||
| Apple published [support article 126655 ("Prepare your network environment for stricter security requirements")](https://support.apple.com/en-us/126655) to help you audit. Run it against your MDM and any internal management endpoints now, not in September. If you're using Fleet, you no action needed. Fleet meets the new requirements. | ||
|
|
||
| ## New and migrated declarative configurations | ||
|
|
||
| > Enable the [`mdm.allow_all_declarations` feature flag](https://fleetdm.com/docs/configuration/fleet-server-configuration#mdm-allow-all-declarations) to deploy any device-scoped, configuration [declaration (DDM profile)](https://developer.apple.com/documentation/devicemanagement/devicemanagement-declarations) with Fleet. Assets and user-scoped declarations are [coming in Fleet 4.90](https://github.com/fleetdm/fleet/issues/38986). At the same time, Fleet will enable this feature flag out-of-the-box. | ||
| > Enable the [`mdm.allow_all_declarations` feature flag](https://fleetdm.com/docs/configuration/fleet-server-configuration#mdm-allow-all-declarations) to deploy any device-scoped, configuration [declaration (DDM profile)](https://developer.apple.com/documentation/devicemanagement/devicemanagement-declarations) with Fleet. Assets and user-scoped declarations are [coming in Fleet 4.90](https://github.com/fleetdm/fleet/issues/38986). At the same time, Fleet will enable this feature flag out-of-the-box. Custom activations are [coming in Fleet 4.91.0](https://github.com/fleetdm/fleet/issues/48222). | ||
|
|
||
| Apple keeps expanding what DDM can express. Here's what's new in OS 27. | ||
|
|
||
|
|
@@ -45,8 +45,6 @@ Notable controls: `AllowGenmoji`, `AllowImagePlayground`, `AllowWritingTools`, ` | |
|
|
||
| **Content caching (macOS 27):** The `com.apple.configuration.content-cache.settings` configuration replaces the `com.apple.AssetCache.managed` profile. New status items for cache info, parents, and peers. Custom HTTPS reporting endpoints are supported. If you run content caches, plan the migration. | ||
|
|
||
| **Configuration profiles as declarative assets:** Legacy profiles can be delivered as declarative assets via the new `ProfileAssetReference` key in `com.apple.configuration.legacy`. Integrity verification is built in. This is a useful bridge for teams partway through the DDM transition. | ||
|
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. FYI @kitzy I think we want to remove this because at the Apple IT summit in Cupertino we learned that the
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I'm good w/ removing it. |
||
|
|
||
| ## App management changes | ||
|
|
||
| **New unified app settings configuration:** `com.apple.configuration.app.settings` consolidates allowed and denied app management for iOS, iPadOS, tvOS, and visionOS. On macOS it adds binary-level control via Endpoint Security. A new `AlwaysAllowManagedApps` key preserves managed app access regardless of your allow-list configuration. | ||
|
|
@@ -95,9 +93,9 @@ A few things worth setting user expectations on: Siri AI requires a user waitlis | |
|
|
||
| If you're building your OS 27 response plan: | ||
|
|
||
| 1. Verify your MDM vendor's DDM software update support. This is the fire drill. Do it today. | ||
| 2. Audit TLS/ATS compliance across your MDM and management infrastructure using Apple's support article 126655. | ||
| 3. Migrate Intelligence, Siri, and keyboard restrictions to the new declarative configurations. | ||
| 1. Verify your MDM vendor's DDM software update support. This is the fire drill. Do it today. If you use Fleet, you're already set. | ||
| 2. Audit TLS/ATS compliance across your MDM and management infrastructure using Apple's support article 126655. If you use Fleet, you're already set. | ||
| 3. Migrate Intelligence, Siri, and keyboard restrictions to the new declarative configurations. Fleet already supports all declarations that are replacing deprecated v1 profiles (.mobileconfig). Assets and user-scoped declarations are [coming in Fleet 4.90](https://github.com/fleetdm/fleet/issues/38986). Custom activations are [coming in Fleet 4.91.0](https://github.com/fleetdm/fleet/issues/48222). | ||
|
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
@MagnusHJensen is this true today? (pre 4.90) Do I have to turn on the feature flag? (mdm.allow_all_declarations) |
||
| 4. Plan the app management migration away from `com.apple.applicationaccess.new` on macOS. | ||
| 5. Update your re-enrollment runbooks to account for the backup restoration change. | ||
| 6. Start the Intel Mac refresh conversation if you haven't already. | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JordanMontgomery is this right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not quite. There's nothing needed for cloud hosted customers however self hosted customers could still need to make changes