When it comes to reasons to upgrade to iOS 16, it’s no surprise that most of the focus is on the consumer-friendly features of the new OS. But there are plenty of reasons for enterprise users to upgrade — including these productivity-enhancing tweaks.
Big improvements in SSO
Single sign-on (SSO) lets an employee sign into their managed device once to see it set up for use, including applications and services deployments. Like most simple things, it relies on a complex web of technologies first introduced with Sign in with Apple in 2019. Significant enhancements have been introduced in iOS 16, including support for User Enrollment. You can enroll via an MDM provider or via a Managed Apple ID, depending on company deployment strategy.
In another nugget of good news for enterprise IT, Apple has introduced support for OAuth 2.0, which supports additional identity provision systems from third-party services. You can find out more about these enhancements here.
Sign in with Apple at Work & School
Apple introduced integration with Google Workspace earlier this year following previous support for Microsoft sync. Now it has gone further with Sign in with Apple at Work & School, which adds support for Managed Apple IDs to Sign in with Apple.
What that somewhat brand-name-heavy word jamboree means is that employees, educators, and students can sign in with their Managed Apple IDs, which essentially makes it way easier for businesses to distribute and manage employee apps. This also makes for highly efficient device deployments alongside SSO.
Managed Device Attestation
Announced at WWDC 2022, Managed Device Attestation helps prevent attackers from stealing a device’s TLS private keys, spoofing legitimate devices, or lying about a device’s properties. It relies on the Secure Enclave to secure communication between managed devices and services such as MDM. In use, it helps protect vulnerable endpoints and enterprise services against various forms of security compromises.
Declarative Device Management
Introduced last year and set to be extended to the Mac with macOS Ventura, Declarative Device Management makes managed devices more proactive and intelligent, which means MDM systems gather early warning signs in the event unauthorized changes are made to the device. In iOS 16, this extends to automated and profile-based device enrollments. Shared iPad support will also be introduced with iPadOS.
What’s better than weak passwords? No password
Apple is working to reduce the need for authorization. Its work to replace CAPTCHA technology with seamless authorization based around a device’s first login means passwords will become less important — though it does make it far more important to ensure the one master password you and your employees use is unique, rock solid, and highly secure. Apple has also introduced Passkeys, further accelerating a move toward a hopefully more secure password-free future.
Managed per-app networking
Apple is expanding the per-app managed networking capabilities it supports to include DNS proxies and web content filters for iOS 16 devices enrolled with User Enrollment. This helps ensure only network traffic initiated by managed apps travels through a corporate web content filter or DNS proxy. This cleverly keeps your employees’ personal traffic separate and unfiltered, which means your business gets good protection over the data it cares about while your staff keep their private lives private.
Data separation in Calendar and Reminders
If you use the Calendar and Reminders apps across your business, you need to know that in iOS 16 both apps support full data separation for devices enrolled with User Enrollment. It means that when a user signs in with their Managed Apple ID, the app will create a second database containing events and metadata that concern your organization’s calendars and reminders. This should help protect user privacy while protecting your business secrets. Another useful enhancement lets you use Filter Fields when sharing contact information from your device, which means you can share just the information that is required, rather than an entire contact card.
While Apple says most of us will never need to use its new and highly secure “Lockdown Mode,” it does make sense for any business or business user to look at the protection it provides. It’s an approach to device security that makes complete sense to any company doing business in unstable regions, or any enterprise in which privacy and data security are paramount. Unfortunately, use of this mode vastly reduces the capabilities of your device. Among other limitations, Lockdown Mode curtails some web services, Messages content, and invitations; wired connections won’t work; and you cannot sign a device into MDM (though pre-existing enrollment is preserved). You enable the mode in Settings > Privacy & Security > Lockdown Mode.
Rapid Security Response
This is an important update for enterprise security. Apple has developed a new system to push security updates out to users swiftly. When Rapid Security Response is enabled, security patches can be automatically downloaded and/or installed as they are made available. Apple has also created two new APIs for MDM service providers, which enable IT admins to either enforce or prevent use of Rapid Security Response across their Apple device fleets.
Configurator gets better
If you are an Apple admin used to using Configurator to add devices to your Apple Business Manager (ABM) account as you enroll them to your chosen MDM service, you’ll be exultant that Apple now makes it possible to add Macs, iPads, and iPhones to ABM using a version of Configurator on your iPhone. This is going to save a good deal of time for many businesses who have had to use a wired connection on the Mac to support some devices until now.
A boon for small business
Apple has reached a deal with Cloudflare that lets users purchase email domains from within iCloud Settings. You can then use the custom domain as your email address, share email addresses based on your domain with others, and more in iOS 16.
Smart Card support
iOS 16 and iPadOS 16 support PIV Smart Cards and CCID-compliant readers, though admins will need to contact the developer of their CCID reader to verify that iOS is presently supported.
Making it easier to swap eSIMs
Given that Apple has made iPhone 14 eSIM-only in the US, another improvement that was slightly ignored on announcement now makes a lot of sense. You will be able to transfer eSIMs between iPhones using Bluetooth. To do so, just move your older iPhone close to your new one and follow the Set Up Cellular command dialog. We’ll see if Apple has gone far enough to make this a seamless transition.
Brand Indicators for Message Identification
Apple has adopted Brand Indicators for Message Identification (BIMI), a specification that enables use of brand-controlled logos within emails. It’s not perfect and the cost of exploiting it is such that most smaller enterprises will probably ignore it, but the move does add another layer of protection to help distinguish genuine corporate emails from spam.
iOS 16 compatibility guide
The following devices are compatible with iOS 16:
- iPhone 13
- iPhone 13 Mini
- iPhone 13 Pro
- iPhone 13 Pro Max
- iPhone 12
- iPhone 12 Mini
- iPhone 12 Pro
- iPhone 12 Pro Max
- iPhone 11
- iPhone 11 Pro
- iPhone 11 Pro Max
- iPhone XS
- iPhone XS Max
- iPhone XR
- iPhone X
- iPhone 8
- iPhone 8 Plus
- iPhone SE (2nd generation or later).
Copyright © 2022 IDG Communications, Inc.