Episode 334: What’s new at Apple with Jeremy Butcher
Jeremy Butcher rejoins the Mac Admins Podcast to talk about Apple’s new operating systems for 2023, and all the technologies that Mac Admins can look forward to trying out this Fall! Are you ready for Managed Apple IDs that do more for your business? Are you excited for Software Update with deadlines? Let’s dive in.
- Tom Bridge, Director of Product Management, Devices, JumpCloud – @firstname.lastname@example.org
- Charles Edge, CTO, Bootstrappers.mn – @cedge318
- Marcus Ransom, Senior Sales Engineer, Jamf – @marcusransom
- Dr. Emily Kausalik-Whittle, Manager, Client Platform Engineering, Jamf – @emilyooo
- Jeremy Butcher, Director of Product Marketing, Enterprise & Education, Apple – LinkedIn
- Apple Business Essentials
- AppleCare Products – Apple
- Using Shortcuts on macOS to create powerful multi-step actions for Stream Deck
- How We BYO @ Jamf, JNUC 2023
Please note that this transcript was generated automatically
Speaker 2 (00:01:18):
Hello and welcome to the Mac Admins Podcast. I’m your host, Tom Bridge and Marcus, it is coming up on springtime down there. You have to be coming out of the doldrums of winter. Yes.
Speaker 3 (00:01:29):
Yesterday. No, today it looks like it is. It’s not wet outside, but that’s how it is in Melbourne. Alright. Different things happening outside every hour.
Speaker 2 (00:01:42):
If you don’t like the weather, wait five minutes, it’d be different. That is very much the shoulder seasons here in Washington, although it is always sunny in California. I am told, or at least that is what the songs sing. Jeremy Butcher, welcome back to the Mac Admins Podcast.
Speaker 4 (00:01:56):
Thank you. Thank you. Glad to be here. It is sunny and very warm today. 93 or something like that.
Speaker 2 (00:02:03):
Oh geez, I
Speaker 4 (00:02:04):
Can’t convert. You guys are bacon now that super. Well, I’m going to say that’s mid thirties, mid thirties, mid to low thirties. Yeah. But yeah, it’s toasty today. We’re in a nice air conditioned room, so I can’t complain.
Speaker 2 (00:02:17):
Fantastic. Yeah, and we’re so glad that you could join us too. We always appreciate it when you do and we’re going to be talking a lot today about the Apple’s major releases as we head into the fall season, or excuse me, the WMA series.
Speaker 3 (00:02:32):
Yes, Tom, we have spoken about this. We’ll put a link in the show notes here in Australia. We’ve got many different indigenous regions and indigenous peoples that describe seasons in very different ways, and WMA me is the nose of the wet season with or bringing thunder late October, which is kind of what’s going on in the Mac admin community at the moment. Jeremy and the rest of Apple are bringing Thunder coming soon and we’re excited. Good. Good Thunder. Yes,
Speaker 2 (00:03:04):
Good thunder. Yeah, I was going to say, after Worldwide Developers Conference this year we got on and we had kind of a debrief about everything that we heard about and I think that what we came to the conclusion of was that this was probably the most momentous occasion for certainly the most momentous WWDC in a decade and we’re thrilled that you could join us today. We want to kind of step through a bunch of changes that are coming with the release of new operating systems. And Marcus, I’m going to keep saying fall in my head. I’m going to try and grain that back
Speaker 4 (00:03:40):
In upcoming releases.
Speaker 2 (00:03:41):
We see how it goes. Upcoming releases. Exactly. That’s right. We
Speaker 3 (00:03:45):
Can’t even, sorry James that,
Speaker 2 (00:03:46):
But no, we can’t. I think we’re just going to have to dive right in and take it. But the first place that I want us to start talking about is probably the place where I’m the most excited, which is to say managed Apple IDs. And at first I have to do a little bit of a mea culpa. When I saw you last in the UK at MacAD.UK, we had a bit of a show on stage right after your talk, not right after, but a couple hours later and we had all drawn the wrong conclusion and it really seems like Apple has put a huge amount into managed Apple IDs this year. Can you tell us more about how managed Apple IDs are changing with the upcoming releases?
Speaker 4 (00:04:27):
Of course. Was it all of you or was it that Charles was wrong and then you all just sort of agreed
Speaker 2 (00:04:33):
With him? Oh no, Charles and I were very definitely both
Speaker 4 (00:04:36):
Wrong. Okay. He was the first one to say something and I thought maybe he just soured the note for everybody else. No, so yeah, so tons of stuff coming from managed Apple IDs and the way that I would break it down is sort of three different chapters. The first is lots of new features. The big one is iCloud Keychain. iCloud Keychain becomes the access to a whole bunch of other features. As you may know already on your personal Apple ID, if you don’t have iCloud Keychain turned on, there’s a lot of things that you don’t get access to. And so having that support for managed Apple ID means that we are able to unlock a whole bunch. And one of those is Passkey, which we can talk about more in a moment, but just lots of new features to really update the set of things that you can do with the managed Apple ID when we created them back in 2016, lots of different services that Apple didn’t even exist and so this was our way of bringing that up to par and there are certain things that continue to not be supported on a managed Apple ID like purchases for example.
Speaker 4 (00:05:54):
We don’t think it makes a ton of sense for you to be able to buy something on an account that you don’t own because the thing that you then bought, you don’t actually own, but you might think you do. And so there’s things like that. Health is another good example. We’re not going to sync health data to managed Apple IDs, but we looked at everything else and said, does it make sense? Does it not make sense? And we brought a ton of stuff forward, so we’re super excited about new features. The way of the world that we live in chapter two is new restrictions because when you add a bunch of new features, you have to make sure that everybody’s okay with all of those new features. And so we built a bunch of access management controls that allow for an organization who wants certain things with their managed Apple ID population, but certain things to be turned off to do exactly that.
Speaker 4 (00:06:46):
And so all of those new things that we added, you can go in and make sure that at an account level you can turn ’em off. In addition to that, beyond just the knobs for let’s say reminders or notes or storage, we’ve added something else that allows you to control where the managed Apple ID can actually be signed in on a device. So are you okay with that managed account being signed in an unmanaged location like the web? Are you okay with it but only if the device is managed or do you really have more stringent requirements and you say, no, this device has to be supervised and managed in order for my managed data that is associated with this managed account to sign in. And so that’s the access management feature set. It’s really deep or super excited about it. It’s actually in beta right now in Apple School Manager and Apple Business Manager for anybody that wants to turn it on.
Speaker 4 (00:07:47):
And we think it’s a really nice complement, like I said to all the features that we’ve added. The last one, which Tom you might say I saved the best for last is support for custom identity providers. So OpenID Connect, SCIM and the Shared Signals Framework are this trio of technologies that we’re supporting that allow for us to know about an account, know about the directory information associated with an account, and also update things about the account. Should your password need to be changed or your account goes away, we need some sort of signal or status channel to do the right thing on our side. And so those are the three things. It’s more identity providers, more features, more control, but overall it’s a huge step forward for managed Apple ID.
Speaker 2 (00:08:42):
And this feels like it’s almost as much an update not just to the core operating systems that we use every day, but to the management plane for those operating systems, which for a lot of things is Apple Business Manager and Apple School Manager. It’s really exciting to see those controls evolve and change and managed Apple IDs get to be more powerful in that regard.
Speaker 4 (00:09:05):
Absolutely, yeah. We took an approach a while ago of having managed Apple ID be something that was much more, Hey, it’s for this specific use case and if you like this specific use case, that’s great, but over time we started hearing more and more from customers that were like, oh, we want ’em to do this, we want ’em to do that, and we want to make sure that folks can do all of those things. So building these controls in means not only do we have the feature set, but we also have the controls that in case you want to be a little bit more customized, you can.
Speaker 2 (00:09:41):
And so for organizations that really want to take that next step towards federating their managed Apple IDs with OpenID Connect providers, you guys have partnered with Okta for the initial releases for this as we go into this release cycle and that will be available later this fall. Tom, you said it again.
Speaker 4 (00:10:02):
Yeah, wrong season. You did it again. You’re going to have to edit that out. No, so the functionality is really for everybody. We worked with Okta to make sure that all the different pieces made sense, but there’s no reason why anybody, maybe somebody could be right there at the same time as long as you support those different technologies because what we’re releasing, yeah, it’s fall or I’m not going to even try to say the name of the season, mess it up, but for Apple Business Manager and Apple School Manager on our side, that’s where that stuff’s going to show up pretty soon, but then it really just comes down to how quickly the identity provider community can do it. And Okta didn’t have access to anything special from a technology perspective other than they’ve known about it and they’ve been able to kind of start working on it. But at this point, if you already support those technologies or identity providers should be ready to go to,
Speaker 2 (00:11:06):
Fantastic. And we’ve been looking at it at JumpCloud since we started to talk about this and it’s really exciting to see the Shared Signals Framework get some love out there in the community. It’s not a fully ratified standard yet, and so it’s this conglomeration of publication subscription technologies, pub/sub, which allow you to kind of subscribe to each other’s activities, which is really, really exciting to secure those Apple IDs for the future. So really, really excited to see how that builds out and hopefully can get that push forward.
Speaker 4 (00:11:46):
Yeah, it was really one of the final missing pieces if we would’ve talked about this and we could tell you we were working on years ago, it would’ve been a completely different technology because they were kind of, as you said, lots of different options on the table and it sort of solidified enough that we felt like we could go forward with SSF, which I think at one point was called SSE, and so I have to correct myself in my head every time I talk about it, but no, yeah, we’re excited that all those pieces are put in place at this point.
Speaker 3 (00:12:20):
The part of that that I’m really excited about is that especially using a standard like OIDC is there’s really not going to be a barrier for any organization that’s using modern identity to be able to use this where there’s been so many perceived barriers to managed Apple IDs, whether it be functionality or identity federation, seeing all of those with these announcements effectively disappear means that it’s really just self-imposed resourcing restrictions getting in the way of organizations and with this functionality and some of the other things that are coming in, my feeling is even if you are not planning to use this functionality right away, you should probably start planning Federation as soon as possible so that you are ready for when you all of a sudden do want to start using this functionality.
Speaker 4 (00:13:17):
Yeah, just on that, it’s a good point. There’s two things I’d say. One is there’s probably somebody at Apple right now working on something that you’re going to want to use and odds are it’s going to need an Apple ID and so that’s why we’re investing so heavily in this is it allows us to ride the wave of all the cool things that people are doing around Apple that they’re just assuming you’re going to have an Apple ID and great, now you can because we have a managed account that has all the right pieces in place. And so then Marcus, to your point, even if you don’t want to give them out to all your people right now, federate, lock down your domain, protect your namespace, do all of that prep work when it’s sort of like you said there isn’t somebody saying, I need this tomorrow, and then when you’re ready you can hand out the managed IDs that already exist and everybody’s happy, but it allows you to break the pieces up in a way where it’s not as stressful of a rollout because like I said, some executive has come to you and said, I want to use feature X and I need a managed ID in order to do it.
Speaker 3 (00:14:27):
And Emily, you can probably discuss that one doesn’t simply federate managed Apple ID.
Speaker 2 (00:14:34):
I was going to say we got set up nicely there for Emily to tell us everything she has learned about how to federate with Apple ID.
Speaker 5 (00:14:41):
I will plug my session at this year’s Jamf Nation User Conference called How We BYO at Jamf, slash How We BYOD at Jamf. Nice. Where our senior identity and access management administrator Mitch Francis is going to talk about what it looks like to federate Apple Business Manager with Azure and have Okta kind of in the middle as an SSO provider in front of Azure, which is how we have our set up. Kind of to Jeremy’s point a little bit, I think there’s, this is going to be a strong word, a false equivalency between all of these features that are enabled with a managed Apple ID and federation. You can create managed Apple IDs that use this functionality without being federated is just a manual process of creating all of those Apple IDs yourself. The beauty of federation is you’ve got that unified experience with the identities that your employees use. That’s the, from an IT professional’s perspective, why you’d want it because it makes the overhead a little easier to handle, but you can go in, verify a domain, create managed Apple IDs, have some of this functionality available to you before federating, especially if you want to wait for an IdP to be ready to plug into Apple Business Manager or School Manager once we’ve got that functionality available to us in public release.
Speaker 5 (00:16:10):
But again, if you want to hear more about that, come check on our session. There’s also, I get the sense that people feel that it’s a bit amorphous. It’s really not. The platform deployment guide has a lot of details. There are great user facing KBs on the Apple support portal about what happens when an organization claims an Apple ID using a domain and what to look for and a lot of it is very well documented so you don’t feel like you have to go in not knowing what that experience is going to look like. There is a lot of good documentation out there. I just think what’s really exciting about what’s coming is that I think it’ll be easier for organizations to on-ramp into the federation piece and then you’ve got that consistent login experience that your employees know and trust as their single identity for not only the tools, the services and features and SaaS products that your organization uses for day-to-day operations, but also the Apple services that you’re using and the experiences that the new functionality for Managed Apple IDs is going to unlock. So again, come to our Jamf Nation User Conference session. We’re going to talk about it in depth. We’ll also have a brain date where you can come by and talk to my team about our experience doing that
Speaker 3 (00:17:28):
Stuff. So is Mitch looking forward to now that the initial federation, which at that point may have seemed like the Ultimate Federation was completed now going Azure, Okta, Apple Business Manager looking at going directly Okta Apple Business Manager
Speaker 4 (00:17:49):
Once that’s available,
Speaker 5 (00:17:51):
I don’t want to speculate too much on his behalf. We feel like we are very fortunate in that we have access to multiple business and school manager portals through acquisitions, through our partnership with Apple and testing and development that we do have a QA environment that’s federated with a test domain and we actually have other folks in other parts of the company that have this set up as well, so we can actually go through and see what does it look like to change the IdP behind the federation? Does that impact, we don’t really know yet. We’ve already contacted our Apple team and said, Hey, once we can plug into this, we’d like to, so we can do some testing and once it’s available for us to test, we will, and I’m sure you’ll hear about it from Jamf’s perspective about what that process is like.
Speaker 5 (00:18:35):
We’re just not really sure yet. I would hope the impact would be minimal. I don’t think there are a ton of organizations that have gone through the lengths that we have gone through with this quite yet because we want to go through what this is like so that we can talk about it to customers and enable them with the knowledge that we’ve gathered from our experience to make it a little easier to path the jam sessions and the webinars and whatever else to make it easier. I will say that the reason that we did it was for account driven user enrollment for iOS, for personal devices, our BYO program and it is hugely successful internally at Jamf. We have much more adoption of the BYO program now than we ever did with what we consider the deprecated personal device profile enrollment for personal devices and just the user privacy is so much better. Our management server, I don’t want to see any of your personal apps or data or whatever on your I don’t
Speaker 2 (00:19:41):
We want no part of that. I mean that’s exactly right.
Speaker 5 (00:19:43):
Yeah, it’s really from my experience, it’s kind of a slam dunk if you care about user privacy and data loss prevention and the other things you can do in combination of what’s built into the user enrollment spec and what you can do with a management framework on top of that copy paste restrictions and some of those other things that you can implement really feel like you’ve got a work phone in your personal phone and they are just separate things,
Speaker 2 (00:20:10):
Very different places,
Speaker 5 (00:20:11):
Very different things. Yeah, I
Speaker 4 (00:20:13):
Think user enrollment is going to benefit maybe the most, I’d have to think about whether I would say the most, but absolutely at the top of the list from the improvements of managed Apple IDs, we’ve had tons of folks come to us over the last two years as we’ve had user enrollment and say, we really want to do this, we really want to do it. We’ve looked at it, we’ve tried it. We have this one managed Apple ID thing that we need you to do. We have this other managed Apple ID thing we’ve needed you to do. And I think this year, I mean for all of the folks that I’ve chatted with over those years, we’re kind of checking the box on the pieces that they’ve been asking for, so it’s exciting to see.
Speaker 5 (00:20:54):
Yeah, and I think y’all talked a bit about iCloud Keychain before I hopped on a bit mid flow, but there was Ferraro and implementation pretty early on, a little confusion around folks who would just sign in with their primary Apple ID being their federated one and then losing some of those consumer features that an iCloud Keychain provides. So the fact that that first signed in Apple ID if it happens to be a federated managed Apple ID will get those consumer features is going to be very helpful for those enrollment situations, which is cool too. That was a big one for us. We’re very excited about that and I will say that I’m not going to talk any specifics obviously, but we’ve been filing a lot of feedback over the last year and a half or so that we’ve had a BYO program and Apple’s been very receptive to our feedback. They’ve been working on ways to implement at least parts of what we’re asking for and ways that make sense for their own, what I perceive as their vision for managed Apple IDs going into the future, which has been good too.
Speaker 2 (00:22:00):
So the way in which this is going to work for BYO environments is very, very interesting because you’re going to have in a lot of cases a primary managed Apple ID that is personal and a user enrolled Apple ID that is managed and the first one of those that enrolls ends up with an iCloud Keychain. Does that sound about right?
Speaker 4 (00:22:23):
Yeah, so let’s dive into that a little bit. You get to a state with both user enrollment and account driven device enrollment, which we should circle back on in a second. Yes, but either way you end up with your personal account in, we’ll just call it the primary location, which is the one that if you’re looking at your phone right now, it’s odds are it’s that top spot in settings and then you’ll end up with a second account, which is your managed account just in a nice little row right below that and whichever account is in that primary top slot has the full set of functionality and then in the secondary location, which is the managed location, you get a subset of that and that’s sort of the next frontier so to speak. That’s what we’ve been chipping away at each year. When we started with user enrollment in 2019, it was I think just notes and then we added files and so you had two notes accounts, then two files accounts, then we added reminders.
Speaker 4 (00:23:38):
This year we added support for sign in with Apple for both accounts, but we do not yet have support for keychain for both accounts simultaneously and a couple of other things as well. But as we think about the vision for it, the way that we want to approach this, obviously we want folks to have all the things and we’ve been chipping away, like I said, at as many of those as we can in any given year so that folks have all the features that they’d expect as though the device was signed in with that account in that primary slot at the top, which you can still get with an education. This is kind of the common use case where it’s one and only account signed in. If you have a dedicated device for work, it’s going to be the one and only managed Apple ID and in that case, yeah, iCloud Keychain all day, all the different things that we are talking about getting added in also work in that context, which is a lot of folks as well. And so it’s a slightly different story depending on whether or not you’re going down the multi account path or a single account. Awesome. Yep.
Speaker 3 (00:24:44):
This reminds me a lot of, especially with account driven user enrollment coming to macOS as well with people, I think back to the false equivalency that Emily was talking about before where organizations thinking that they can use BYOD Macs to onboard, for example, developers with their own machine to avoid having to pay for a machine for the developer, and this is going to be great for allowing people to have access to certain functionality and certain features and certain systems, but I think going down deep in those sorts of differences and the actual functionality of account driven user enrollment to understand whether maybe that is going to provide the security and user experience that you were hoping for, and that’s where to Emily’s point about the documentation in the platform deployment guide, reading through that and understanding if what you think is going to happen is expressed in a way that makes sense in that guide and testing it to see is this giving you what you want when it comes to things like keychains, containerization of applications, which things are containerized, which things are not containerized is really important to understand when you’re designing your deployment model around these new functionalities.
Speaker 5 (00:26:14):
Yeah. I will interject a little bit because I mean tactically user initiated enrollment can do those things. It can allow other non-institutional macOS devices, if you want to think about it that way, to enroll into a management server if you have things set up that way, right? Ideally you get close to that BYO model that we get through account driven user enrollment on iOS where your management framework, I’m not going to throw anybody under the bus here supports app config for macOS, which is a thing, but I don’t know if anyone’s actually implemented it yet. So that you have that just in time application of settings alongside an application in a work partition created on the device, which can happen right now on macOS through APFS. It’s just not something that a lot of vendors have really implemented yet. What the account driven device enrollment stuff adds to macOS is that you see the secondary managed Apple ID in settings and some of those things that kind of mimic that iOS behavior, but honestly I think a lot of it is Apple’s provided the framework, the management solutions out there need to implement more of it to make it viable for their organizations. For organizations, their customers. I say they’re organizations. I work at an MDM vendor, so to me they’re weren’t the same, but
Speaker 4 (00:27:41):
I think for us in that space, account driven, whether it’s a device enrollment or a user enrollment is a huge step forward in user experience and we’ve created a handful of different enrollment methods over the years. We found the one we really like and now it’s about bringing that to as many places as fast as possible. And so you look at where we will be when these operating systems ship across iPhone, iPad, and Mac, whether you want to do BYOD with user enrollment or you want to do an institutionally owned device with the device enrollment, all you have to do is tell your user, take this account. That by the way is probably federated, although I agree with you, it doesn’t have to be. I was just told so many times we won’t do this unless we can federate that. I sometimes block it out exactly,
Speaker 4 (00:28:37):
But it’s probably federated. So it’s take this account that you already know and love, sign in settings and everything’s going to be fine and you don’t have to worry about who owns what. Obviously it will have thought through all of those pieces to Marcus’s point, but we think consistency, so from a developer perspective, if you’re an MDM, it’s like Great Apple’s created a lot of flavors now they’ve picked the one that I’m going to invest really heavily in. So to your point, Emily, great now’s the time to do that because loud and clear, this is the one. And then from a user experience benefit, being able to go in both as an IT person but also as an MDM developer and say, Hey, we have this really cool way to do this. Everybody can get on board. So that’s the account driven device enrollment, user enrollment story across platforms. For us this year, it’s all about consistency and a great user experience.
Speaker 2 (00:29:33):
I think the thing that has attracted me so much to the account driven device management routine here, that process of signing in with your managed Apple ID and that’s all you need to do, your MDM is going to handle the rest of that for you, is that it almost provides an automated device enrollment like experience for the parts of the world where that just isn’t available yet. Yeah,
Speaker 4 (00:29:57):
I mean it also provides a very consumer grade experience in all the best ways. This is what they already did, especially if it’s BYOD, it’s what they did when they signed in with their iCloud account to set up their iPhone. It’s just another account. What’s the odds on them remembering their corporate credentials more than their personal account password? Do you think they’re going to know their Active Directory backed account more than their personal iCloud account password or is that just their friends and family that have to remember it
Speaker 3 (00:30:31):
Exactly. The workflows to do this signing on as well have been well thought out and well-built by Apple, so they’re intuitive for the end user. So not having to provide the 16 page PDF showing someone how to enroll their device or a link to a self-created video that maybe doesn’t get updated as often as the workflows you’ve created get updated, but just pointing to something and it just works, takes a lot of stress out of IT departments, especially small IT departments, trying to keep all of these pieces working together makes it a lot easier.
Speaker 4 (00:31:16):
Yeah, I mean the more that it’s Apple built system UI, the more it becomes product documentation as opposed to IT help desk documentation that has to be created and updated.
Speaker 2 (00:31:28):
Absolutely. One of the things that we glossed over in the midst of all of this is passkey and that passkey are now very viable solutions for creating identities within managed Apple IDs. How should we be thinking about the flexibility of passkey in this year’s releases?
Speaker 4 (00:31:52):
To me just and now you can do it too. I mean it is all the great things that we’ve said about Passkey. Even before we had the support for managed accounts, everybody was asking, oh, we’re trying to do this thing for passkey at work or for school, and we’d be like, well, just remember it works with personal accounts but not with a managed account yet. And so it was, yeah, absolutely go invest in that. If you’re an app developer support passkeys, you can do that now in terms of rolling out passkeys to your employees. For example though, it was sort of like, well, you’re going to have to wait a little bit. And so now it’s just go watch the last couple of years of passkey videos and just know this time around it all applies to because your managed Apple ID has iCloud Keychain, which means it can have passkey. That’s a really simple story is this is one of those huge benefits of the iCloud Keychain work is that this I would argue, revolutionary new way of doing things is now available really overnight.
Speaker 1 (00:32:59):
This week’s episode of the Mac Admins Podcast is also brought to you by Kolide. Our sponsor, Kolide has some big news. If you are an Okta user, they can get your entire fleet to a hundred percent compliance. How? If a device isn’t compliant, the user can’t log into your cloud apps until they’ve fixed the problem. It’s that simple. Kolide patches one of the major holes in zero trust architecture: device compliance. Without Kolide, IT struggles to solve basic problems like keeping everyone’s OS and browser up to date. Unsecured devices are logging into your company’s apps because there’s nothing to stop them. Kolide is the only device trust solution that enforces compliance as part of authentication and it’s built to work seamlessly with Okta. The moment Kolide’s agent detects a problem, it alerts the user and gives them instructions to fix it. If they don’t fix the problem within a set time, they’re blocked. Kolide’s method means fewer support tickets, less frustration, and most importantly, a hundred percent fleet compliance. Visit kolide.com/macadminspodcast to learn more or book a demo. That’s K-O-L-I-D-E.com/macadminspodcast. Thanks to Kolide for sponsoring this episode of the Mac Admins Podcast.
Speaker 2 (00:34:26):
Let’s turn the corner here and talk a little bit about declarative device management and software update. Yeah, this was the other music to the ears of Mac Admins everywhere, a piece of the keynote this year as well as all of the follow-on sessions. This is a big change for a lot of organizations. How should Mac Admins approach the concept of software update in declarative management?
Speaker 4 (00:34:53):
So before we dive into the software update piece of this, this is sort of the year that declarative doesn’t get its own special call out. It’s not a unique, here’s the advancements in DDM this year. It’s now the way that you do things. And so this is the perfect example of this new feature is possible because of DDM and it’s better because of DDM. And so it’s a little bit of starting in reverse because, but it’s just a great example of how DDM makes this better. The status channel of declarative plus what we’re doing with software update means that you can know with pretty great granularity around what’s the state of the device as it’s going through the software update process in a way that just otherwise with what we would call v1 of the MDM protocol just really wouldn’t have been possible.
Speaker 4 (00:36:01):
And if it was, it was going to be super chatty and a lot of back and forth between the device and the MDM server. So that’s one thing that’s exciting about the DDM tie-in, but just in terms of functionality, super excited to bring really the most requested piece of software update management, which is I want it to be on this version by this date to the protocol. The team went to great lengths to make this a really great experience, and I hope that folks see that and hopefully the folks that are benefiting from it as end users will never need to see it or appreciate it, but just know that there was a lot there. So things like local time, so if you want to set it to be done on a certain time in a certain place and you have people around the world, it’s going to happen at five o’clock wherever they are, not at five o’clock where you are, but at 9:00 AM right when they started their day where they are, and then just the amount of effort that went into the number of notifications, the UI of the notification so that the user’s never surprised, never in the middle of an important task, and this thing just all of a sudden quits everything on them.
Speaker 4 (00:37:28):
There’s a lot of new UI that goes in across iPhone, iPad and Mac to make this a really great experience for the end user.
Speaker 2 (00:37:37):
And this is an experience that has some, I think the best way to phrase it is it’s got some experience around it for the end user in those regards. When you get a deadline, it’s not just, Hey, the deadline’s here, we’re going to tell you, we’re going to tell you again. We’re going to tell you a third time. We’re going to tell you a lot more times than that. I was going to say in the 72 hours leading up to the deadline, there’s a whole series of alerts that come out to individual end users at that
Speaker 4 (00:38:05):
Point and they break through Do Not Disturb, which is great. All the right things in terms of, like I said, not surprising anybody that was really the principle behind this once. It was sort of like, okay, the feature set, we’re going to go tackle the thing that everybody’s been asking for. That’s great, but now let’s do it in a way that is really a great end user experience. And I’ll say from a product perspective, kind of building this stuff, it’s really fun when there is a lot more of that user experience to think it’s always great when we can add a bunch of configurations and things like that that don’t have a lot of UI, but have a big impact to the community. But to be able to have something that has much more of an end user impact and think through all those pieces, it makes it harder, but quite a bit more rewarding. So the team did, like I said, really cool work there.
Speaker 3 (00:38:59):
Something where there was maybe a little bit more psychology than engineering required to get this right.
Speaker 4 (00:39:09):
I mean a little bit, like I said, it was, I think, I don’t know if some of the people that were driving this, maybe this had happened to them where it was like I was giving a presentation once and my computer rebooted, but that’s just not something we wanted to do. And there are ways that this could have been done and much more bluntly, I guess I would say that would’ve been a little bit easier, but it was, like I said, it was fun to go a little bit deeper than we did.
Speaker 5 (00:39:43):
At a certain point you say, is this a technology challenge
Speaker 5 (00:39:51):
Or is this a person challenge? At the end of the day, most of us are doing this to help people use their technology, and you have to acknowledge that people are on the other end of the technology doing things and doing things for your organization and you don’t want to blow up their day. So yeah, the psychology, getting into the mindset of an end user who I always go in optimistically thinking, they’re not against updating their device, what they get frustrated by is being interrupted or being impeded to do their jobs. So this is a way to balance those things, which is
Speaker 3 (00:40:35):
Great. The update deadline isn’t the only deadline they’re dealing with when you are pushing it out.
Speaker 5 (00:40:41):
Speaker 4 (00:40:41):
That’s why it’s fun to be able to tie into some of these other things that we’ve built like install tonight and all these other things. So if you say not now and you’ve got a little bit of time, we can be opportunistic about doing it in a way that’s not going to disrupt you at all. You’re just going to lift up your lid the next day and it’s going to be done. And so it allows us to bring all the different pieces of the operating system that are at our disposal in solving the problem.
Speaker 2 (00:41:08):
So one of the other interesting things that’s new this year is service management, and you’re going to be able to manage key services via configuration in declarative, and it would be valuable to talk about how this helps folks.
Speaker 4 (00:41:23):
Yeah, no, there’s a ton of great stuff. So this is one of these things where we looked at the way that folks were doing this and it was basically because the protocol couldn’t do it. You would use either your MDM agent or you’d come up with some other tool that would allow you to push these things out, these configuration files down to the device, but then because of where they got installed, you’d just sit there and stare at ’em and see if they changed and if they changed, he’s like, oh, get the agent to change it back. And so there was this heavy burden on MDM developers, maybe a little bit of a burden on the system itself and just keeping an eye on all of this. And so by building another protocol, we can put it in this immutable location where somebody can’t go in and fiddle with it, and so therefore you don’t have to be looking for changes that what got pushed down stayed there.
Speaker 4 (00:42:23):
And we think it’s one of these things that allows for quite advanced and deep configuration that we know is happening on our systems to be done in a way that just becomes a lot more simple to manage, even if it’s sort of a hidden management that was happening, like, oh, you built it into the agent and it just did its thing, but it’s still, somebody’s got to maintain that agent and make sure it’s doing all the right stuff. And so that’s what this is all about for us is like I said, all that advanced stuff that folks do. And there’s a really incredibly deep, I mean, I remember having a conversation with gen folks many years ago about all of the depth that goes into all of that work. And so I know government folks are excited about it too. They use a lot of this as well. Being able to, like I said, have that in a way that just the protocol handles a lot more of it than it used to.
Speaker 3 (00:43:18):
And it also makes it so much easier for organizations going through the admin or standard user conundrum as well, where so many of the things people require admin rights for are actually ultimately fairly benign from a security point of view, much like the software updates, allowing people to do their actual job that they’ve been employed to do, whereas the reasons organizations are not wanting them to be an administrator are for things like this. And I love the fact that you use the word immutable, they’re controllable by the MDM, and it doesn’t matter if you’re an admin user, it’s going to stay configured this way and you can try as much as you want to bypass this and you’re not able to. So this is really exciting.
Speaker 5 (00:44:07):
watchOS management was another announcement that we got this year coming for watches that are paired with what institutional phones and the ability to pass down management to the watches and deploy to it. So there’s been a lot of interest in this from different types of organizations who use watches for their and provide them to employees. There’s been a lot of interesting projections around what that might look like for an organization and how they would leverage it. How would you recommend that people approach this new concept of device management for a watch? Maybe when the exec comes and says, Hey, it watch management, awesome, let’s do it. What do you want to share?
Speaker 4 (00:44:59):
It’s actually more straightforward than I think everybody might assume. I over the last few years as watch has continued to get more capable, adding new sensors, new capabilities, customers have started using it more and more at work. In some cases it’s sort of like a health and safety related thing. Hey, you’re climbing up on an electrical pole and fall detection would be really great to have information about. Or you’re going out into the field and you’re dealing with customers who maybe aren’t always thrilled to see you. You might have bad news. How can we use this as a way for you to actually check in a little bit more easily, more hands-free in a way that you’re not going to just leave in your truck when you get out to go knock on somebody’s door? And lots of other stuff like that where in some cases people are going beyond the built-in functionality and building a custom app that has an experience that drives some of these use cases.
Speaker 4 (00:46:08):
So that’s been happening for the last few years. And they came to us and they said, Hey, it’d be really great if we had ways to manage these things that we’re using. It would be really great for this standalone watch app if we had a way to install it on the device. By the way, that app needs to get access to our backend resources that are behind the firewall. So could we have VPN? And so that’s really what the support does. It lets you manage a watch that is paired with a managed phone. So you do it right when you’re pairing the watch to the phone, there’s a declaration going back to the whole DDM fun where you push it down to the phone that says, when a watch comes along, I want to manage that too. Then the phone and the watch becomes supervised and managed.
Speaker 4 (00:46:58):
You can do all the things that you’d expect in terms of managing that watch, including, like I said, pushing apps that might not have an iPhone companion to them because you built them just for the use case that you had in mind. And so it’s not about I want to take lots and lots of watches and pair ’em with a single phone is I have a person who has a phone, they have a watch that I gave them both of, and we have a use case that allows for hands-free to happen with the watch. They use the phone for what the phone does, and we think it’s a good step in the direction of expanding what watch can do.
Speaker 2 (00:47:40):
That’s really exciting. And I think that there’s a lot of use cases that are going to be discovered over the next few years as we start to get these into management as we start to really explore, kind of probe that front and see how that functions outside of the labs. So that’s going to be fun. We’re going to be keeping our eyes on that one. And if your organization is very interested in managing watches and you’re listening to this podcast, reach out. We’d love to talk with you because we’d love to highlight those kind of stories as we go into the future.
Speaker 4 (00:48:13):
It’s one of these things where you need a handful of customers to sort of take the leap and they prove it out. And then when I think when we bring something like device management to the watch, somebody who would’ve otherwise thought like, well, I can’t even go explore that use case. I can’t manage this thing. Now that barrier’s gone. So it’s a good momentum builder in a lot of ways. It’s definitely early. I agree, Tom, we’re going to see lots of cool stuff come down from this, but it’s exciting to add another platform to the management family
Speaker 3 (00:48:49):
Also for developers who are wanting to do things in a way that would not make sense when it’s a personal phone and a personal watch that they’re trying to do. There’s very much organizational management actually giving those app developers the frameworks to do it and to build their apps around it. So hey, if you’re an app developer that’s got some great ideas about what you could do with this, reach out. We’d love to hear what you are trying to do as well. So one of the other things that we saw in dub dub this year because there’s no more profile manager for us to talk about and get excited about functionality with was configurator. So configurator got access to shortcuts. So that’s an exciting development with some automation, some additional automation there for configurator. What sort of things should we be looking to do with these automations?
Speaker 4 (00:49:44):
What shouldn’t you be looking to do? That’s the question. That’s the beauty of shortcuts. I say that joking, but also quite serious. What’s exciting about Configurator coming to shortcuts is shortcuts can already do so much. And some of the things that we’ve played around with as we were building out the configurator specific components of this are taking those, adding them to some of the quite advanced things that shortcuts can already do as part of the workflow. So it’s, Hey, start with this oriented action, but then go over here to this website or this server and get access to certain information from the server. Come back with the answer to whatever you got from that server and take it to the next step of the process. And you can build some quite advanced workflows, especially in shift based work where we see configurator quite popular. We’ve made configurator really easy to use, which means that it’s tougher to do some of these more advanced things.
Speaker 4 (00:50:59):
And so this allows us to kind of open up that door to the more advanced things that you might want to be more automated, where it’s somebody ends their shifts, they connect back to that system, the action runs, and it’s ready for the next person in a way that really can only be done locally through a tether as opposed to another way where you could do that via MDM or maybe you tap into MDM at the same time. There’s just lots of flexibility when you start to, like I said, bring in everything else that shortcuts can do.
Speaker 3 (00:51:32):
So giving that granularity to that sort of bulk refresh and deployment where, for example, somebody can be assigned a shift and rather than needing to go and something swipe the cart when they start their shift to know which device they get. They may already be getting told when they’ve signed in that go grab device number 12, that’s the one that’s already been provisioned and set up. Maybe the walk from where they signed in to where the devices are is enough to actually do some of that provisioning. These are the sorts of things. I’ve been looking at this and thinking about all of the things that were currently challenges and problems to solve, and just realizing there’s a whole bunch of ways you can solve these problems by getting that granularity and automation into what seems like a fairly simple tool in Configurator, but it’s actually got quite a lot of power underneath it and what we can do with it. So a lot of these services that Configurator is going to be talking to probably have secrets. So how should we be protecting those secrets and handling that authentication when we’re using shortcuts?
Speaker 4 (00:52:51):
I mean, to me, this falls into the bucket of however you’re doing it today, that’s not the new part here. So don’t think about it as something of, oh, it’s a configurator specific answer. It’s just what would you do? What are the right best practices for getting access to information to protecting secrets, et cetera. And really what’s new is really specific features of Configurator can now be taken as individual components and used in a shortcuts workflow. That’s really the kind of distinction between the new and the already existing. And so in the already existing bucket, it’s like well-documented set of best practices around what they should do there. And I would continue to do those same things.
Speaker 3 (00:53:40):
So if you are somebody who uses configurator or is wanting to use configurator who hasn’t been looking at shortcuts, this is probably a sign that this is something you want to get familiar with and understand how they work and what’s out there for shortcuts.
Speaker 4 (00:53:54):
For sure. I
Speaker 5 (00:53:55):
Like the idea of maybe I’m the only person that likes this idea. I don’t know. I’ve been playing around a lot with widgets in the Sonoma beta widgets on the desktop, building out Configurator workflows with shortcuts, throwing it in a widget on your desktop and just being able to click it or something that I’ve blogged about. When you create shortcuts, you actually have an app bundle and you can run an app bundle through a button on a Stream Deck or another. You can just click a button, do things. Love that. That’s super exciting stuff. The dream of getting to Sal Soghoian level automation around macOS stuff comes from shortcuts now, right? Like what we can do to really smooth a lot of those workflows out through this
Speaker 2 (00:54:51):
Functionality. In fact that we have both widgets that are interactive on our desktops now, which is really, really exciting. I mean, I may or may not have built one using JumpCloud’s API to just lock a machine. And if you had a specific machine that maybe has a tendency to walk away, like the MacBook Air on my desk when my son comes home, Ben beats me home from school and then starts playing with it and there’s no, Nope. Wait, that one, that one’s one’s the test machine. Okay, he can go back to his other MacBook. But those are the kinds of things that you can really kind of build some interesting and new experiences with Configurator.
Speaker 3 (00:55:28):
So is Yucky brand Unix scripts maybe going to have to pivot into Yucky brand shortcuts and widgets, Tom?
Speaker 2 (00:55:36):
Oh man, I’m going to have to buy so many extra domains for Yucky brand. It’s going to be really rough, but
Speaker 5 (00:55:40):
You’re really good at prioritizing things now. So it’ll be fine. It’ll be great.
Speaker 2 (00:55:44):
I’ve learned a lot. I have learned a lot, and I think Yucky brand has a bright future and we’ll get there.
Speaker 2 (00:55:54):
Here at the Mac Admins Podcast, we want to say a special thank you to all of our Patreon backers. The following people are to be recognized for their incredible generosity. S Stu Bacca. Thank you, Adam Selby. Thank you. Nate Walk. Thank you. Michael S thank you, Rick Goody. Thank you Mike Boylan. You know it. Thank you. Melvin Vives. Thank you. Bill Stites. Thank you. Anoush d’Orville. Thank you. Jeffrey Compton, M. Marsh, Stu McDonald, Hamlin Krewson, Adam Burg. Thank you. AJ Potrebka. Thank you. James Stracey, Tim Perfitt of Twocanoes. Thank you, Nate Cinal, Will O’Neal, Seb Nash, the folks at Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, Will Smith and Weldon Dodd. Thank you all so much and remember that you can back us if you just head out to patreon.com/macadmpodcast. Thanks everybody. So we just talked a little bit about shortcuts and for our bonus question today, I think it’s fun for us all to talk a little bit about how we do things with shortcuts internally. What’s something that each of you have done with a shortcut that you’re proud of or excited by, or thought was a little bit nerdy or thought that might’ve just stretched you a little bit more than you would’ve expected? And Marcus, I’ll pick on you first. Does that seem reasonable? Yeah,
Speaker 3 (00:57:15):
Why not? Haven’t had a lot to do with shortcuts, but the one that I played around with was the cat is not able to trigger the motion sensors on the camera we’ve got in the living room for while we’re away. And so a shortcut change the settings of that camera so it’s streaming so we can see, oh yes, the cat is just sleeping on the couch, what they do, and then back off to motion detection. So that was my exciting functionality that was like, yeah, wow, this works. This would’ve been, I dunno if there would’ve been a way, unless I started getting into really scary APIs to be able to do that otherwise. But yeah, that was me. What about you, Emily?
Speaker 5 (00:58:07):
I know I mentioned before, I blogged about this a little bit. I’m not the first person to do this either, but I use a Stream Deck on my desk with the button, clicky button. I’m a very clicky button kind of person, and so I created some shortcuts for, I have a, hello, I have a goodbye for the end of the day, my hello will, open Outlook, open Slack, turn on my Nanoleaf panels on my wall, start playing some music, get me ready for my day. And all that’s tied. It’s a combination of plugins for the Stream Deck and then some shortcut automation that I’ve built and I can trigger by just opening the shortcut bundle that’s created when you build those workflows. And then the goodbye one is like the opposite side of it, right? Turns off the lights, turns off the music, closes applications, locks my screen for me to just make it really easy to hop in and out throughout the day. I also have what I call a Zoom prep. It’ll open Zoom, it’ll pause music, it’ll minimize some windows. It’ll make sure my camera’s on, it’ll turn my Nanoleaf panels to a color that I need to get better lighting for my calls. I just live on Zoom all day like everybody else. So yeah, I actually use shortcuts in conjunction with other stuff on my device a lot that I’m very proud of. I guess we’ll kick it over to Tom.
Speaker 2 (00:59:30):
Yeah, I’ve got a couple that I’ve been tinkering with for a while. When I was in the consulting land, I had a really great one in iOS that would figure out where I was, take my location information, set my direction, point for home, and then message my wife how long it would take for me to get home. That’s cool. So that it was kind of like the, and when Charlie got the Apple Watch, we added Charlie to that one. And so it kind of tells the whole family, Hey, I’m on the way home, and I use that one a fair bit. I’ve got another one that I’m working on that I haven’t gotten finished yet that I need to finish. I have a Pi-hole on my network. If you’ve ever used a Pi-hole, it’s a great way to intercept your DNS and maybe turn off some of those ad tracking sites that are all over the Internets these days. I found out that one of the Apple TV apps that we use, not a small amount, is for the CW. If you have the Pi-hole removing tracking, the CW app does not play video.
Speaker 3 (01:00:30):
Channel 10 in Australia does exactly the same thing.
Speaker 2 (01:00:35):
And so what I’m working on is a way to essentially say, alright, run the shortcut, set it to disable the Pi-hole, wait 60 seconds and then turn it back on again. And so that essentially, hey, I will let you track me for this one action to hit play and then it has to go away again. I’m struggling with some of the API documentation for the Pi-hole so that I can submit the right authorization request. And I’m struggling with that and it’s one of those copious free time projects. But in the meantime, I just have a web clip to the homepage of the Pi-hole on my phone. And so I do it that I do it the old fashioned way, like an animal. But Jeremy, how about you? What are you excited about for shortcuts these days? What’s your favorite shortcut?
Speaker 4 (01:01:23):
Yeah, mine is a very simple shortcut, but it is nerdy in a very Apple employee kind of way. I have three kids, but two with Apple watches because of course, and I said a very simple shortcut that basically when they’re walking to school each day prompts me to send them a message of have a great day. So that’s the simple thing, but it has the tie in to the fact that they both have Apple watches, which like I said, of course, of course they will. But yeah, no, I like the other one. It’s also just, I think the first one that everybody sets up is when I connect to my car, start this type of music or this podcast, you can’t go wrong there. Oh
Speaker 2 (01:02:18):
Yeah, that’s a great gateway. Drug for shortcuts is like set the mood. Exactly.
Speaker 3 (01:02:24):
Maybe we should build a Mac admins podcast shortcut. We can send to people that will
Speaker 2 (01:02:29):
Automatically start the pod when I get in the car. That’s good. Yeah, exactly. There you go. Yeah, so if you’re out there listening and you’ve got a great shortcut, I’d love to create a panel episode where we talk through the shortcuts. We’ve had just had a couple on HomeKit, we’ve had a couple over the years on a couple of other different topics. So if you’ve got a great application for shortcuts for a Mac admin, drop us a note. I’m just tom at mac admin’s podcast.com and you can send us a note and we’ll figure out how to get you on. We’ve
Speaker 3 (01:03:00):
Got Damien Kavanaugh coming on in a couple of weeks and he goes deep with shortcuts and home automation and self-automation and all sorts of things. So I think we’re going to learn some cool use cases we would never have thought of there.
Speaker 2 (01:03:18):
Well, Jeremy, thank you so much for joining us this week. It’s been a great pleasure to talk with you about all of the new things that we get to use this year. Thanks so much for joining us. Thank you for having me. It’s always fun. And thanks so much for our wonderful sponsors this week. That is our friends at Kandji and Kolide. And thanks everybody. We’ll see you next time.
Speaker 6 (01:03:40):
See you later.
Speaker 7 (01:03:58):
The Mac Admins Podcast is a production of Mac Admins Podcast LLC. Our producer is Tom Bridge. Our sound editor and mixing engineer is James Smith. Our theme music was produced by Adam Codega the first time he opened GarageBand. Sponsorship for the Mac Admins Podcast is provided by the MacAdmins.org Slack, where you can join thousands of Mac admins in a free Slack instance. Visit macadmins.org. And also by Technolutionary LLC. Technically, we can help. For more information about this podcast and other broadcasts like it, please visit podcast.macadmins.org. Since we’ve converted this podcast to APFS, the funny metadata joke is at the end.
The Mac Admins Podcast has launched a Patreon Campaign! Our named patrons this month include:
Rick Goody, Mike Boylan, Melvin Vives, William (Bill) Stites, Anoush d’Orville, Jeffrey Compton, M.Marsh, Hamlin Krewson, Adam Burg, A.J. Potrebka, James Stracey, Timothy Perfitt, Nate Cinal, William O’Neal, Sebastian Nash, Command Control Power, Stephen Weinstein, Chad Swarthout, Daniel MacLaughlin, Justin Holt, William Smith, and Weldon Dodd
Mac Admins Podcast Community Calendar, Sponsored by Watchman Monitoring
|XWorld||Melbourne, AUS||30-31 March 2023||TBA||TBA|
|Sydney Mac Admins||Level 6, 341 George St, Sydney||5:30pm 20th April 2023||Free|
|MacAdminsUA||MacPaw.Space||April 19 at 19:00||Free|
|London Apple Admins Pub||Online weekly (see #laa-pub in MacAdmins Slack for connection details), sometimes in-person||Most Thursdays at 17:00 BST (UTC+1), 19:00 BST when in-person||Free|
|#ANZMac Channel Happy Hour||Online (see #anzmac in MacAdmins Slack for connection details)||Thursdays 5 p.m. AEST||Free|
|#cascadia Channel Happy Hour||Online (see #cascadia channel in Mac Admins Slack)||Thursdays 4 p.m. PT (US)||Free|