
What’s new in Apple platform deployment
New deployment and device management features for iPhone, iPad, Mac, Apple TV, Apple Watch, and Apple Vision Pro devices include updates for the following operating systems (or earlier):
iOS 18.5
iPadOS 18.5
macOS 15.5
tvOS 18.5
watchOS 11.5
visionOS 2.5
Note: This isn’t a comprehensive list of all new and changed content in Apple Platform Deployment. For a more complete list, see the document revision history.
You can participate in testing these features using beta versions of the operating systems by signing up for AppleSeed for IT. For more information, see the AppleSeed for IT portal.
For more information, see the WWDC25 video What’s new in device management.
Apple School Manager and Apple Business Manager APIs
Apple School Manager and Apple Business Manager support APIs for organizations to automate device management tasks. For example, organizations can use those APIs to integrate with procurement and asset systems.
Users with the roles of Administrator and Site Manager (Apple School Manager only) can create API accounts that apps can use to access organization data and perform device management tasks.
The APIs support the following endpoints:
List of Device Management Services
List All Devices
Get Device Information
Get Device Management Service Information for a Device
Get All Devices Assigned to Device Management Service
Assign or Unassign Devices from Device Management Service
Get Batch Action Activity Status
For more information, see:
Apple School and Business Manager APIs on the Apple Developer website
Create an API account in the Apple School Manager User Guide
Create an API account in the Apple Business Manager User Guide
Device management migration
A device management service is an essential component to remotely manage and secure Apple devices. Organization-owned devices can automatically enroll in a device management service as part of the Setup Assistant process after unboxing the device, powering it on, and connecting it to a network. The current reenrollment of organization-owned devices in another device management service requires a full erase of the device or a complex manual process.
For more information, see Migrate managed devices to another device management service.
Network relay hostnames
On devices with iOS 18.4, iPadOS 18.4, macOS 15.4, tvOS 18.4, visionOS 2.4, or later, the network relay configuration com.apple.relay.managed supports FQDNs (hostnames) in addition to domain-based rules. This adds flexibility to control which traffic routes through the relay. The following options are available:
If your organization specifies MatchDomains, excluded FQDNs need to be subdomains of those domains to take effect.
If your organization doesn’t specify MatchDomains or FQDNs, all traffic (except excluded domains) goes through the relay.
Organizations can also exclude FQDNs. Exact matches bypass the relay.
For more information, see Use network relays.
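The rules above decide, per destination host, whether traffic is sent through the relay or bypasses it. The following Python model is an added illustration, not Apple’s implementation and not from the page: it applies the described precedence (exact FQDN exclusions and excluded domains bypass the relay; with no MatchDomains or FQDNs everything else is relayed; otherwise only matching domains or FQDNs are relayed) and includes a lint check that flags excluded FQDNs which fall outside every MatchDomain and therefore change nothing. The field names, hostnames and rule sets are constructed for the example.

```python
"""Model of managed-relay routing decisions (added illustration, not Apple's code).

Useful for sanity-checking a rule set before deploying it: which hosts go
through the relay, which bypass it, and which exclusions are ineffective.
"""
from dataclasses import dataclass, field


def _norm(host: str) -> str:
    """Lower-case a hostname and strip a trailing dot so comparisons are stable."""
    return host.lower().strip().rstrip(".")


def _in_domain(host: str, domain: str) -> bool:
    """True when host equals the domain or is a subdomain of it."""
    h, d = _norm(host), _norm(domain).lstrip(".")
    return h == d or h.endswith("." + d)


@dataclass
class RelayRules:
    # Field names are assumptions chosen to mirror the page's MatchDomains wording.
    match_domains: list[str] = field(default_factory=list)
    match_fqdns: list[str] = field(default_factory=list)
    excluded_domains: list[str] = field(default_factory=list)
    excluded_fqdns: list[str] = field(default_factory=list)

    def uses_relay(self, host: str) -> bool:
        """Decide whether traffic to `host` is routed through the relay."""
        h = _norm(host)
        # Exclusions win: an exact FQDN match or an excluded domain bypasses the relay.
        if any(h == _norm(f) for f in self.excluded_fqdns):
            return False
        if any(_in_domain(h, d) for d in self.excluded_domains):
            return False
        # No match rules at all: everything not excluded goes through the relay.
        if not self.match_domains and not self.match_fqdns:
            return True
        # Otherwise only hosts covered by a match rule are relayed.
        if any(h == _norm(f) for f in self.match_fqdns):
            return True
        return any(_in_domain(h, d) for d in self.match_domains)

    def ineffective_exclusions(self) -> list[str]:
        """Excluded FQDNs that are not subdomains of any MatchDomain.

        When MatchDomains is set, such hosts were never relayed, so the
        exclusion has no effect; this is the case the page warns about.
        """
        if not self.match_domains:
            return []
        return [
            f for f in self.excluded_fqdns
            if not any(_in_domain(f, d) for d in self.match_domains)
        ]


# Constructed rule sets for a quick self-check.
SCOPED = RelayRules(
    match_domains=["example.com"],
    excluded_fqdns=["intranet.example.com", "public.example.net"],
)
CATCH_ALL = RelayRules(excluded_domains=["example.org"])


if __name__ == "__main__":
    for host in ["www.example.com", "intranet.example.com", "public.example.net"]:
        print(f"scoped   {host:25} relay={SCOPED.uses_relay(host)}")
    print("ineffective exclusions:", SCOPED.ineffective_exclusions())
    for host in ["anything.test", "a.example.org"]:
        print(f"catchall {host:25} relay={CATCH_ALL.uses_relay(host)}")
```

Run the file directly to see the routing decision for each constructed host; `ineffective_exclusions()` is the check worth running on a real rule set, since an excluded FQDN outside every MatchDomain silently does nothing.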
EnrollmentSSO and required app
EnrollmentSSO allows a dedicated identity app to handle authentication during device enrollment. This enables secure, single sign-on access to organizational resources using the organization’s identity provider (IdP) and removes repeating authentication prompts.
As part of the enrollment process, the required app automatically installs and a device management service enforces it. Users can’t delete it, ensuring critical apps—like a device management service’s employee self-service app—always install when enrolling or reenrolling the device.
On devices with iOS 18.4, iPadOS 18.4, visionOS 2.4, or later, account-driven enrollments support the ability to configure both of the following, which allows for more flexible deployment scenarios:
Authenticate using EnrollmentSSO
Install a required app
For more information, see Enrollment Single Sign-on for iPhone, iPad, and Apple Vision Pro.
Desktop and Documents syncing using File Provider extensions
Users appreciate the ease of use of iCloud Desktop and Documents, which keeps their Desktop and Documents folders on Mac synchronized and accessible from any device. In an organizational setting, they may be using other cloud storage solutions. If the cloud storage solution integrates with the File Provider extension, the same seamless user experience and functionality is available to users.
On a Mac with macOS 15.2 or later, organizations can use the com.apple.fileproviderd configuration to control which File Provider extensions to use:
For Desktop and Documents folder synchronization
With the internal storage volume or also external volumes
Automatic reboot
Automatic Reboot is a security mechanism introduced in iOS 18.1 and iPadOS 18.1 that leverages the Secure Enclave to monitor device unlock events. If a device remains locked for a prolonged period, it automatically reboots, transitioning from an After First Unlock state to a Before First Unlock state. During the reboot, the device purges sensitive security keys and transient data from memory.
For additional control, iOS 18.4 and iPadOS 18.4 introduced the IdleRebootAllowed setting to allow device management administrators to enable or disable Automatic Reboot. With this setting, administrators can programmatically enable or disable Automatic Reboot behavior to align with organizational security protocols and operational requirements.
Note: Automatic Reboot is disabled by default on supervised devices.
Although Automatic Reboot enhances security, it can inadvertently cause devices to lose their Wi-Fi connection upon reboot. This loss of connectivity may disrupt device management service operations, especially in environments where persistent network access is critical.
For more information, see Device management command settings options list.
Configuring Managed Apps
Organizations often need to customize the user experience of an app according to their specific needs or even for a particular group of users.
On devices with iOS 18.4, iPadOS 18.4, visionOS 2.4, or later, organizations can deploy app-specific configurations and secrets (like passwords, certificates, and identities) in a secure way to Managed Apps that adopt the ManagedApp framework. This allows organizations to customize the behavior of an app, streamline the user experience, and strengthen security with the com.apple.configuration.app.managed configuration. Examples include:
Preconfigure a Managed App or app extension for a specific device or user.
Use automatically provisioned identities for authentication and signing.
Securely receive API access tokens.
Acquire certificates for custom trust (pinning certificates).
Use hardware-bound keys and Managed Device Attestation for strong device authentication.
For more information, see the ManagedApp framework on the Apple Developer website.
Platform Single Sign-On attestation
On a Mac with macOS 15.4 or later, a Platform SSO extension on a supervised Mac can request an attestation with the AllowDeviceIdentifiersInAttestation configuration key to get strong assurance about device identifiers (UDID and serial number).
For more information, see Platform Single Sign-on for macOS.