iOS 11.3 Beta MDM improvements

From the Apple Release Notes:
Managed Software Updates

For any supervised iOS device, you can send an MDM restriction that prevents users from manually updating a device over-the-air for a specified time; users can still update their devices with Apple Configurator or iTunes if they have access. When you implement this restriction, the default delay is 30 days, and is triggered the moment Apple releases an iOS update. However, you can change the default number of days you prevent updates, anywhere from one to 90 days. Once the delay expires, users get a notification to update to the earliest version of iOS that was available when the delay was triggered.

You can test this feature by setting a delay on a device running iOS 11.3 beta 1. It will be honored by future beta releases of iOS 11.3. For more information about managing software updates, see the updated iOS Lifecycle Management guide in the AppleSeed for IT - iOS 11 Downloads tab.
USB Restricted Mode

To improve security, for a locked iOS device to communicate with USB accessories you must connect an accessory via lightning connector to the device while unlocked – or enter your device passcode while connected – at least once a week.

If you use iPod Accessory Protocol (iAP) USB accessories over the Lightning connector (such as charging and storage carts or assistive devices) or connect to a Mac/PC you may therefore need to periodically enter your passcode if you have a passcode set on your iPhone, iPad, or iPod Touch.

This mode can be managed on supervised devices using the new Restriction key allowUSBRestrictedMode. When that key is set to false you will never need to enter a passcode to connect to a USB accessory. Also, this mode is disabled on devices that are updated to iOS 11.3 if they are supervised but not enrolled in MDM.

Device Management Enhancements

You can now manage the following settings using the latest beta of Profile Manager or Apple Configurator. Contact your MDM vendor for information about supporting these features.

  • Delay the user’s ability to see and install iOS updates on supervised devices.
  • Specify an iOS update by version number when using the ScheduleOSUpdate command on supervised devices.
  • Prevent contacts in managed accounts from being used in unmanaged apps or accounts. (Contacts now obey existing managed data restrictions.)
  • Disable USB Restricted Mode on supervised devices.
  • Enable and disable Bluetooth on supervised devices (if Bluetooth settings are not restricted).
  • Determine whether an installed app has an update available, came from the App Store, is an Enterprise app, is a beta, and is assigned to the device instead of a user.
  • Arrange Web Clips with the Home Screen Layout payload.
  • Skip the Proximity Setup screen during initial setup after using the EraseDevice command.
  • Skip the Privacy screen during setup.
  • Require teacher permission for a student to leave an unmanaged class in Classroom.
  • Restrict the Remote app to connect to specified Apple TVs.
  • Re-install deleted system apps with the InstallApplication command.

Preventing the contacts from managed accounts to unmanaged apps sounds like a good solution to prevent e.g. WhatsApp from accessing business contacs. I hope it works as good as i imagine.

1 Like

I wonder how is that supposed to work. My best guess is that we are meant to use the Identifier parameter of the command to specify a system app id.

this is interesting. Has anyone tested it yet?

Which setting do you mean?

Our MDM hasn’t enabled these features yet. Once they do, I’ll let you know.

I found out that the restore system apps features is a bit strange. First, you may only restore apps that may be removed from the Home screen, which is logical enough. Those apps are listed here.

However, the InstallApplication command still fails for the following apps:

  • Weather
  • Voice memos
  • Stocks
  • Compass
  • Calculator
  • Watch

The error is The iTunes Store ID of the application could not be validated. - Could not validate app identifier. Tested in Beta 3 and I’m not sure if this is intended or a bug. I guess we’ll find out eventually.

Edit: Alright, the apps I listed above may only be installed on iPhone and iPod devices and my tests were on an iPad. Everything looks good.

I found this list of bundleIDs, maybe this helps
iOS system app bundleIDs

App Store -
Calculator -
Calendar -
Camera -
Clock -
Compass -
Contacts -
FaceTime -
Find Friends -
Find iPhone -
Game Center -
Health -
Home -
iBooks -
iTunes Store -
Mail -
Maps -
Messages -
Music -
News -
Notes -
Photos -
Podcasts -
Reminders -
Safari -
Stocks -
Tips -
Videos -
Voice Memos -
Wallet -
Watch -
Weather -

Looking through iOS 11.3 MDM spec

Device will provide some additional flags when queried for applications with InstalledApplicationList

Query Reply Type Comment
AppStoreVendable Boolean If true, the app came from the store and can participate in store features.Availability: Available in iOS 11.3 and later.
DeviceBasedVPP Boolean If true, the app is distributed to the device without requiring an Apple ID. Availability: Available in iOS 11.3 and later.
BetaApp Boolean If true, the app is part of the Beta program. Availability: Available in iOS 11.3 and later.
AdHocCodeSigned Boolean If true, the app is ad-hoc code signed. Availability: Available in iOS 11.3 and later.
HasUpdateAvailable Boolean If true, the app has an update available. This key will only be present for App Store apps. On macOS, this key will only be present for VPP apps. Availability: Available in iOS 11.3 and later and in macOS 10.13.4 and later.