📱 All the New MDM Features from Apple’s WWDC25
Apple's WWDC25 unveiled a massive slate of upgrades to Mobile Device Management (MDM), showcasing a vision centered around declarative management, automation, and streamlined identity. Here's a partial breakdown of everything new for IT administrators with Apple environments.
🔧 1. Apple Business & School Manager Gets Smarter
- Managed Apple Accounts: A new downloadable report lists personal Apple IDs linked to your domain, helping you steer users toward official managed accounts.
- Block Personal Apple IDs: IT can now block personal IDs during Setup Assistant—even without MDM configuration.
- ABM/ASM APIs: New APIs allow you to:
- Retrieve device inventories
- Reassign devices to different MDM servers
- Check enrollment statuses
- Vision Pro Enrollment Support: Use Apple Configurator to enroll Vision Pro. Pairing via iPhone is now available.
- Server Migration Tool: Migrate devices between MDM servers without wiping them. Set migration deadlines with fallback auto-migration if users don’t act.
🛠 2. Declarative Device Management (DDM)
- Expanded Support: DDM now supports:
- Software updates for iOS, iPadOS, macOS, tvOS, visionOS
- Vision Pro
- New Update Controls: Define update cadence, defer periods, and enforce deadlines—all handled on-device. Traditional commands are deprecated.
🌐 3. Safari & Network Management
- Safari Configuration via DDM:
- Push bookmarks
- Set default homepages
- Managed Network Relays: Now support FQDN-based traffic routing for more control over network traffic in enterprise setups.
🔁 4. Return to Service (Shared Devices)
- Preserve Managed Apps: Erase iPads, iPhones, or Vision Pro for reuse without wiping managed apps.
- Vision Pro Support: Control Center includes “Reset for Next User” to streamline shared use cases.
📦 5. Smarter App Management
- Per‑App Deployment Controls:
- Pin versions
- Block cellular downloads
- Monitor install/update status
- macOS App Distribution:
- Deploy apps/packages declaratively on macOS Tahoe
- Create self-service catalogs with the new
ManagedAppDistribution
framework
🛂 6. Identity & Access Enhancements
- Setup Assistant SSO:
- During ADE on macOS Tahoe, you can configure Platform SSO and link to Managed Apple ID before login.
- Tap‑to‑Login / Authenticated Guest Mode:
- Use iPhone, Apple Watch, or NFC badge to unlock shared Macs.
- All data is wiped after logout—ideal for labs and shift-based workers.
🔄 7. Migrating Devices to a New MDM Without Re-enrolling
For the first time, Apple lets you move devices between MDM servers without wiping or re-enrolling them. This is ideal during MDM vendor transitions or domain restructures and something I will personally test heavily when it is available. Will be very interesting to see how it work in practice.
🔑 Key Features:
- No Factory Reset Required: Devices retain all data and apps.
- Deadline Control: Set a grace period before automatic migration.
- Cross‑platform Support: Works across iPhone, iPad, Mac, Apple TV, and Vision Pro.
- ABM/ASM Interface: Reassignment done via Apple Business/School Manager.
🧭 Step-by-Step:
- In ABM/ASM, navigate to Devices > Assign to Server
- Select the new MDM server
- Set the migration window
- Devices will prompt users (or auto-migrate after the deadline)
🖼 Example Screenshots:
Above: Device selection screen in Apple Business Manager
Above: New server assignment view via Apple Configurator (visionOS example)
💡 Why It Matters
Benefit | How It Helps |
---|---|
Scalability | Declarative model means less MDM traffic and higher reliability |
Efficiency | Faster deployment, shared device prep, and app control |
Security | Tighter control over identity, accounts, and update timelines |
User Experience | More seamless onboarding, shared use, and app management |
🧠 TL;DR: Apple MDM in 2025
- ✅ Vision Pro fully supported
- ✅ Seamless device-to-server migration
- ✅ Declarative control over Safari, apps, and updates
- ✅ Identity-first onboarding and access
- ✅ Shared device workflows—reimagined