WWDC26 for IT: Apple Device Management Goes Fully Declarative

At WWDC26 on June 8, 2026, Apple published its annual "What's new for enterprise" deployment guide alongside the keynote. For IT teams, this year's message is unambiguous: the OS 27 generation (iOS 27, iPadOS 27, macOS 27, tvOS 27, visionOS 27, watchOS 27) is when declarative device management (DDM) stops being optional. Several legacy MDM mechanisms don't just get deprecated — they stop working.

This article summarizes the five areas Apple covered — Apple services, device management, app management, identity integration, and education — and closes with a checklist of what to do before OS 27 ships this fall.


1. Apple Services: Apple Business Matures

  • Apple Business platform — the unified platform that merged Apple Business Manager, Business Essentials, and Business Connect (launched April 2026) is now Apple's anchor for enterprise services, available in 200+ countries with Admin APIs for automating device, inventory, and assignment workflows. We covered it in depth in our Apple Business article.
  • Volume purchasing for app subscriptions — Apple Business and Apple School Manager can now license auto-renewing app subscriptions and assign them to users (not devices) through device management. This finally gives IT a sanctioned way to centrally purchase subscription-based apps.
  • Richer device details for MDM — with X-Server-Protocol-Version 10, the GetDeviceDetails endpoint returns Wi-Fi and Bluetooth MAC addresses, EID / IMEI / MEID for cellular devices, and replacement status; a new GetReplacementDetails endpoint reports original and replacement serial numbers with timestamps — useful for asset systems that track repairs and swaps.

2. Device Management: the Big One

Network settings go declarative

Seven new DDM configurations bring the entire network stack under declarative management: VPN plugins, IKEv2, IPsec, Always On VPN, DNS proxy, encrypted DNS, and network relays (com.apple.configuration.network.*). The practical win: credentials ship as separate declarative assets instead of being baked into profiles, so certificates can be renewed automatically and reused across configurations without re-pushing entire profiles.

Stricter TLS for management traffic

On OS 27 devices, everything touching device management — enrollment, profiles, app installation, software updates — must use TLS 1.2 or later with cipher suites and certificates that meet the new App Transport Security (ATS) requirements. If you run an on-premises MDM, SCEP service, or internal distribution server, audit its certificate chain now.
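To turn that requirement into a repeatable check before the upgrade, here is an added Python audit script (example code written for this article, not Apple's or Jamf's tooling). ats_findings() evaluates one observed handshake against the ATS rules Apple has published for some years (TLS 1.2 or later, ECDHE forward-secrecy suites on TLS 1.2, SHA-256 or stronger certificate signatures, RSA keys of at least 2048 bits or EC keys of at least 256 bits); the page itself only states "TLS 1.2 or later", so treat those thresholds as assumptions to confirm against Apple's current documentation. probe() collects protocol and cipher from a live endpoint with the standard library; Python's ssl module does not expose the certificate's key size or signature hash, so the constructed sample observations carry those fields by hand, and a real audit would fill them from the DER certificate with a library such as cryptography. All hostnames are made up.

```python
import socket
import ssl
from dataclasses import dataclass

# Thresholds assumed from Apple's published ATS requirements (confirm against current docs).
MIN_TLS = ssl.TLSVersion.TLSv1_2
MIN_RSA_BITS = 2048
MIN_EC_BITS = 256
ALLOWED_SIG_HASHES = {"sha256", "sha384", "sha512"}

_PROTOCOLS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


@dataclass
class TlsObservation:
    """One endpoint as seen by a client: filled by probe() or constructed by hand."""
    host: str
    protocol: str = ""         # OpenSSL name, e.g. "TLSv1.2"
    cipher: str = ""           # OpenSSL cipher name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    sig_hash: str = ""         # leaf certificate signature hash, e.g. "sha256" (from DER parsing)
    key_type: str = ""         # "RSA" or "EC" (from DER parsing)
    key_bits: int = 0
    handshake_error: str = ""  # set when no TLS 1.2+ handshake succeeded


def ats_findings(obs):
    """Return the ATS violations for one observation; an empty list means compliant."""
    if obs.handshake_error:
        return [f"no TLS 1.2+ handshake with a standard client: {obs.handshake_error}"]
    findings = []
    version = _PROTOCOLS.get(obs.protocol)
    if version is None or version < MIN_TLS:
        findings.append(f"protocol {obs.protocol or 'unknown'} is below TLS 1.2")
    # TLS 1.3 suites are forward secret by construction; below that, ATS requires ECDHE key exchange.
    if version is not None and version < ssl.TLSVersion.TLSv1_3 and not obs.cipher.startswith("ECDHE-"):
        findings.append(f"cipher {obs.cipher} has no forward secrecy (ECDHE required)")
    if obs.sig_hash and obs.sig_hash.lower() not in ALLOWED_SIG_HASHES:
        findings.append(f"certificate signed with {obs.sig_hash}; SHA-256 or stronger required")
    key_type = obs.key_type.upper()
    if key_type == "RSA" and obs.key_bits < MIN_RSA_BITS:
        findings.append(f"RSA key of {obs.key_bits} bits; at least {MIN_RSA_BITS} required")
    elif key_type == "EC" and obs.key_bits < MIN_EC_BITS:
        findings.append(f"EC key of {obs.key_bits} bits; at least {MIN_EC_BITS} required")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with a live endpoint the way a modern client would (TLS 1.2+ only)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher_name, _proto, _bits = tls.cipher()
                return TlsObservation(host=host, protocol=tls.version(), cipher=cipher_name)
    except (ssl.SSLError, OSError) as exc:
        return TlsObservation(host=host, handshake_error=str(exc))


def audit(observations):
    """Map each host to its findings; hosts with an empty list pass."""
    return {obs.host: ats_findings(obs) for obs in observations}


# Constructed sample observations (hostnames and values are made up for the example).
SAMPLE_OBSERVATIONS = [
    TlsObservation("mdm.example.com", "TLSv1.3", "TLS_AES_128_GCM_SHA256", "sha256", "EC", 256),
    TlsObservation("scep.example.com", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "sha256", "RSA", 2048),
    TlsObservation("legacy-dist.example.com", "TLSv1.1", "AES256-SHA", "sha1", "RSA", 1024),
    TlsObservation("old-dist.example.com", handshake_error="[SSL: UNSUPPORTED_PROTOCOL]"),
]

if __name__ == "__main__":
    import sys
    # With hostnames on the command line the script probes them live; otherwise it audits the samples.
    observations = [probe(h) for h in sys.argv[1:]] or SAMPLE_OBSERVATIONS
    for host, findings in audit(observations).items():
        print(("PASS " if not findings else "FAIL ") + host)
        for finding in findings:
            print("    - " + finding)
```

Run it against every host in the enrollment, SCEP, profile, app-distribution and update path; a server that fails the handshake with a default client context is the same failure an OS 27 device would see.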

Legacy software update management is removed

This is the hardest cutover: on all 27.0 releases, the legacy MDM software update commands, queries, deferrals, and recommended-cadence settings no longer function. Organizations still managing updates the old way must move to declarative software update enforcement before upgrading.
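As an added illustration of the declarative model behind both the network-settings change and the update cutover (example code written for this article, not Apple's, Jamf's or the author's), the following Python builds a small declaration set and shows why separate assets matter. It uses the published declaration envelope (Type, Identifier, ServerToken, Payload), the real com.apple.configuration.softwareupdate.enforcement.specific configuration and com.apple.activation.simple activation, and the declaration-items structure a device fetches on each sync. The network configuration type suffix and the key that references the certificate asset are placeholders, since the page names only the com.apple.configuration.network.* family; the asset's Reference keys follow my reading of Apple's asset schema and should be checked against the current declarations documentation. Identifiers, URLs and the build number are constructed.

```python
import hashlib
import json


def server_token(payload):
    """Derive a ServerToken from content. DDM only requires the token to change whenever
    the declaration changes, so a hash of the canonical JSON is a simple, stable choice."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()[:32]


def declaration(decl_type, identifier, payload):
    """The DDM envelope every declaration shares: Type, Identifier, ServerToken, Payload."""
    return {"Type": decl_type, "Identifier": identifier,
            "ServerToken": server_token(payload), "Payload": payload}


def software_update_enforcement(identifier, target_os, deadline_local, details_url=None, build=None):
    """Declarative replacement for legacy update commands and deferrals: the device must be on
    target_os by deadline_local (ISO 8601 local time without timezone, as Apple's schema specifies)."""
    payload = {"TargetOSVersion": target_os, "TargetLocalDateTime": deadline_local}
    if build:
        payload["TargetBuildVersion"] = build
    if details_url:
        payload["DetailsURL"] = details_url
    return declaration("com.apple.configuration.softwareupdate.enforcement.specific", identifier, payload)


def certificate_asset(identifier, data_url):
    """A certificate delivered as its own asset (Reference keys as I read Apple's asset schema; verify)."""
    payload = {"Reference": {"DataURL": data_url, "ContentType": "application/x-x509-ca-cert"}}
    return declaration("com.apple.asset.credential.certificate", identifier, payload)


def network_config(identifier, asset_identifier):
    """Placeholder network configuration: the page names only the com.apple.configuration.network.*
    family, so the type suffix and the asset-reference key used here are hypothetical."""
    payload = {"CertificateAssetReference": asset_identifier}
    return declaration("com.apple.configuration.network.example-vpn", identifier, payload)


def activation(identifier, config_identifiers):
    """An activation is what actually applies configurations to the device."""
    return declaration("com.apple.activation.simple", identifier,
                       {"StandardConfigurations": list(config_identifiers)})


_BUCKETS = {"activation": "Activations", "configuration": "Configurations",
            "asset": "Assets", "management": "Management"}


def declaration_items(decls):
    """The declaration-items response: identifiers and tokens only, grouped by kind, plus one
    DeclarationsToken the device compares on each sync to decide whether anything changed."""
    groups = {name: [] for name in _BUCKETS.values()}
    for d in decls:
        kind = d["Type"].split(".")[2]  # com.apple.<kind>.<rest>
        groups[_BUCKETS[kind]].append({"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]})
    return {"Declarations": groups, "DeclarationsToken": server_token(groups)}


def changed_declarations(old_items, new_items):
    """Identifiers whose ServerToken differs: the only declarations a device re-fetches after a sync."""
    def flatten(items):
        return {e["Identifier"]: e["ServerToken"]
                for entries in items["Declarations"].values() for e in entries}
    old, new = flatten(old_items), flatten(new_items)
    return sorted(ident for ident, token in new.items() if old.get(ident) != token)


def build_set(ca_url):
    """One baseline: a CA asset, a VPN config that references it, an OS 27 deadline, and the
    activation that applies both configurations. All identifiers and URLs are constructed."""
    return [
        certificate_asset("asset.vpn-ca", ca_url),
        network_config("config.vpn-corp", "asset.vpn-ca"),
        software_update_enforcement("config.update-os27", "27.0", "2026-10-15T09:00:00",
                                    details_url="https://it.example.com/os27"),
        activation("activation.baseline", ["config.vpn-corp", "config.update-os27"]),
    ]


# Renewing the CA certificate changes the asset's DataURL (and therefore its token) only:
# the configuration that references the asset and the activation keep their tokens.
ITEMS_BEFORE = declaration_items(build_set("https://mdm.example.com/assets/vpn-ca-2026.pem"))
ITEMS_AFTER = declaration_items(build_set("https://mdm.example.com/assets/vpn-ca-2027.pem"))
RENEWAL_DELTA = changed_declarations(ITEMS_BEFORE, ITEMS_AFTER)

if __name__ == "__main__":
    print(json.dumps(build_set("https://mdm.example.com/assets/vpn-ca-2026.pem")[2], indent=2))
    print("declarations re-fetched after certificate renewal:", RENEWAL_DELTA)
```

The RENEWAL_DELTA result contains only the asset identifier: that is the page's "practical win" in concrete terms, since a certificate rotation no longer re-pushes the configuration that uses it.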

Other notable changes

  • Legacy profiles as declarative assets — existing configuration profiles can be delivered through DDM via ProfileAssetReference, easing the migration path.
  • Better status reporting — new status items report enrollment type, Shared iPad status, APNs details, Lockdown Mode status, and hardware health (baseband, camera, Face ID / Touch ID, NFC, Ultra Wideband) on iPhone and iPad.
  • AppleCare log collection — new MDM commands remotely trigger diagnostic log collection, with logs uploaded straight into an AppleCare support ticket.
  • Backups no longer carry MDM state — on iOS 27, iPadOS 27, and visionOS 27, restoring a backup no longer restores device management enrollment; devices in Apple Business / Apple School Manager automatically re-enroll through Automated Device Enrollment. Repair and replacement workflows get simpler and safer.
  • Return to Service improvements — automatic enrollment retry, language / region pre-configuration, user initiation from Control Center, automatic launch after a Shared iPad session timeout, and the ability to force a minimum OS version during re-enrollment.
  • Content caching managed via DDM — macOS 27 brings content caching under declarative configuration with rich status reporting (storage, cache pressure, parents and peers) and optional JSON status POSTs to a custom HTTPS endpoint. The legacy com.apple.AssetCache.managed profile is deprecated.
  • Apple Intelligence, Siri, and keyboard controls — declarative configurations (from OS 26.4) govern Genmoji, Image Playground, Writing Tools, external intelligence providers, Siri behavior, and keyboard features like predictive text and auto-correction.

3. App Management

  • App and binary launch control — iOS 27, iPadOS 27, tvOS 27, and visionOS 27 gain AllowedApps / DeniedApps lists by bundle ID; macOS 27 gains AllowedBinaries / DeniedBinaries using CD Hash and Team ID, plus AlwaysAllowManagedApps to automatically trust managed apps.
  • Consolidated privacy prompts — a single permission dialog can cover multiple permissions, showing the organization name and justification. IT can preset defaults for Accessibility, Bluetooth, Camera, Microphone, Location, Local Network, and more — and Safari camera / microphone permissions can be preset per domain, including wildcard domains.
  • ManagedApp framework on macOS 27 — app configurations and hardware-bound identities deploy securely via com.apple.configuration.app.managed, replacing legacy MDM app configuration commands.
  • App Attest on macOS 27 — hardware-backed keys in the Secure Enclave let backend services verify that requests come from a legitimate, unmodified app.
  • Intel transition reality check — macOS 26 is the final release with full Intel support, followed by three years of security updates. OS 27 fleets are Apple silicon fleets.

4. Identity Integration

  • Extensible SSO / Platform SSO via DDM — com.apple.configuration.extensible-sso brings SSO settings into declarative management on iOS 27, iPadOS 27, macOS 27, and visionOS 27.
  • Web-based authentication for Platform SSO — macOS 27 can render the IdP's actual sign-in page at the login window, Lock Screen, and FileVault unlock, including multi-step flows and QR code sign-in — enabling phishing-resistant, passwordless flows at the earliest authentication point. The feature is rounded out by URL allow lists (FQDNs only, no wildcards), offline grace periods, optional password sync, and the option to require Touch ID.
  • Network access from the login window — supervised macOS 27 Macs can allow Wi-Fi switching and captive portal authentication directly from the login window (ForceCaptivePortalConnectionFromLockScreen) — a long-standing pain point for laptops on guest and venue networks.
  • Authenticated Guest Mode — FileVault now supports IdP-authenticated temporary users on shared Macs, and Shared iPad is gaining temporary sessions authenticated by Managed Apple Accounts.
  • Microsoft Graph API — Mail, Calendar, Contacts, Notes, and Reminders move from Exchange Web Services (EWS) to the Graph API in macOS 27, with declarative configuration — important for Microsoft 365 environments, since Microsoft is retiring EWS.
  • Shared Signals Framework 1.0 — Apple's IdP synchronization now aligns with the ratified OpenID Shared Signals Framework specification.
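The "FQDN, no wildcards" rule for the Platform SSO URL allow list is worth modelling, because the obvious shortcut, suffix matching on the hostname, is exactly the behaviour such a rule exists to prevent: a lookalike host that merely ends in the IdP's name must not pass. The Python below is an added example of that matching logic written for this article; it is not Apple's implementation and assumes nothing about how macOS stores or evaluates the list. Hostnames are constructed.

```python
from urllib.parse import urlsplit


class AllowListError(ValueError):
    """Raised for an entry that is not a plain FQDN."""


def normalize_fqdn(entry):
    """Accept a bare hostname only: no scheme, path, port, whitespace or wildcard label."""
    host = entry.strip().lower().rstrip(".")
    if not host or any(ch in host for ch in "*/:@ "):
        raise AllowListError(f"not a plain FQDN: {entry!r}")
    labels = host.split(".")
    if len(labels) < 2 or any(not label or len(label) > 63 for label in labels):
        raise AllowListError(f"malformed hostname: {entry!r}")
    return host


def build_allow_list(entries):
    """Normalize every entry up front so a bad entry fails at configuration time, not at login."""
    return frozenset(normalize_fqdn(e) for e in entries)


def is_allowed(url, allow_list):
    """True only for an https URL whose host is exactly one of the allowed FQDNs.

    Exact set membership (not endswith) means neither a subdomain nor a lookalike suffix
    such as login.example.com.attacker.test matches, and urlsplit().hostname drops any
    userinfo so login.example.com@attacker.test resolves to attacker.test."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return parts.hostname.lower().rstrip(".") in allow_list


# Constructed allow list for a fictional IdP.
IDP_ALLOW_LIST = build_allow_list(["login.example.com", "Idp.Example.COM."])

if __name__ == "__main__":
    for candidate in [
        "https://login.example.com/authorize?client_id=mac",
        "https://sso.login.example.com/",
        "https://login.example.com.attacker.test/",
        "https://login.example.com@attacker.test/",
        "http://login.example.com/",
    ]:
        print(("allow " if is_allowed(candidate, IDP_ALLOW_LIST) else "deny  ") + candidate)
```

The practical consequence for administrators is that every host the IdP redirects through during a multi-step flow (MFA pages, consent pages, QR sign-in endpoints) needs its own entry, because no wildcard can cover them.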

5. Education

  • Guided Browsing / Lock to URL — Classroom on iPadOS 27 and macOS 27 can lock student devices to instructor-specified websites in a full-screen guided browser, with content filtering and accessibility intact.
  • Multi-App Mode — lock student devices to a set of approved apps, modifiable mid-session.
  • Assessment Mode on macOS 27 — a standardized-testing environment with system-level control over the Dock, Menu Bar, and pre-checks.

What to Do Before OS 27 Ships

  1. Audit legacy software update management — if your MDM workflows still use the old update commands or deferral restrictions, they will stop working on 27.0. Move to declarative software update enforcement first.
  2. Verify TLS / ATS compliance — check certificate chains and cipher suites on every server involved in enrollment, profile delivery, app distribution, and updates.
  3. Plan the DDM migration — network configurations (VPN, DNS, relays), app configuration, and SSO are all declarative now; ProfileAssetReference gives you a bridge for legacy profiles, but a bridge is not a destination.
  4. Review repair / replacement workflows — backup restores no longer carry MDM enrollment; confirm your devices are in Apple Business / Apple School Manager so Automated Device Enrollment picks them up.
  5. Inventory Intel Macs — macOS 26 is the last full Intel release. Budget replacement cycles accordingly.
  6. Evaluate Platform SSO web authentication — if your IdP roadmap includes passwordless or phishing-resistant authentication, macOS 27's login window integration is the piece that was missing.

How KlickKlack Can Help

KlickKlack is the only partner worldwide holding all three Jamf certifications — Elite Partner, MSP, and MSSP — with years of Apple device management deployments across semiconductor, electronics manufacturing, finance, government, and education.

  • OS 27 readiness assessment — auditing your current MDM setup for legacy mechanisms that break on 27.0
  • DDM migration planning — moving profiles, network settings, software update enforcement, and app configuration to declarative management
  • Platform SSO design — integrating web-based authentication with Microsoft Entra ID, Okta, Google Workspace, or your IdP
  • Apple Business + Jamf architecture — combining Apple's free baseline with enterprise-grade control where it matters

Further reading: Apple MDM Complete Guide · Apple Business Is Live

Contact KlickKlack for a free consultation on your OS 27 readiness.

