League of Champions Q3-2024 Q&A
Following our recent League of Champions Q3-2024 session, we reviewed the questions and answers shared by our community of Addigy Champions. Below are the key takeaways from the Q&A, providing insights and practical guidance on the challenges and solutions discussed during the event.
OKTA Platform SSO Integration & Addigy Identity
- Question: Will Platform SSO use the OKTA Platform SSO service or Addigy Identity? (Where the OKTA identity works rather than needing to have OKTA API services.)
- Answer: Both are going to be paths forward. We have been working with Okta and testing the Platform SSO integration (the profile payload and new WWDC24 keys are all live in Addigy today). What is unclear is the exact pricing structure from Okta on what is needed to enable Platform SSO on their end.
- Question: Where can I find directions for setting up device identity in Okta for Addigy?
- Answer: How to Configure Okta with Identity
Shared iPads & Okta Verify
- Question: Is there a different option to allow multiple users on an iPad? How isolated is each user on the iPad? Could I use a shared iPad to run Okta Verify? We have a group of users who need a shared device.
- Answer: The only path for multiple sandboxed users on an iPad is Shared iPad. See Shared iPad overview from Apple and this Addigy Shared iPads article. The Okta Verify part should be confirmed with Okta, but if the Okta Verify app runs like Microsoft Authenticator, it would be able to have a unique session for each user on the Shared iPad.
Okta Workflow
- Question: What Okta license is required to use Okta Workflow with Addigy?
- Answer: It’s best to confirm with Okta. You will need this feature: Okta Workflows
Suppressing Legacy Screen Prompts
- Question: Do we know yet if we will have a way to suppress the periodic security permission notifications being introduced in Sequoia for screen recording?
- Answer: Sequoia prompts for vendors using legacy screen capture methods cannot be suppressed. This is an intended process by Apple. Please reach out to the vendor to make sure they are updating their tool to use the new Apple method. We have reached out to Splashtop, and they have attested that they will have a new version that supports Sequoia and the previous OS versions for the Sequoia release. See: Splashtop Streamer – Additional Permission Popup in macOS 15 devices.
- Question: Do we know if a standard user will need to enter any credentials after clicking on “Continue To Allow?”
- Answer: These questions may be better answered in the AppleSeed Private Beta channel, and if you want to join there, let us know, and we can guide you through the process, but rumor is on the latest beta, as of yesterday/today, it’s now available on a monthly cadence. However, regarding your specific question, I haven’t seen the need to enter any credentials, as it would still require the PPPC permission approval, which does require admin privileges or an MDM Profile to allow a standard user to share their screen.
Self Service for iOS and iPadOS
- Question: Is Self Service customizable on a policy level?
- Answer: Yes, it is customizable at a policy level, just like Self Service for macOS.
- Question: Does the iOS Self Service app have the ability to deploy profiles?
- Answer: It is just apps for now.
- Question: Is Self Service only for Supervised devices, or can it also be used for unsupervised and BYOD devices?
- Answer: It should be supported in both, as we simply need to deploy the app and a managed app configuration. The managed app deployment is what allows this for the unsupervised device. For BYOD, I am not sure off the top of my head. We will have to confirm.
tvOS and iOS Updates
- Question: Do iOS updates relate to tvOS as well?
- Answer: We have a tvOS Updates section in the System Updates Tab. The only thing that does NOT apply is the DDM OS updates. Apple does not yet support DDM OS Updates on tvOS. tvOS does get OS updates via MDM. Also, the new WWDC 24 profile keys that were talked about: some do apply to tvOS, but not all.
Splashtop SOS for iOS and iPadOS
- Question: What if we have a Splashtop license outside of Addigy?
- Answer: You can still use the Addigy version included in your subscription. It’s important to note that there have been some issues with having multiple Splashtops on macOS devices, so we recommend using the Addigy version only. If your iOS devices already have Splashtop SOS, you don’t need to re-install the end-user application.
- Question: If the iPhone is set up with Addigy for MDM, can I remote into it with this new feature?
- Answer: Yes, but it is view-only, as Apple does not allow for enterprise remote control on iOS.
- Question: If we already have Splashtop (for our Windows users), can we use the existing license natively in Addigy?
- Answer: If you have Addigy Splashtop Enabled, you can launch a session directly from the console, as we provide the licensing. For iOS devices, you must ensure the Splashtop SOS mobile app is installed on the iOS device. You can deploy that automatically using Addigy’s Apple Apps integration.
- Question: Does Splashtop Remote work for Windows-to-iPhone remote sessions?
- Answer: Splashtop SOS will launch a remote session to an iOS device, and it will leverage the admin’s local Splashtop Viewer, the same one used for Splashtop sessions to macOS.
Who is my Customer Service Manager (CSM)
- Question: How do we find out who our CSM is?
- Answer: This article explains where in the platform you can find your CSM: Customer Success Manager Information in Help Center
New WWDC MDM Keys and Apple Intelligence
- Question: Where will the MDM keys mentioned during the presentation be published?
- Answer: The new WWDC 24 keys have already been released in the product in a few spots: Restrictions, VPN, Security & Privacy, and see links below. We’re also adding these keys in other places like Automated Device Enrollment (coming very soon) so that the users will not be prompted during an ADE to enable it. And we will be posting a blog summary soon.
SCEP cloud-based certificate authority (CA)
- Question: If you are an M365 shop, you can create a SCEP cloud-based certificate authority (CA) and store things in Azure Key Vault. I love it: https://www.scepman.com/.
- Answer: This is great!! Thank you for sharing this!!
Future Improvements to Flex Policies
- Question: Are there plans for any quality of life improvements for flex policies? For example:
- Show a list of configured assets on the policy summary page
- Show policy names, not numbers, in rules (hover to see rule number?)
- Complex rule builder (arbitrary and/or combinations with brackets)
- Answer: We’ve had conversations around these enhancements, are aware of the issues, and have them documented to work on. However, we don’t have a timeline on when they will ship. I would love to learn more about what you want to achieve with the complex rule builder. Please email [email protected] with that information.
Directory Based Management
- Question: Are there any plans to introduce some form of directory-based management via a synchronized IDP or directory service? E.g., flex policy rules that trigger from user/device group memberships in the linked directory service that respond to changes in group membership in real-time.
- Answer: Yes, this is still in the early days of discovery, but it’s coming. If you’d like to share your use cases for this feature and how you intend to use it, please contact [email protected], and we can chat more!
- Question: As a precursor to complete directory-based management, would it be possible for Addigy Identity to pull a list of a user’s group memberships along with the other user details currently collected? Is the user information collected via Addigy Identity updated regularly? If not, can it be?
- Answer: We already do this for Azure and Google Identity! The user attributes get saved as Device Facts, and you can build Flex Policies based on them. Your CSM can help you get rolling with that if you contact them.
- Question: I’m wondering if it’s possible to add a list of group memberships to the current attributes collected, perhaps as a single Device Fact containing a comma-separated list of the group names. Maybe a second Device Fact contains a comma-separated list of group IDs, too. We could then use the “Contains” option in Flex Policies to assign policy membership based on the contents of these new facts. This would be a stop-gap until the full directory-based management features are introduced.
- Answer: I put in a feature request for this suggestion so the appropriate team can see this feedback. Thank you for the use case!
- Question: Will ‘get device info by email’ only return currently logged-in sessions or any previous ones the user was on?
- Answer: If you have Addigy Identity attributes, it will log the users who access the device, and you can use those in other places in the platform. e.g., Flex Policies, etc.
- Question: Do Addigy Identity attributes increase dependency on Okta services, preventing users from logging in if Okta is unreachable/down?
- Answer: You can determine how you want to configure Addigy Identity, allowing them to log in locally using the Identity Screen or revert to the local login window so they can access the device when they cannot connect to the internet. However, you could force them to use Okta every time, and then they would need access to the internet.
Compliance Benchmarks
- Question: When can we expect NIST to remediate?
- Answer: We are working on rolling that out in the next 1-2 months. As a friendly reminder, it’s not recommended to apply the whole NIST 800 baseline. These baselines are meant to be rule catalogs (NIST 800, CMMC) and are not intended to be applied with all the rules. CIS Level 1 is a great starting point, and you can build from there.
- Question: The new DISA/CMMC benchmarks — will those work with the latest compliance report export feature?
- Answer: Yes — and with Conditional Access!
- Question: If you turn off CIS rules, they are not removed on the devices with the benchmarks installed.
- Answer: This is how all Apple MDM Profiles, Configurations, and Settings work. Unless a command is sent to explicitly change it back, settings remain, and the restriction is removed (allowing them to be changed).
- Question: With compliance rules and other profiles, is there a way to see/edit where there are conflicts? I see conflict warnings, but the current hunt is a real challenge.
- Answer: We agree the current hunt is challenging, and there isn’t always a straightforward way to identify conflicts. We encourage reviewing the benchmarks and removing any duplicate settings or existing configurations in favor of the compliance engine frameworks (e.g., CIS L1/DISA/etc.). We are exploring how to identify conflicts more easily!
Addigy Assist [Future Feature]
- Question: Excited for Addigy Assist – does that mean we can scope scripts to this that should only run once per user account?
- Answer: I don’t believe this would specifically add that, but maybe we can quantify this more? Addigy Assist would allow you to show specific processes running during first-time install.
- Question: Will Addigy Assist complete or walk a user through the Azure/Entra requirement to “Register Only” for the device to support compliance and Conditional Access?
- Answer: Unanswered
TempAdmin via Self Service
- Question: When is TempAdmin coming? I am very interested.
- Answer: We tentatively aim for it to be out in late September. Of course, things can change, but that’s the current timeline!
- Question: For the TempAdmin, will this have to be enabled by an Admin, or will it also be available as a Self Service option?
- Answer: Initially, it will only be available in the Admin Console. Please contact [email protected] for more information on when it will be available in Self Service.
Set Static Fields via a Script
- Question: Is it possible, or will it be possible in the future, to set Static Fields via a script running on the device? E.g., until the Addigy LAPS solution is available, it would be useful to store the random password generated on a device by a LAPS script in a Static Field for this device.
- Answer: There might be something we can do with API v2 Static Field endpoints and deploying an API key as a secret. But I need to dig into it a bit more before I can confirm this. It might be too frail of an implementation.
Device Enrollment
- Question: Are there any plans for a web page for manual device enrollment, rather than having to distribute a file or download URL (that can be flagged as dangerous by browsers in some circumstances)?
- Answer: Please submit a feature request to [email protected]! Great Idea!
Apple Passwords App
- Question: Does anyone know if the upcoming Apple Passwords app will be manageable with Managed Apple Accounts?
- Answer: Good question. We don’t know. You will be able to install and remove the app using the Addigy Apps & Books integration. Beyond that, we will have to wait and see!
Summary
We’re committed to continuously evolving our solutions to meet the demands of modern IT environments. As we move forward, our focus remains on refining the Addigy platform to ensure it provides the flexibility, security, and efficiency required to support diverse Apple device ecosystems. If you have additional questions or feedback, please send them to [email protected].
If you’re new to Addigy, we invite you to Schedule a Demo or start a Free Trial.