Every year, WWDC gives us a window into where Apple is heading with enterprise device management. This year's session on Apple device management didn't just introduce new features. It drew a line in the sand. Declarative management, once described as "the future," is now officially the standard. And for IT teams managing Apple fleets, that shift carries real consequences.
We watched the full session so you don't have to. Below is a clear-eyed breakdown of every major announcement, what each one actually means for your day-to-day operations, and how SureMDM is positioned to help you take full advantage from day one.
Declarative Management: Done Debating, Time to Deploy
For a few years, Apple has been saying declarative management is where things are headed. This year, Apple engineer Cyrus Daboo made it official: "The standard for device management is declarative management."
What does that mean in practice? Declarative management moves the intelligence from the server to the device. Instead of a server repeatedly polling devices for status, devices monitor their own state and report changes automatically. The result: less server load, faster responses to configuration drift, and a fundamentally more scalable architecture — especially as fleets grow into the thousands.
If your MDM solution is still relying on legacy MDM commands for most of its heavy lifting, you're carrying technical debt. The new features Apple announced this year are all built on the declarative model. And SureMDM has been building alongside this shift — so when these capabilities land in devices, your workflows won't skip a beat.
What's New — Feature by Feature
Apple Business Expands to 200+ Countries
Apple Business is now a single, unified platform combining zero-touch deployment, Managed Apple Accounts, and built-in device management — and it's now available in over 200 countries and regions. New APIs let organisations automate blueprint creation, user management, app licence tracking, and audit events. For global enterprises and growing businesses alike, this dramatically lowers the barrier to a well-managed Apple fleet from day one.
Volume Licensing for App Subscriptions
IT administrators can now purchase and manage app subscriptions in bulk through Apple Business Manager and Apple School Manager, using the same workflows already in place for app distribution. No more juggling individual accounts or manual renewals. Subscription-based apps now sit under the same managed umbrella as one-time purchases — a big win for organisations rolling out productivity suites at scale.
Managed Migration for New Macs
Switching a user to a new Mac has always been a friction point — balancing data migration with maintaining enrollment and management settings. macOS 27 solves this with a new managed migration feature. IT administrators deploy a declarative configuration right after enrollment to control exactly what gets migrated: accounts, files, security settings. There is no more backing up data and then setting everything up again on the new machine; a simple update and the new MacBook is ready. Migration Assistant reports status through the declarative channel, so IT can monitor progress fleet-wide. The user simply clicks Continue. Clean, controlled, and trackable.
Granular Controls for Apple Intelligence and Siri
Following initial configurations added in the 26.4 releases, Apple is now giving IT administrators granular control over individual Apple Intelligence and Siri features. This matters for regulated industries — healthcare, finance, government — where AI-assisted workflows need to be scoped carefully. IT admins have the flexibility to allow or block individual Apple Intelligence features based on their requirements.
Smarter Credential Management
Managing certificates and credentials across large configuration profiles has long been clunky. The declarative model's many-to-many relationship changes this: one credential asset can be referenced by multiple configurations. When a certificate needs renewal, the server updates a single asset and every configuration that uses it is updated automatically across the fleet. Less manual effort, fewer mistakes, and a much cleaner credential lifecycle.
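The many-to-many relationship described above, modelled as an added example (not Apple's or SureMDM's code): renewing one credential asset changes a single declaration's revision token, while every configuration that references the asset is picked up for re-application. The declaration type strings, the "...AssetReference" key convention and the token scheme are assumptions for illustration; identifiers and URLs are constructed.

```python
import copy, hashlib, json

# Constructed declarations. Type strings and the "...AssetReference" key
# convention are assumptions; identifiers and URLs are made up.
DECLS = {
    "asset.root-ca": {"Type": "com.apple.asset.credential.certificate",
        "Payload": {"Reference": {"DataURL": "https://mdm.example.com/ca-2025.der"}}},
    "config.trust": {"Type": "com.apple.configuration.security.certificate",
        "Payload": {"CredentialAssetReference": "asset.root-ca"}},
    "config.vpn": {"Type": "example.configuration.vpn",  # hypothetical type
        "Payload": {"Server": {"TrustAssetReference": "asset.root-ca"}}},
    "config.passcode": {"Type": "com.apple.configuration.passcode.settings",
        "Payload": {"MinimumLength": 8}},
}

def server_token(decl):
    """Revision token: changes whenever the declaration's content changes."""
    blob = json.dumps(decl, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()[:12]

def asset_refs(node):
    """Yield every asset identifier referenced anywhere in a payload."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith("AssetReference") and isinstance(value, str):
                yield value
            else:
                yield from asset_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from asset_refs(item)

def dependents(decls, asset_id):
    """Configurations that must be re-applied when asset_id changes."""
    return sorted(i for i, d in decls.items()
                  if asset_id in asset_refs(d["Payload"]))

def dangling(decls):
    """References to assets the server no longer publishes."""
    return sorted((i, r) for i, d in decls.items()
                  for r in asset_refs(d["Payload"]) if r not in decls)

def rotate(decls, asset_id, new_url):
    """Renew one asset; return (new set, declarations re-sent, configs re-applied)."""
    after = copy.deepcopy(decls)
    after[asset_id]["Payload"]["Reference"]["DataURL"] = new_url
    resent = sorted(i for i in decls
                    if server_token(decls[i]) != server_token(after[i]))
    return after, resent, dependents(after, asset_id)
```

Running dangling() before retiring an asset shows which configurations would be left pointing at a credential that no longer exists.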
Expanded Status Reporting — Including Device Health
Apple added a rich set of new declarative status items in iOS, iPadOS, and macOS 27, covering enrollment type, push tokens, Lockdown Mode status, Shared iPad state, and more. The headline addition is device system health monitoring. iOS and iPadOS 27 can now report on hardware component health — baseband, camera, Face ID, Touch ID — directly through the device management status channel. IT teams get a live, comprehensive view of hardware health across the entire fleet, so they can act before issues become outages.
Content Caching Gets Declarative Controls
Content Caching — which stores software updates, apps, and Apple Intelligence content locally to reduce bandwidth — can now be managed via declarative configurations on macOS 27. New status items let IT monitor the health of each caching server in the fleet. And caching servers can now push reports directly to any HTTPS endpoint, enabling richer integrations with existing monitoring dashboards.
Declarative App Configuration Comes to macOS
Declarative app configuration — which enables secure, credential-aware provisioning of managed apps including hardware-bound keys and Managed Device Attestation — was previously limited to iOS, iPadOS, and visionOS. It's now coming to macOS 27 Golden Gate. Enterprise apps can be provisioned and authenticated more securely than ever, with support for authenticating extensions with enterprise services. A meaningful step forward for macOS in enterprise environments.
Cleaner Package Removal on macOS
When a declarative package configuration is removed, macOS 27 can now automatically remove all files and directories that came with it. No more leftover data cluttering devices after software is decommissioned — which matters for storage hygiene, compliance, and keeping device baselines clean.
Consolidated Privacy Consent for Apps and Websites
Repeated privacy prompts — for camera, microphone, location — are a daily annoyance for many enterprise users and often lead to hasty dismissals that leave apps misconfigured. iOS, iPadOS, and macOS 27 introduce a new consolidated privacy consent prompt that surfaces all required permissions at once when an app is first launched or a website first opens in Safari. IT administrators provide a justification string, the Allow button is clearly highlighted as the default, and users get the full picture in one moment. Fewer interruptions, better outcomes.
Binary Execution Controls for macOS
Organisations with compliance requirements need control over exactly which software runs on their machines. macOS 27 introduces declarative binary execution controls, using the Endpoint Security framework to allow or deny binary execution based on code signing properties. You can also automatically allow any managed app without creating individual rules. Unauthorised processes are shut down.
This directly supports compliance with frameworks such as NIST SP 800-53 (SI-7 Software and Information Integrity) and ISO/IEC 27001:2022 (A.8.9 Configuration management). It is also commonly implemented to meet PCI DSS malware restrictions and Cyber Resilience Act (CRA) firmware integrity standards — making this feature particularly valuable for teams in healthcare, finance, defence, and government. Compliance teams will breathe easier.
Legacy Software Update Commands Removed
As announced last year, all legacy software update management commands have been fully removed across iOS, iPadOS, and macOS 27 — including update commands and queries, cadence settings, and restrictions like deferrals and Background Security Improvements. The replacement is declarative software update management, which gives IT teams more precise control over update enforcement while keeping end users informed throughout the process.
IT-Triggered Log Collection for AppleCare
When something goes wrong and AppleCare support is involved, collecting the right diagnostic logs has traditionally required user intervention. In iOS, iPadOS, tvOS, and macOS 27, IT administrators can now remotely trigger enhanced log collection on organisation-owned devices using the new TriggerEnhancedLogCollection command. Declarative status lets IT monitor the collection process. Support escalations just got a lot faster.
Identity Is Getting a Major Upgrade on macOS
Platform Single Sign-On on macOS has been evolving fast, and macOS 27 takes it further with two significant additions.
First, IT administrators can now require Touch ID as a second factor at login, screen unlock, and FileVault unlock — not just offer it as an option. It's the most secure and convenient way for users to authenticate, and making it mandatory closes a real gap in the security posture of enterprise Macs.
Second, macOS 27 introduces a web-based authentication option for Platform SSO. A secure web view renders directly in the login window, supporting any modern authentication flow — one-time codes, push notifications, QR codes for password-free sign-in, and more. The web view is tightly controlled by the OS. When QR scanning is used, the camera operates in a fully isolated system process, and the webpage never receives camera feed data — only the decoded result. This opens up deep customisation for enterprises: localised sign-in pages, accessibility-optimised flows, conditional prompting, and seamless integration with existing identity infrastructure.
For shared environments like healthcare or retail, Authenticated Guest Mode now also works on FileVault-protected Macs — so a nurse moving between shared devices gets full disk encryption protection without any extra setup needed from IT.
Education: Shared iPad and Guided Browsing
Authenticated Guest Mode is also coming to Shared iPad. Users sign in with their Managed Apple Account to a temporary session — with full SSO support — and when they sign out, all local data is automatically removed. Storage is shared flexibly with the system rather than divided into hard per-user quotas, which means more usable space on each device.
The Classroom app gets a new guided browsing feature, letting teachers lock students to specific websites or even a single tab. Teachers can control navigation within and between sites, manage camera and microphone access, and apply settings to one student or the whole class at once. Students see the right content. Teachers stay in control. It's a simple, powerful addition that addresses a very real classroom management challenge.
"Each WWDC, Apple keeps closing the gap between what IT teams need and what the platform natively supports. These announcements — from hardware health reporting to binary execution controls to web-based SSO — are not incremental improvements. They reflect a maturing enterprise platform that respects both the user experience and the administrator's need for control. SureMDM is built to translate these platform capabilities into real workflows, so our customers can move fast when new OS versions land."
— Nikhil Badrinath, Product Manager, SureMDM iOS and macOS, 42Gears
What This Means for SureMDM Customers
Apple's direction is clear: declarative management is the foundation everything else is being built on. Every major feature announced at WWDC 2026 — health reporting, credential management, identity, binary controls — is designed around this model. SureMDM has been aligned with this architecture, which means the capabilities Apple is shipping translate directly into features our customers can use.
SureMDM supports declarative device management across iOS, iPadOS, and macOS — giving IT teams a single console to manage their entire Apple fleet, automate configuration, monitor device health, and enforce security policies at scale. Whether you're deploying a handful of iPhones or thousands of Mac computers, SureMDM is built to handle the complexity so your team doesn't have to.
The expanded status reporting in iOS and iPadOS 27 — including hardware health for components like Face ID, Touch ID, and the camera — means IT admins can see exactly what's happening with every device without waiting for a user to report a problem. The new managed migration support for Mac means IT-managed transitions to new hardware are finally as smooth as they should be. And the new privacy consent controls mean fewer support tickets from users confused by repeated permission prompts.
For macOS, the combination of declarative app configuration, binary execution controls, and the new Platform SSO capabilities represents a serious step toward macOS being a fully enterprise-ready platform — not a compromise, but a genuine first choice. SureMDM's macOS management capabilities are built to match that ambition.

