Feature Roundup: iOS, macOS, and tvOS – January 2026

Just-In-Time Admin Access for macOS

SureMDM now supports Just-In-Time (JIT) Admin, providing IT teams a secure way to enforce the principle of least access privilege on managed Macs. Instead of granting users the admin access manually via Jobs or scripts, which often increases the risk of misuse or compromise—admins can now leverage JIT admin for granting admin access.

Seamless Third-Party App Management for macOS

Managing third-party macOS applications is now easier than ever. SureMDM streamlines app deployment, updates, and removal without requiring IT to package or handle PKG or DMG files manually. This automated, frictionless workflow saves time and reduces the IT burden for App Management errors across large fleets.

Enhanced macOS Service Account for Advanced Device Control

The SureMDM Service Account for macOS is utilized for advanced user management functions, including enabling SecureToken access for users created through SureMDM, performing password resets, migrating from other MDMs, and overriding user-enabled FileVault.

RunScript Job Shortcut in the App Store

SureMDM now allows IT teams to push on-demand scripts to devices while giving flexibility to the end users to run them as required. Once deployed, scripts appear as shortcuts inside the SureMDM App Store on the device. This flexibility is ideal for workflows like troubleshooting, configuration updates, or optional feature enablement—without requiring admin intervention.

DDM-Powered macOS OS Updates

SureMDM now supports OS Updates using Apple’s Declarative Device Management (DDM) for macOS, enabling devices to autonomously download and install updates based on predefined schedules and conditions. This provides more reliable, low-latency update enforcement without requiring constant MDM polling.

Account-Driven User Enrollment for BYOD Macs

SureMDM now supports macOS Account-Driven User Enrollment, bringing a secure and privacy-first approach to BYOD scenarios. Users simply sign in with a Managed Apple ID, and Apple’s service discovery automatically routes the device to the SureMDM enrollment URL defined in a hosted JSON file. Work data stays managed and secure, while personal information remains private.

Alternate Service Discovery for Reliable Enrollment

SureMDM now supports for Account-Driven Enrollment on iOS and macOS. For customers who are not able to host their own service discovery server, this approach acts as a fallback mechanism for Account-Driven Enrollments.

SureMDM now supports Apple’s DNS Configuration payload, giving IT admins the ability to define per-device or per-network DNS settings. This ensures secure, policy-driven name resolution across all managed devices

Login Items Management

With the Login Items payload, SureMDM lets admins control which apps and background processes launch automatically at user login. This ensures essential tools are always available while preventing unauthorized or distracting applications from running.

Customizable macOS Login Window

SureMDM enables full customization of the macOS Login Window enabling admins to control display style, customizing allowed users in login screen, banners, and access permissions, providing a more secure and branded login experience.

Safari Extensions Management

Admins can now deploy, enforce, and manage Safari extensions across macOS and iOS using Declarative configurations via SureMDM. This ensures users always have the necessary security or productivity extensions active, reducing risk and maintaining consistent workflows.

Disk Management Controls

The Disk Management payload allows IT teams to configure mount policies for external and network storage on macOS devices via DDM. This provides tighter control over storage access and helps enforce security policies across the organization.

FileVault Enhancement

SureMDM can now override User-enabled FileVault, or FileVault enabled before MDM migration, allowing admins to take control of encrypted Macs and securely retrieve the Personal Recovery Key programmatically without any manual FileVault disable/enable actions.

Platform SSO

Platform SSO integration enables seamless single sign-on across macOS devices with corporate identity providers, reducing repeated login prompts and aligning desktop access with cloud-based identity.

Extensible SSO (Shared Device Mode)

SureMDM supports Microsoft Entra Shared Device Mode on iOS & iPadOS, allowing multiple SSO configurations for shared devices. The new interface and automated setup make sign-in/out secure and simple for shift-based or frontline workers.

FileVault Enhancement

SureMDM can now override User-enabled FileVault, or FileVault enabled before MDM migration, allowing admins to take control of encrypted Macs and securely retrieve the Personal Recovery Key programmatically without any manual FileVault disable/enable actions.

Platform SSO

Platform SSO integration enables seamless single sign-on across macOS devices with corporate identity providers, reducing repeated login prompts and aligning desktop access with cloud-based identity.

Text Message Job

SureMDM now supports sending messages to macOS devices with a Force Read option, requiring users to acknowledge messages before proceeding.

ADE Enhancements

SureMDM redesigned the ABM integration workflow with new capabilities, including FileVault enforcement, setup assistant controls, primary/admin account provisioning, app installation and minimum OS version enforcement during enrollment. These enhancements streamline device onboarding and improve security compliance.