Managing Apple Intelligence on macOS and iOS with Workspace ONE UEM
Overview
During their keynote at this year’s Worldwide Developers Conference in June, Apple announced their push toward generative AI with a new feature called Apple Intelligence. Apple touts Apple Intelligence as “AI for the rest of us,” and it is built into select devices running macOS Sequoia 15.1, iOS 18.1, and iPadOS 18.1.
The upcoming Apple Intelligence features fall into one of three categories: writing tools, image tools, and Siri. The writing tools will offer proofreading, rewriting, and summarization of text whenever you write. With the image tools, you can create your own original images, turn a rough sketch into a related image, and create custom Genmoji. For Siri, Apple Intelligence will provide richer language understanding, an awareness of personal context, and the ability to take action in multiple apps.
To minimize privacy and security risks, Apple Intelligence executes requests through a three-tier processing system: on device, private cloud computing, and ChatGPT. Requests are processed locally on the device itself as much as possible, ensuring that data never leaves the control of the user. If more computing resources are required to fulfill the request, the request is forwarded to Apple’s Private Cloud Compute resources. According to Apple, data used to process the request is never retained once the processing is complete.
Thirdly, Apple has included optional integration with ChatGPT, specifically with Siri and the writing tools. End users can control when and if ChatGPT is invoked, and they must confirm that they want their information sent to the service.
As Apple Intelligence becomes available for customers, enterprises and IT admins might express concerns about allowing their end users to utilize these new features on corporate owned devices, especially if there are security concerns about sensitive and proprietary data being exposed.
Omnissa Workspace ONE UEM provides IT admins with the ability to restrict Apple Intelligence features on managed corporate owned devices. Using a combination of profile payloads and custom XML, IT admins can configure macOS and iOS devices with their preferred settings related to Apple Intelligence, including disabling specific features and skipping Setup Assistant panes during device initial setup.
NOTE: Support for the Apple Intelligence keys discussed is part of a patch for Workspace ONE UEM, version 2406. The patch is being rolled out to all SaaS Workspace ONE tenants. If you do not see the settings discussed in this document, be patient. They should be available in your tenant shortly.
Purpose of This Tutorial
This tutorial will discuss the available options for managing Apple Intelligence on managed corporate owned devices within Workspace ONE UEM. It will provide a detailed overview of the profile payloads available for macOS and iOS, as well as discuss additional customizations that can be achieved using XML and the Custom Settings profile. The following topics are discussed:
- A brief discussion about macOS and iOS device profiles.
- A summary of the options available for managing Apple Intelligence.
- A sample process for creating a profile to restrict Apple Intelligence features on devices.
Audience
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments.
Both current and new administrators can benefit from using this tutorial. Familiarity with macOS, iOS, XML, and basic scripting is assumed.
Knowledge of additional technologies such as Omnissa Intelligence and Omnissa Workspace ONE® UEM is also helpful.
About macOS and iOS Profiles
Profiles are the primary mechanism for configuring Apple devices in Workspace ONE UEM. A profile represents the settings that help enforce corporate policies and procedures and contains one or more payloads which define actions to be taken on the device. These actions can include restricting certain features, applying specific configuration for things like VPN, managing security options like password policies and certificates, and many other options.
Device-level and User-level Profiles
With Workspace ONE UEM, profile management for Apple devices can occur on the device level or on the user level.
Device-level profiles apply restrictions and settings to any user logged-on to the device. Device profiles are typically used to control settings that apply system-wide such as VPN and Wi-Fi configurations, Global HTTP Proxy, Disk Encryption, and/or Directory (LDAP) integration.
In contrast, user-level profiles apply settings and restrictions to the specific user logged-on to the device. User profiles typically control settings that apply to the enrolled user such as email configurations, web clips (URL shortcuts), credentials (certificates), and content filtering settings.
Platform-specific Profiles
Profiles are created for individual platforms, which means you might have two profiles with the same configuration: one for macOS and one for iOS. Although the configuration might be the same, the profile for each platform might be applied to the device differently. Therefore, it is important to ensure that, when configuring Apple Intelligence profiles for your Apple devices, you create a separate profile for macOS and iOS.
Figure 1: Device profile platform selection in Workspace ONE UEM.
Profile Processing
It is important to understand the process Workspace ONE UEM uses to deploy profiles to devices. This process, which includes retry logic for failed deployments, follows three important steps.
- Once the profile is created and assigned, it is queued for installation. This means the profile is available for the next device check-in. It has not been deployed to the device at this time, and the device does not know that the profile exists.
- When the device checks in with the UEM Device Services, it is notified that a profile is available for deployment. The deployment status of the profile becomes “Pending.” If, for some reason, the device check-in fails, the profile will be queued for the next device check-in.
- The device deploys the profile. Once the deployment is complete, it will notify the server, and the profile status will change to “Processed.” If, for any reason, the deployment fails, the profile will be queued again for the next device check-in.
Declarative Device Management for iOS
Although this does not directly apply to managing Apple Intelligence, it is important to point out that there is one significant difference between macOS and iOS profiles in Workspace ONE UEM. When you select iOS as your platform, you will notice a new screen requesting the Management Type and Context for the profile you are creating. This new screen is part of Workspace ONE’s support for Apple’s Declarative Device Management (DDM), a shift in their MDM protocol toward desired state management.
Workspace ONE currently supports DDM for iOS only, with support for macOS coming soon. To configure the payloads for Apple Intelligence, you will select Imperative for the Management Type and Device for the Context.
Figure 2: Management Type selection for iOS in Workspace ONE UEM.
If you would like to learn more about Declarative Device Management, please read the below article on Tech Zone.
Apple Intelligence Profile Payloads
Workspace ONE UEM provides three options for managing Apple Intelligence on macOS and iOS devices. Two of the options control the end user’s ability to configure Apple Intelligence during device setup, and the other manages Apple Intelligence features on the device itself. The next sections will discuss each of these options.
Device Restrictions
Workspace ONE UEM provides options for restricting specific Apple Intelligence features on macOS and iOS devices. These options can be found in the Restrictions payload for both macOS and iOS. The restrictions give IT admins the ability to allow or disallow each feature. The following table explains the available options:
Option | Description | Supported OS |
Allow Image Wand | The Image Wand transforms a user’s rough sketch into a related image. This option will allow or disallow the Image Wand on devices. | iOS 18.x |
Allow Personalized Handwriting Results | This feature converts the user’s handwritten notes into text. | iOS 18.x |
Allow Genmoji | Genmoji allows users to create a brand-new Genmoji from a provided description or images from their Photos library. This option will allow or disallow the Genmoji on devices. | iOS 18.x, macOS 15.x |
Allow Image Playground | Image Playground allows users to create original images based on a description, suggested concepts, or a person in their Photos library. This option will allow or disallow the Image Playground on devices. | iOS 18.x, macOS 15.x |
Allow Writing Tools | Writing Tools can proofread text, rewrite different versions of text, and summarize selected text. This option will allow or disallow the Writing Tools on devices. | iOS 18.x, macOS 15.x |
Mail Summary | Mail Summary automatically summarizes a complex email or an email thread. This option will allow or disallow Mail Summary on devices. | iOS 18.x, macOS 15.x |
NOTE: Apple plans to release additional features in the future beyond the initial ones listed above. As new features are released, this table will be updated to reflect new Restrictions and other profile options for managing Apple Intelligence.
Figure 3: Apple Intelligence Restrictions for iOS in Workspace ONE UEM.
Figure 4: Apple Intelligence Restrictions for macOS in Workspace ONE UEM.
Skip Setup Assistant
Setup Assistant on macOS and iOS devices launches automatically after a new installation of the operating system or when a newly purchased device is turned on for the first time. It walks the end user through the settings needed to start using their device. The options in the Setup Assistant include but are not limited to, configuring location services, setting up Touch ID or Face ID, signing into an iCloud account, setting Siri options, customizing privacy and security settings, and creating a user account.
New to macOS Sequoia 15 and iOS 18 are panes within Setup Assistant for configuring Apple Intelligence options. Workspace ONE provides a new key within the Skip Setup Assistant payload for restricting the Apple Intelligence configuration on iOS during Setup Assistant.
Figure 5: Skip Setup Assistant option for Apple Intelligence in Workspace ONE UEM.
Device Enrollment Profile
A Device Enrollment Profile is created in Workspace ONE UEM and used by Apple Business Manager (ABM) or Apple School Manager (ASM) to configure authentication, MDM features, and the Setup Assistant on new devices at the time of enrollment. These devices must be registered in ABM or ASM and assigned to Workspace ONE. Apple’s Automated Enrollment Program pushes DEP to new registered devices during device activation.
For more information on configuring Apple’s Automated Device Enrollment, please see the following Tech Zone resource.
Like the Skip Setup Assistant payload discussed above, the Device Enrollment Profile includes options for configuring the Setup Assistant panes seen by the end user when initially setting up their new macOS or iOS device. As with that payload, IT admins can now restrict the Apple Intelligence panes in the Device Enrollment Profile.
Figure 6: Device Enrollment Policy in Workspace ONE UEM.
Creating a Device Profile to Restrict Apple Intelligence
The following process will demonstrate how to create a profile to restrict Apple Intelligence features on Apple devices. The process is relatively the same for macOS and iOS. Any deviations for a specific OS will be called out below.
When followed, this documented process creates a sample Device Restrictions profile that disallows certain Apple Intelligence features on your devices. When implementing your own profile, you may wish to deviate from this sample with your own preferred configurations or add additional restrictions.
NOTE: These instructions were created on version 24.6.3 of the Workspace ONE console. The steps may vary slightly with other console versions.
Create a Device Restrictions Profile
To get the desired result, perform the following steps:
- In the Workspace ONE UEM console, select Resources. Then, expand Profiles & Baselines, and click Profiles.
- On the Profiles List View, click the Add menu and select Add Profile.
- Select the platform for which you wish to create the profile. For this tutorial, you can select either macOS or iOS.
Figure 7: Device profile platform selection in Workspace ONE UEM.
NOTE: This is where the two platforms might diverge. If you select iOS, you will see an additional screen that asks you to select the Management Type and Context for the profile you are creating. This is part of Workspace ONE’s support for Declarative Device Management for iOS as discussed earlier in this document. For this exercise, you will select Imperative for the Management Type and Device for the Context. Then click Next. If you selected macOS as your preferred platform, you would select Device Profile on the Select Context screen.
- Provide a name for the profile. For this exercise, you will enter Apple Intelligence Restrictions.
- Scroll down the list of available payloads until you find Restrictions. Click Add.
- Click on the Intelligence tab. Deselect the button beside the following options:
  - Allow Genmoji
  - Allow writing tools
Figure 8: Apple Intelligence restrictions in Workspace ONE UEM.
- Click Next.
- Scroll down to view Assigned Groups and click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All Corporate macOS Devices (your@email.shown.here).
- Select Auto for the Assignment Type.
- Click Save and Publish.
- You should now see your Apple Intelligence Restrictions device profile within the list on the Profiles window.
XML for Custom Settings Payload
If your Workspace ONE UEM tenant is not on version 2406, you can still restrict Apple Intelligence on your corporate owned devices using a Custom Settings payload. The following XML can be pasted into a Custom Settings payload and assigned to your macOS or iOS devices.
<dict>
    <key>allowGenmoji</key>
    <false/>
    <key>allowImagePlayground</key>
    <false/>
    <key>allowImageWand</key>
    <false/>
    <key>allowPersonalizedHandwritingResults</key>
    <false/>
    <key>allowWritingTools</key>
    <false/>
    <key>allowMailSummary</key>
    <false/>
    <key>PayloadDisplayName</key>
    <string>Restrictions</string>
    <key>PayloadDescription</key>
    <string>Apple Intelligence Restrictions</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadType</key>
    <string>com.apple.applicationaccess</string>
    <key>PayloadUUID</key>
    <string>a9f1b84e-7795-4f47-bcfa-e6334668bce1</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadIdentifier</key>
    <string>8141u59a-423c-4f76-a3c6-f785d46eb6db.Restrictions</string>
</dict>
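The check below is an added example, not part of the original tutorial or of Workspace ONE: before a Custom Settings fragment like the one above is pasted into the console, it parses the fragment with Python's plistlib and reports Apple Intelligence restriction keys that are absent or not set to false. The function name `audit_fragment`, the `AI_KEYS` table (keys taken from the XML above and matched by name to the Supported OS column of the restrictions table), and the sample fragment are assumptions made for illustration.

```python
import plistlib
import uuid

# Keys from the page's XML; platform sets follow its Supported OS column.
AI_KEYS = {
    "allowGenmoji": {"ios", "macos"},
    "allowImagePlayground": {"ios", "macos"},
    "allowWritingTools": {"ios", "macos"},
    "allowMailSummary": {"ios", "macos"},
    "allowImageWand": {"ios"},
    "allowPersonalizedHandwritingResults": {"ios"},
}

# Constructed sample, not from the page: one key left true, two keys omitted.
SAMPLE = """<dict>
  <key>allowGenmoji</key><false/>
  <key>allowImagePlayground</key><false/>
  <key>allowWritingTools</key><true/>
  <key>allowImageWand</key><false/>
  <key>PayloadType</key><string>com.apple.applicationaccess</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000000</string>
</dict>"""

def audit_fragment(fragment: str, platform: str) -> list[str]:
    """Return findings for a bare <dict> fragment; platform is 'ios' or 'macos'."""
    head = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0">'
    try:
        payload = plistlib.loads(head + fragment.encode("utf-8") + b"</plist>")
    except Exception as exc:  # truncated paste, unbalanced tags, bad values
        return [f"not parseable as a plist: {exc}"]
    if not isinstance(payload, dict):
        return ["not parseable as a plist: top-level element is not a <dict>"]
    findings = []
    if payload.get("PayloadType") != "com.apple.applicationaccess":
        findings.append("PayloadType is not com.apple.applicationaccess")
    try:
        uuid.UUID(str(payload.get("PayloadUUID")))
    except ValueError:
        findings.append("PayloadUUID is missing or not a valid UUID")
    for key, platforms in AI_KEYS.items():
        if platform not in platforms:
            continue  # option not listed for this OS in the page's table
        if key not in payload:
            findings.append(f"{key}: key absent, so this profile does not restrict it")
        elif payload[key] is not False:
            findings.append(f"{key}: not <false/>, so the feature stays allowed")
    return findings
```

Calling `audit_fragment(SAMPLE, "ios")` returns one finding per gap; an empty list means every key listed for that platform is present and set to false.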
Summary and Additional Resources
This operational tutorial provided details about Workspace ONE’s support for managing Apple Intelligence on macOS and iOS devices. It discussed the options available to IT admins for restricting Apple Intelligence features on devices, as well as managing the end user setup process with the Setup Assistant. This guide included an example process for creating a Device Restrictions profile specifically for managing Apple Intelligence.
NOTE: Support for the Apple Intelligence keys discussed is part of a patch for Workspace ONE UEM, version 2406. The patch is being rolled out to all SaaS Workspace ONE tenants. If you do not see the settings discussed in this document, be patient. They should be available in your tenant shortly.
Additional Resources
For more information about managing macOS and iOS devices with Workspace ONE UEM, explore the following resources:
- Onboarding Options for macOS
- Configuring Basic macOS Management
- Troubleshooting macOS Management
- Managing iOS Updates
- Blocking Unwanted Apps on Managed iOS Devices
Changelog
The following updates were made to this guide:
Date | Description of Changes |
11/14/2024 |
|
About the Author
This tutorial was written by:
- Michael Bradley, Senior Technical Marketing Architect, Omnissa.
Considerable contributions were made by the following subject matter experts:
- Adam Henry, iOS Product Manager, Omnissa.
- Chris Morelock, macOS Product Manager, Omnissa.
Feedback
Your feedback is valuable. To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com.