WWDC 2021 announcements for Mac admins…

This fall, Apple is going to release its newest OS: macOS 12, Monterey.

With that, there are some major improvements to Mac management that were not in Big Sur. Here are some highlights…

From What’s new in managing Apple devices

System Extensions removal

With Big Sur, there were some fairly complicated digital gymnastics you had to perform to script uninstalling system extensions.


With Monterey, things will supposedly be simpler, as removing the payload will also deactivate the system extension without prompting for a password.

The ability to use a “firmware” lock on Apple silicon Macs

Apple isn’t calling this a firmware lock, because the architecture of Apple silicon Macs is different from that of Intel Macs, but with Monterey, they are bringing something similar to a “firmware” lock.

You’ll be able to have your MDM lock lost/stolen Macs with a six-digit PIN.
This would take the place of what used to be the firmware lock code sent from an MDM.

Additionally, MDMs will be able to set, update, and remove the password required to boot into recovery mode.
This would take the place of what used to be a manually set firmware password (using firmwarepasswd).

Erase All Contents and Settings for macOS

For years, iPhone and iPad users have been able to get their phones and tablets back to factory settings by just launching the Settings app and selecting to erase all contents and settings. macOS users, by contrast, have had to boot into recovery mode, erase the disk, and then reinstall with a full installer, or use a USB installer to reinstall macOS.

With Monterey, users will be able to use System Preferences to erase all contents and settings to get back to macOS factory settings without a lot of fuss (and supposedly much more quickly).

Additionally, for Mac admins using an MDM, there is an option to restrict this setting, so users don’t erase their own macOS installations accidentally. (Obviously, you can temporarily remove that restriction if you do want a user to be able to do so.)

From Manage devices with Apple Configurator

Provisional DEP for Macs

For years, Apple device admins have been able to add random iPads to their organization’s DEP by using Apple Configurator to provisionally DEP-enroll in the organization’s MDM.

With iOS 15 and macOS Monterey, organizations can now add randomly purchased Macs to their organizations provisionally as well.


If a user removes the MDM enrollment within 30 days, the provisional DEP will go away. Otherwise, that Mac will stay in your organization’s DEP indefinitely.

From Manage software updates in your organization

With Monterey, the InstallASAP option supposedly will not close users out of their apps with unsaved changes (unless you specify to force install), and the InstallLater option is supposed to try to install between 2am and 4am.

You will also be able to specify MaxUserDeferrals, and users will see how many deferrals are left.

We’ll obviously have to see how smooth the implementation ends up being, but this looks promising.
