Over the past year, we have significantly ramped up our release schedule for Apple-related Workspace ONE device management capabilities. From day-zero releases around new OS versions to big launches like declarative device management and Platform SSO, the game has changed for thousands of customers who manage iOS, iPadOS, and macOS devices with Omnissa Workspace ONE UEM. And we’re keeping that furious pace going. With the release of our latest version of Workspace ONE UEM, Omnissa has launched several new features for Apple devices focused on strengthening security. 

Managed Device Attestation 

Apple’s Managed Device Attestation derives information from the Secure Enclave and from dedicated Apple servers to provide proof that a device can be trusted. With this information, organizations can better avoid hacks when devices are compromised, particularly spoofed devices. 

Workspace ONE + Managed Device Attestation 

Workspace ONE now supports Managed Device Attestation for iOS/iPadOS and MacOS devices. The option can be turned on in Apple Settings in the UEM console, and the device attestation status is visible through the Device Details screen and is also available through Omnissa Intelligence and UEM REST API. 

There are currently two methods to support Managed Device Attestation on Apple devices. Workspace ONE currently supports using Enhanced MDM DeviceInformation query and attestation certificates. Support using Automated Certificate Management Environment (ACME) certificates is coming soon.  

What happens if attestation fails? 

Device attestation can be configured to affect the Device Compromised status. If the device attestation fails, the device is marked as compromised and is subject to the actions that have been set by the administrator within the UEM compliance policies. These actions can range from enforcing certain access restrictions to denying access altogether or, in extreme cases where the device has been reported lost or stolen, it can even be remotely wiped.  

Managed Device Attestation, one of the many features that make Apple devices inherently secure, soon becomes a critical part of the Workspace ONE compliance policy engine.  This is one more way Workspace ONE helps to protect from malicious actors and breaches that can cost organizations both money and reputation.

NOTE: Managed Device Attestation is currently in limited availability and is planned for general availability in an upcoming 2506 patch. If you’re interested in early access, please contact your account team.

Return to Service 

Workspace ONE now supports Apple MDM’s Return to Service (RTS) for iOS/iPadOS and tvOS devices–a powerful new capability that simplifies the process of resetting and re-provisioning iOS devices, particularly in shared or loaner device environments. 

RTS enables organizations to securely erase all user data from a managed iOS or iPadOS device and automatically return it to a ready-to-use state, all without requiring IT administrators to physically handle the device. This is especially valuable in industries like healthcare, where patient tablets or nurse devices are frequently reused, and in retail, where shift-based workers share devices at different times of the day. Any scenario that involves handing off a device between users while ensuring that no personal data is left behind, can benefit from RTS. 

When initiating a device wipe in the Workspace ONE console, IT admins now have the option to enable Return to Service via a simple checkbox. Once selected, they are prompted to choose a Wi-Fi profile. The device is then wiped of all user data, automatically re-enrolled into UEM, and returned to the Home Screen, ready for the next user. 

By leveraging RTS, organizations can now automate device turnover securely, efficiently, and at scale–enhancing operational agility while maintaining user privacy and compliance. 

Releasing devices from Apple Business Manager using Workspace ONE UEM 

Managing the lifecycle of corporate devices is a critical part of any enterprise mobility strategy. Whether an iPhone is lost, a MacBook is damaged, or an organization wants to donate a used device to charity, IT teams need a reliable way to decommission and release these devices from Apple Business Manager (ABM) or Apple School Manager (ASM).  

This process ensures the devices are no longer tied to the organization’s Apple deployment and can be repurposed, resold, or recycled securely. And with Workspace ONE UEM, it’s now more streamlined than ever. Admins can release their iOS/iPadOS and MacOS devices from ABM or ASM using familiar actions like Enterprise Wipe, Device Wipe, and Delete Device. These actions not only remove the device from management but also trigger its release from Apple’s automated device enrollment program, eliminating the need to manually log into ABM or ASM to complete the process. 

Apple capabilities with a focus on security 

You may notice that all three of these capabilities place a heavy focus on security. As Apple devices continue to take market share from their competitors in business, hackers take notice.  And Omnissa continues to deliver Workspace ONE capabilities that help upgrade the security posture of our customers’ Apple device fleets. 

Additional resources 

Review Apple’s informative web page for more information on Managed Device Attestation. 

Review Apple’s web page about Return to Service.