Get ready for iOS12

Webinar transcript - View the full webinar


Russell Mohr:  Hi. I'm Russell Mohr, from MobileIron. I'm a sales engineer, working with our channel and carrier partners and our commercial team. Joining me today is Kevin Hsu. He is our product director for all things Apple at MobileIron. Today, we'd like to talk to you about iOS 12, which came out on Monday of this week, went GA.

We want to tell you about some of the features that we think will pack the most punch out of Apple's latest release, the most relevant to enterprise. At the same time, we also want to give you a quick tour of Apple Business Manager. Apple Business Manager went GA shortly after the release of iOS 11.3.

We're going to start off just by talking about iOS 11.3 for a minute because there's been an evolution of some features that were released at that point. There's been an evolution in iOS 12 that's pretty irrelevant to some of those features. To start off, let's talk about iOS 11.3.

First things first, Apple released a long‑anticipated feature by many of our customers and partners, deferred updates. This is the ability to defer an iOS update on a device that is institutionally owned.

A supervised device has been enrolled either using Apple Configurator or device enrollment from the company Device Enrollment Program or DEP. Once you have a device that's supervised, you can actually delay an update from anywhere from 1 and 90 days.

The other thing that we're going to talk about...Actually, why don't I show you deferred updates very quickly? I'll show you how this works on MobileIron Cloud. This is our latest version of MobileIron Cloud. I'm going to choose add and a configuration. Just to make my life easier, I like to filter down on iOS. If I look at iOS restrictions, this is where we configure the deferred update. This is where I configure it anywhere from 1 to 90 days. That's how we do a deferred update.

There's another feature that came out in iOS 11.3, also very interesting for our customers where you can actually specify what version iOS will update to. Let's imagine that 12.0.1 came out already. I choose iOS.

Over here is where I would say, "I want to update to version 12.0.1." Then I can even schedule, so I'll do a two‑hour window between 10:00 and noon. I'll do that in the Pacific time zone. That's how we do, for supervised devices, updating to a specific version for iOS. Both of those features became available in iOS 11.3 which came out last spring.

The other big news in iOS 11.3 is that contacts became managed. That meant that if you deployed corporate contacts using an exchange configuration, using an LDAP configuration, or through an app like Outlook. Those contacts became managed and you couldn't share those contacts to unmanaged apps on a device, like WhatsApp, like LinkedIn, like Skype.

You couldn't share those unless you opened up a blanket rule for the iOS device to share data between managed apps and unmanaged apps. A lot of customers didn't want to have that rule just to share the contacts. A lot of them were using contacts to reach out to their business partners, and customers and things like that.

It did cost some consternation with some of our customers that they needed to open up all managed app data to unmanaged apps if they wanted to populate contacts into apps like WhatsApp.

What is in iOS 12? I'd like to turn it over to Kevin to bring you through what some of the major [inaudible 4:24] Enterprise in iOS 12.

Kevin Hsu:  Great. Thanks a lot. Hello everyone. This is Kevin Hsu, Senior Director of Product Management. What I'm going to be covering today is really some of the highlights of a new feature release in iOS 12 for MDM. With these features solutions like [inaudible 4:47] , we'll be able to leverage using these new MDM features to control and secure devices.

Tied to what Russ was mentioning earlier, that sharing managed contacts with unmanaged apps, the different in our new feature app we added in iOS 12, with these two features on the sheet here. What does that mean? Let's give you a little bit of background.

As you know, Apple always allowed open from managed to unmanaged MDM, allow to share information from managed applications to unmanaged applications, and vice versa. This is all good, and we've been supporting that. I think a lot of customers are using that.

However, in iOS 11.3, this restriction was actually extended to further not only just covering the files or documents, but actually it was preventing managed apps from writing to the contact app of the managed contacts, or unmanaged applications to read from the contacts of those managed contacts.

The example would be contacts from MDM managed exchange account would no longer be visible to unmanaged VoIP like Whatsapp. That's going to be causing some issues starting from 11.3. In iOS 12, Apple added the two new restrictions to control those sharing of the contact information in addition to managing the docs and files.

With these two restrictions enabled...Of course, as long as you have the allow open from managed to unmanaged enabled, click on this to enable this, then your managed contacts will be able to share with the contacts apps to unmanaged. That is an important improvement. It actually stops the problems that's caused by 11.3 yet enhances security and provide more control for them.

Next one I want to talk about is OAuth 2.0. iOS 12.0, OAuth 2.0 was added to be deployed by MDM managed profile. For companies that like to take advantage of using more secure authentication between the native email app and exchange server.

This feature allows admin to configure the Microsoft exchange account to turn on OAuth 2.0 for whatever iOS devices in the device groups, [inaudible 7:58] , or all of iOS devices via MDM control.

This [inaudible 8:07] isn't really the first time Apple introduce OR to the iOS devices. In iOS 11, OAuth 2.0 for Microsoft exchange account was introduced and it became available, but the only thing was that it was a user‑driven feature.

Enterprise [inaudible 8:27] their Office 365 off iOS 11, but with this version they actually extend it to via the MDM capability so that admins can systemically control the devices by enabling OR if that's [inaudible 8:50] by the corporate security governance.

Russell:  That's a very good point, Kevin. One thing is the behavior introduced in iOS 11, the user‑initiated OAuth 2, that hasn't gone away. That's still here. If you're on a unmanaged device, for example, isn't enrolled in MobileIron and you open up the email app and authenticate Office 365, and you've got certificate based access or OAuth set up, you could still use this feature.

What we've seen is a lot of our customers don't want unmanaged devices to do that. One way to control that is actually through the MobileIron access product. We have some great blog posts on this on the MobileIron website. I encourage you to take a look at how we can help control that behavior introduced in iOS 11.

Kevin:  Right, cool. OK, thanks. Next one I want to talk about is the new restrictions that have been introduced. If you know that in every release of iOS, mainly the iOS .0 release and iOS .3 release, Apple usually adds more restrictions to the devices.

This is to either disallow some of the functions to be [inaudible 10:14] control by MDM servers. In this case, sometimes Apple adds more restrictions for supervised devices, which is typically corporate owned all so that the EMM can provide more controls over those devices.

No different here. Apple added a few more restrictions in iOS 12. Let's take a quick look at what they are. The first one is allow autofill passwords. When this restriction is turned on, autofill password feature will be completely disabled on a device.

A user won't be prompted for option to tick save password to use in a password field in Safari, for example, and/or other apps. This is really for the admin to control what kind of ability would they allow using autofill. They would require them to type in [inaudible 11:16] .

The second one, restriction, is allow nearby device to share request for password. Of course, that's also an area the security control. When this restriction is turned on, the device won't advertise themselves to nearby device for passwords using proximity autoshare. That is another feature Apple introduced. This is the restriction to add on to disallow that if again that's the security policy.

The next one actually is the new iOS 12 feature. That feature is basically allow password sharing using AirDrop capability. That's very powerful. It's a new thing in iOS 12. It's a very powerful feature, but then of course, it opens up security vulnerability.

When this restriction is turned on, user won't be able to share password using AirDrop password feature with other devices. It just won't send over AirDrop. Passwords cannot be shared. This is a new restriction added along with the new feature in this release.

The last one is to force automatic time and date setting on the device. The default is false. Anybody can change time setting to whatever different zones or not automatic, or you can manually type in. Use case for this one is I had one customer who has the setup of using one iPad in front of each conference room so that people can use the app on iPad to schedule a meeting or conference room, so on and so forth.

In that particular case, they don't want any user to change time zone. Not only time zone, but the time on the device so it will mess up the whole schedule. In that particular case, they want to force it to automatically always update the time on the Mac without anybody changing it. These are the four restrictions added to iOS 12 and if you note, these are also supervised devices.

Next one is enhanced [inaudible 13:38] . Actually, Apple introduced this one about a year ago to allow EMM servers to use MDM to control the S/MIME configuration set‑up on a device. Since there was some issues related to allowing user or not, they updated the protocol and we got this intense version of S/MIME.

First of all, background, S/MIME is Internet Standard RFC 5751 for secure sending and receiving emails by encrypting the content. Now of course, more and more corporations are choosing to secure their emails for security purposes.

This particular feature allows the admins to configure these three fields. First of all is to enable or disable S/MIME's finding and encryption. That's what S/MIME is all about, finding email and encrypted email content. Of course, you can select enable or disable on the console in my core in my cloud.

Then of course, because it's encryption and finding these certificates, so we allow the admins to distribute the encryption certificate and planning certificate via our existing certificate management system for creating them to for distributing them to other devices belonging to a label or device group or whatever they are, multiple groups.

Part of the management system to do managed certificates like renewing them, so on and so forth. Then a third option is to enable the admin to select whether they want user to be able to override or change S/MIME settings. Some customers, they do want to enable with the S/MIME, but if the user choose to turn it on and turn off, they allow that. That's the first setting of that.

That's to be a feature introduced in other [inaudible 15:50] , introduced in iOS 12. It's going to help quite a bit with the Exchange active and mail servers to enable the security of the emails. Next one, we want to talk about device enrollment enhancement.

Again in every iOS release, Apple adds more of these skipped options to streamline the user experience, to include the user experience. What are they? For those of you who actively use MobileIron Core in cloud to manage the DEP profiles for DEP device enrollment, you're familiar with the DEP profiles that were supported in my core cloud.

In the DEP profile, there's a long list of options that you can choose to skip during the power‑up and set‑up process of iOS devices. As Apple is adding more and more features to their device, the view and set‑up time, it's going to ask you a lot of questions, such as, "Do you want this? Do you want that? How do you want to enable this including [inaudible 17:15] and locations," things like that.

For many devices, they are designated for specific use case, whether for example, in the lobby for registration or in the showroom display room for in a car dealership. They are dedicated for those specific use, therefore many of those options or features are not relevant.

Therefore, in the DEP profile, they can't be suppressed during the set‑up time. So is the list here in iOS 12. They added a few more things such as iMetrics and FaceTime setting, Screen Time setting.

Screen Time has been a new thing added, allow parents to monitor kids or whatever [laughs] young kids to spend time on a device. You can set that up. Again, if it's not relevant, then you can suppress the setting of that. Same as with the software updates.

As usual, we'll be adding these things into the DEP profile and along with all the other skip functions and skip options one can choose which ones to skip during the set‑up time.

Russell:  Kevin, I should mention that we're starting to see that Apple is changing some of their terminology with iOS 12. DEP, or Device Enrollment Program is what we've been calling it, but apparently, it's going to be called Device Enrollment now.

Couple of other name changes, iBooks has become Apple Books with iOS 12. We're also seeing some changes in terminology around what we've been calling Volume Purchase Program or VPP. If you look on Apple Business Manager, which we'll talk about in a little bit, you'll see that it's referred to as Apps and Books and even saying Content and Books, Kevin.

There is some new terminology out there. DEP is going to be the old name for managing a device institutionally.

Kevin:  Exactly. Thanks, Russ. I believe you have a trial later on to briefly talk about Apple Business Manager. Just a little bit background, Apple actually officially launched Apple Business Manager this summer, I think was either July, August.

They were in beta for a while, and they officially launched Apple Business Manager. What that is is an improved user service portal that combining the DEP portal and a VPP portal. DEP is the old Device Enrollment Program, and the VPP is to provide the Volume Purchase Program.

They're combining these together and to put it under Apple Business Manager, so that it's there to improve the usability and workflow having a single, common service portal for enterprises. As part of it, they changed the name a bit. There's isn't any DEP anymore, but they still call it Device Enrollment.

For VPP, Volume Purchase Program, now it's under content and apps management. I believe we're going to have some webinars on that particular topic and some best practice by our professional services to talk about how to migrate, how to get your VPP tokens into Apple Business Managers, but look out for some announcements of those webinars.

Russell:  That will be on October 30th at 10:00 AM PST, so watch out for that announcement. More coming soon.

Kevin:  Fantastic. Moving on here, iOS notifications. Here are a couple of very interesting ones. In iOS 12, Apple actually introduced this new type of opt in notification called a critical alert. These alerts are limited to scope.

It's not generically available for everybody. Limited scope and are available only for things like a medical and health‑related information, home security, public safety, and so on and so forth. They need to be truly critical alerts.

Apple will need to approve these critical alerts before they can be classified and used. Any app developer, they'll have to get approval before they can actually send critical alerts to the apps. The first notification is to allow people to enable the critical alerts on the devices.

Let's say if you, again, for example, if this device is used for showroom or lobby for logging in, then maybe the critical alerts are not applicable to those devices, so you want to suppress it. For other devices, you may want to enable it. Depending on the use case, that is one thing about critical alerts. You want to enable or disable it.

The second one that's related is to enable the information to be shown on car display, CarPlay. The use case could be that you've got multiple people sitting in the car and you have the iPhone hooked up with a CarPlay showing on the car display.

The critical information could include some sensitive information from the company that's delivering critical information, whatever. You may not want that to be publicly available on your car display for the passengers, whoever that's in the car, so you can suppress that. Admins can actually disable, disallow the showing in CarPlay for the critical alerts.

Russell:  If you watched Apple's keynote event on this, Kevin, a lot of time was spent on the Apple Watch 4, which got bigger. Also, where they concentrated a lot on was some of the healthcare aspects of the watch and doing things like EKG, electrocardiogram, on the watch. That watch, of course, pairs to a healthcare app on the iOS device.

That healthcare app can probably do a critical alert. The developers requested that accessibility from Apple.

Russell:  Correct.

Kevin:  Lots of interesting things happening here around healthcare with Apple.

Russell:  Cool. Moving on, here's a note here to bring to your attention. Some of the [inaudible 24:38] are no longer trusting. As of August 1st of this year, Apple actually has partially distrusted Symantec certificate authorities.

Then later on, they said sometime in the fall, they will completely distrust Symantec CAs, sometime in fall. They didn't give exact date, but given this as a warning, you may want to start moving in CAs and transitioning them from Symantec to an Apple‑trusted certificate authority.

Some of the systems you'll see if you continue to use untrusted CAs, now including Symantec, would be the iOS or macOS devices can no longer access some SSL resources or services affected using SSL certs issued by these Symantec CAs.

When that happens, you'll see errors like "Unsafe connection, could not connect to the server. The server connection is rejected because an unsafe SSL certificate is detected," and things like that. Just a note here that Apple made that announcement.

The other untrusted CA is the federal common policy group CA. That's removed from iOS‑trust app store as well. Wanted to put that note here for those of you who might be employing these certificate authorities as trusted CAs, you may want to transition to other CAs that's trusted by Apple.

Russell:  Another comment, sir, Symantec acquired Thawte, T‑H‑A‑W‑T‑E, in 2010. I believe those certs will be distrusted also.

Kevin:  Very good point. I know the topic in the webinar is all about focusing on iOS 12, but I have here one chart about macOS 10.14 Mojave as well since the MBM is released at the same time and both new releases at the same time.

This one is important, so I put this one up here. What that is, is that on the Mac, you can open the preference, and you can go to the security and privacy section. You are able to configure what application that you allow to purchase these critical or sensitive system files, personal information and system resources.

For example, address book, calendars. These are very personal and contains private information like reminders. It has a lot of sensitive and private, secured information there. You may or may not want some of the apps to have access to them.

Other resources such as camera, microphone, you don't want to have some other apps that might be accessing them without knowing that. With macOS Mojave, Apple has added the MDM capability allowing EMM consoles to control these resource control policies by using MDM servers.

Just like you're able to control the restrictions on iOS device, now on a Mac, you can control these system resources and access to these critical files by using the MDM control.

Not only this particular feature is important, but I also put up this chart to give you a quick reminder of MobileIron's macOS management capability. MobileIron has come a long way. In the last 12 months, we've introduced a lot of the capabilities of managing macOS on both MobileIron Core and MobileIron Cloud.

The concept is to expand our reach, management, and secure functionality for iOS and [inaudible 29:08] devices to the Mac. For those customers who attended the MobileIron Live!, whether it's in Europe or US, some of you came to my session talking about macOS. You may saw that.

For the [inaudible 29:26] customers, this is just quick introduction that a mobile has actually extended and introduced the full macOS management functionality on iCore and iCloud basically replicating the management and securing functionality of the current available these platforms for EMM to extension managing macOS.

For those of you who are interested and would like to take a look at solutions to include the macOS and the management, I would highly recommend you to take a look at the embedded functionality. Whether you're using MobileIron Core, MobileIron Cloud, those functionality are already existing in the platforms that you're using.

We're continuing to introduce more releases covering Mac in the new releases. For example, from Q4 releases of iCore and iCloud, you'll see more features coming out in these platforms to manage macOS's.

I just want to have one chart here talking about this important feature coming out in macOS 10.14, as well as have a quick highlight of mobile's capability of managing macOS. If you have interest and questions related to specific macOS, feel free to reach out to our sales team, our customer support. Reach out to Russ and myself, and we'll be more than happy to go over the full set of capability of Mac management.

With that, that concludes my focus on the MDM based features for introducing iOS 12. With that, I'm going to turn it over to Russ to talk about some other areas of highlights.

Russell:  Thanks, Kevin. A lot of exciting new features in iOS 12. A lot of them you'll see from the moment you update. When you update to iOS 12 or if you have a new device, like the iPhone XS or XS Max or XR, you'll see that when you set up the device, there'll be new instructions on screen time.

Screen time is a new feature that allows you to limit the amount of time that you spend on social media apps, for example. Could be any app. It also gives parents control over the amount of time that their children spend on these type of app. You can limit yourself to half an hour a day on Instagram and Facebook, for example, if you wanted to.

Great new feature. Lots of new emojis. We see the evolution of animojis continue. ARKit 2 is now shipping. You'll see a new app on your device. I think it's The measure app. Really leveraging the powers of the chipset in there, which we'll talk about in a minute.

That also enables a faster camera, so better camera on the dual cameras on the new devices, and group FaceTime. You can add to a FaceTime now. This is available at launch, but it should be coming around October. Up to 32 video sessions on FaceTime. That's really also powered by the new A12 bionic chipset.

I mentioned already, iBooks becomes Apple Books. Siri password search, yes. Also, Siri shortcuts become really powerful. You can set up workflows based on many tasks that you want to do and chain them together using Siri shortcuts.

One other one that I think that will be pretty interesting to our customers is the introduction of the eSIM dual SIMS. The dual SIM is available on the XS and XS Max. Basically, it allows you to have a second phone number on your device.

You can have a lot of other phone numbers set up for that eSIM, but only one of them could be active. You'll have your regular old SIM and you'll have the eSIM. Also, only one of those numbers can be used for the iMessage application. You can't have both of them using iMessage.

The other interesting thing is that not every carrier is supporting the eSIM. This is from Apple's website actually. The countries and carriers that support eSIM today, which has actually been available on the iPad for a couple of years now. In the US, you'll see that all for the major carriers. Sprint will have it soon.

You'll see out of these countries here, one of them that's missing is China. Apple is actually committed to making an iPhone, the S series, that actually has two physical SIM slots in it for the China market.

You'll see different variant of iPhone in China because it doesn't look like the...Chinese carriage are going to be supporting the eSIM standard any time soon. Kevin, I think you had some insights about where this is all going.

Kevin:  I just want to mention one thing. Some of our customers I'm sure will be [inaudible 35:08] multiple SIMs, especially using eSIM for multiple numbers. Use case could be one number for US, one number for say Japan, Asia, another one in Europe.

When a guy is a world traveler, when he lands to a country he turn off that particular number on eSIM as active number. How do we track that? What do we get information?

Apple, two days ago, just released a new revision with a new additional item to the device details. That item is going to give us all the information that are sent for multiple SIMs that's available on the phone.

Let's say a person has a phone eSIM programmed with three numbers and with another SIM card for example, we will be able to get all those device details via the device detail MDM command. We will be able to display the multiple numbers programmed with eSIM, which one is active, which one is the SIM card.

This is all in the device detail which is great, but then it goes further. There will be few items of eSIMs that would be able to support using advanced search so that you can apply whatever you want it to apply to. Whether it's a configuration. Whether it's policy. Whether it's [inaudible 36:39] compliance.

Say for example you want to do [inaudible 36:43] search on phones that's in United States, we can do that [inaudible 36:50] search based on the active SIM country and then apply US security policies to it.

Let's say a person jumps on a plane and he lands in Japan and activates one of the eSIM phones that's local to Japan, when the device checks in, this active [inaudible 37:17] search will be able to pick that up as this is a Japan phone. Then it'll be assigned with a label that's driving another set of secure [inaudible 37:27] to it.

That will be very powerful capability incorporated into core cloud using this new command that's associated with supporting multiple SIM.

Russell:  Of course, we're just learning about the new capability. This is how we're thinking of using them in the future. More to come on that.

I just want to talk about the new chip. Apple has updated the A11 to the A12 chip. They've shrunk it down to 7nm from 10nm, which I think is an industry first. Some other players will be coming out with this, but it's pretty incredible.

We've gone up to 6.9 billion transistors on one of these chips, an order of magnitude greater than what we used to have. We've gone from the billions to five trillion operations per second on this chip. I was listening to a podcast from Benedict Devin's on E16 SIM. What they said was one of these chips has more power than all of the Pentium computers that were used to make the "Toy Story" movie.

Really incredible what we're doing on a chip on a single six‑inch device. Pretty amazing what's happening out there. These will be on all of the X series. The XR, the XS and the XS Max.

Of course, lower power consumption also and that small form factor, better graphics performance, better neural networks performance for things like ARKit and ML. Really quite an amazing piece of hardware that we're going to have in these devices.

I just want to shift over for a moment. Because Apple Business Manager came out some time between 12 and [inaudible 39:26] prerelease, I want to show you what it looked like. First and foremost, Apple Business Manager, it's not an EMM. It's a management platform. I'm going to log into it right now and just show you a couple of things that have happened.

If you happen to use the DEP portal at, every time you log in these days, it will prompt you to upgrade to Apple Business Manager. We're seeing a lot of customers do this. It's been a very smooth transition for our customers.

Let me show you what some of the new capabilities are. First of all, we've got really detailed role‑based access control. I can define what the different roles are. I might have just one user that can buy apps and manage apps, for instance. Really granular. These are the prepopulated roles that they've created.

We've also got the concept of locations. Not only does the Apple Business Manager allow you to do all the functionality of the Device Enrollment Program ‑‑ now called Device Enrollment ‑‑ but also you can create your own locations. Those locations will be associated with an S token or VPP token that you will find in Apps and Books over here.

If I created a new location, it might be for a line that did business instead of an actual physical location. Let's say marketing buys their own apps and only deploys them to marketing. They have their own PNL. That gets a lot easier to do with Apple Business Manager.

Another thing that you can do ‑‑ I'm just going to click on Apps and Books over here ‑‑ is I can distribute apps between different locations. If I've bought an app and I want to distribute it...Maybe I'll find MobileIron Go over here. Do one drive. I can actually distribute these licenses between different locations in my organization.

It's very easy to purchase free apps or paid apps over here. Another great thing is you can actually, with a PO, purchase apps now. You no longer need to just use a credit card. You can go to go to an accredited reseller. If I go into Settings, and Apps and Books, you'll see that this is available over here. It's called Store Credit.

Also, here are all my S tokens for all of my different VPP locations. All of my different locations. I can easily just download an S token and upload it to MobileIron Core and Cloud and the two will sync. All the licenses will sync over to Core or Cloud.

The other thing I want to show you that's really interesting about Apple Business Manager is if I look at the MDM server, there's a new capability on here where I can choose a server. If I choose Edit over here, I can decide that this server is now the default server for all macOS devices. This MDM server, if it's a Mac and enrolls in my organization, it will enroll with this MDM server.

Or I could say, "This is the one that has all the iPhones and iPads. Of course, as you can see, I've got lots of different MDM servers set up.

You can do as many as you want over here. Really, really great new feature. The other thing is, when you add users here...You can add users by adding accounts over here. I just won't see this. They become managed Apple IDs.

They're not managed Apple IDs in the way that you might go to iTunes and purchase apps, but they are managed by your organization. When Apple releases an update to their terms and services like they do whenever there's a major iOS update, in the past DEP admins, device enrollment admins, have had to log on to and accept the terms of service.

Really there was only one user who could accept those terms of service. It was the user agent. The first person who set up DEP had to accept them. Now with these managed Apple IDs, other admins in the organization can accept those terms and services.

It's very important to accept them because DEP will actually stop syncing until you accept the new terms of services. We have some great features in our product to warn you when you need to do that. You no longer have to scramble to find the right account to log in.

Any of the managed Apple IDs that have access to Apple Business Manager can now perform that task. That's Apple Business Manager. I just wanted to give you a quick tour of it. I want to leave you here with some further guidance.

Apple has guidance on iOS 12 and how it should work in your organization and MobileIron also has the same thing. I can click on MobileIron Guidance on iOS 12. This is our community website. It is really a great place to go for information.

If I wanted to know more about Apple Business Manager, I could search for that in here. All partners and customers should have access to this portal at Here's lots of information about Apple Business Manager.

One thing that you should know is if you are managing a lot of VPP tokens with Apple Business Manager, it's really good to plan out how you're going to do your migration of those. That's tokens. We've got a how‑to article that shows you step‑by‑step how you upgrade from the legacy portal to the new portal.

Also gives a lot of the guidance on how you should handle tokens and also links to what Apple is saying about how to consolidate all of your tokens under the new Apple Business Manager umbrella. Community is a really great place and then just one last thing to show you over here.

We showed you deferred updates. If you want to know more about those, just search for iOS deferred updates. Plenty of information on that. Step‑by‑step on how to configure it. Then finally, if you haven't used device enrollment yet and you want to start using it, we've got the DEP Center of Excellence.

We'll need to rename this soon to include DEP and ABM, Apple Business Manager Center of Excellence. This shows you how to get started, lots of technical guides and videos on how you can get started using the device enrollment program.

The last thing I have to say is we are iOS 12 ready at launch. As a matter of fact, we've been testing since the first beta came out. As a matter of fact, the first beta for iOS 12.1 came out this week. If you're running one of the MobileIron cloud, you're ready iOS 12.

If you're running one of these core versions, it's ready for iOS 12. We're really excited about this release. I think that there's a lot in here for all of our customers and partners.

Kevin, do you have anything to add?

Kevin:  No, I think we're good.

Russell:  Excellent. We'd like to thank you for joining us today. Please do tune in on October 30th at 10:00 AM PST when we'll do a deeper dive on Apple Business Manager and how we do management of apps and books or VPPS tokens.

Please do join us then. It will be Professional Services that will be running that. They have a lot of experience with migrations. Thanks again for joining us.