iOS 18 Beta 2: New Identity APIs, Passkey Enhancements & MDM Security Updates for Enterprise Fleets

This week, Apple released iOS 18.0 Beta 2 (build 24A5370h) to developers, accompanied by detailed release notes and downloadable images. The update includes new and improved APIs for authentication, privacy, and device management, many of them aimed at enterprise environments and app developers. This article details the most impactful changes, covers adjacent updates announced at WWDC24, and provides hands-on implementation guidance.
What Apple Just Shipped: iOS 18.0 Beta 2 (24A5370h)
- AuthenticationServices: New Passkey API refinements for platform and cross-device authentication.
- Managed Apple IDs: Expanded federation and SCIM support (with Entra ID/Okta/Google Workspace) now visible in Settings and Apple Business Manager.
- MDM Protocol: Declarative Device Management payloads for app configuration, SSO, and sensitive data controls.
- Privacy: Improved Private Email Relay logic for Sign in with Apple, stronger Hide My Email enforcement.
- Secure Enclave: Enhanced attestation for Face ID/Touch ID, expanded LocalAuthentication framework options.
- Digital Credentials: ISO 18013-5 driver’s license support now includes remote provisioning and revocation triggers.
What’s Coming: WWDC24 Announcements and Beta Previews
- Universal Passkey Sync: iOS 18 (and macOS 15) will support passkey sync across Apple ID and Managed Apple ID, with iCloud Keychain improvements.
- App SSO Extensions: New enterprise SSO extension APIs for federated login, including Kerberos and OIDC flows.
- MDM Enforcement: Declarative restrictions for passkey creation, device attestation, and app notarization.
- Verifiable Credentials: Wallet will support ISO 18013-5 digital IDs and verifiable credential sharing in enterprise scenarios.
Why This Is Better: Concrete Improvements Over Previous Releases
- Passkey API: Prior to iOS 18, passkey sync was limited to personal Apple IDs. Managed Apple IDs (federated via ABM/Entra/Okta) now support passkey creation and sync, closing a major gap for enterprise authentication.
- Federated Managed Apple IDs: SCIM provisioning improvements mean user/group lifecycle sync is faster and more reliable, reducing orphaned accounts and security risk.
- MDM Declarative Profiles: Apple’s new declarative model allows admins to push granular restrictions—no more reliance on periodic polling.
- LocalAuthentication Framework: Expanded Secure Enclave attestation improves anti-spoofing and biometric security, matching or exceeding Android/Windows Hello standards.
Who’s Affected
- Enterprise IT teams managing Apple fleets (ABM/ASM, MDM, federated identity).
- Developers integrating Sign in with Apple, Passkeys, or SSO extensions.
- Security engineers responsible for device compliance, attestation, and identity hardening.
How to Implement or Respond
1. Update Passkey Integration in Your App (Swift Example)
Use the new ASAuthorizationPlatformPublicKeyCredentialProvider APIs for passkey registration and authentication, now supporting Managed Apple IDs:
```swift
import AuthenticationServices

final class PasskeyRegistrar: NSObject, ASAuthorizationControllerDelegate {
    // challenge and userID are issued by the relying-party server; name is the account identifier shown to the user
    func register(challenge challengeData: Data, userID userData: Data, name: String) {
        let credentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: "your.rp.id")
        let registrationRequest = credentialProvider.createCredentialRegistrationRequest(challenge: challengeData, name: name, userID: userData)
        let authorizationController = ASAuthorizationController(authorizationRequests: [registrationRequest])
        authorizationController.delegate = self
        authorizationController.performRequests()
    }
    func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
        // forward authorization.credential (attestation object and clientDataJSON) to the server for verification
    }
}
```
Check for passkey sync capability:
```swift
if ASAuthorizationPlatformPublicKeyCredentialProvider.isPasskeySyncSupported {
    // Enable cross-device authentication for Managed Apple IDs
}
```
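Whatever the device does locally, the security of passkey registration rests on what the relying-party server checks when the credential comes back. The following is an added example, not code from the article or from Apple: a Python sketch of those server-side checks, reusing the RP ID your.rp.id from the Swift snippet. The origin https://your.rp.id, the policy switches (require_uv, allow_synced) and the sample response are assumptions constructed for the demo. It parses clientDataJSON and authenticatorData, ties the response to the issued challenge, origin and RP ID, and reads the backup-eligible and backup-state flags, which is how a server distinguishes a synced passkey (the iCloud Keychain sync described above) from a device-bound one and applies policy to it. It does not verify the attestation statement or decode the COSE public key; a production relying party does that with a WebAuthn library.

```python
# Added example (not from the article or Apple): relying-party checks on a passkey
# registration response. RP ID "your.rp.id" comes from the Swift snippet; the origin
# and the sample response below are assumptions constructed for this demo.
import base64
import hashlib
import json
import secrets
import struct

RP_ID = "your.rp.id"
EXPECTED_ORIGIN = "https://your.rp.id"  # assumed: the web origin that serves this RP

# authenticatorData flag bits (WebAuthn Level 3, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (Face ID / Touch ID / passcode on Apple devices)
FLAG_BE = 0x08  # backup eligible: credential may be synced (iCloud Keychain)
FLAG_BS = 0x10  # backup state: credential is currently synced
FLAG_AT = 0x40  # attested credential data follows the 37-byte header

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed header and, if present, the AAGUID and credential ID."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        parsed["aaguid"] = auth_data[37:53].hex()
        parsed["credential_id"] = auth_data[55:55 + cred_len]
        # The COSE public key follows as CBOR; decode it with a CBOR library before storing it.
    return parsed

def verify_registration(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                        require_uv: bool = True, allow_synced: bool = True) -> dict:
    """Raise ValueError on any policy failure; otherwise return the parsed authenticator data."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.create":
        raise ValueError("not a registration ceremony")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: stale session or replayed response")
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError("origin mismatch")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash is not for this relying party")
    if not parsed["user_present"]:
        raise ValueError("user presence not asserted")
    if require_uv and not parsed["user_verified"]:
        raise ValueError("user verification required but not performed")
    if not allow_synced and parsed["backup_eligible"]:
        raise ValueError("synced passkeys are not permitted for this account")
    return parsed

def make_sample_response(challenge: bytes, flags: int) -> tuple:
    """Constructed sample, not captured from a device: clientDataJSON and authenticatorData
    as a client would return them, with a zero AAGUID and a 16-byte credential ID."""
    client_data = json.dumps({"type": "webauthn.create",
                              "challenge": b64url_encode(challenge),
                              "origin": EXPECTED_ORIGIN}).encode()
    cred_id = bytes(range(16))
    auth_data = (hashlib.sha256(RP_ID.encode()).digest()
                 + bytes([flags | FLAG_AT])
                 + struct.pack(">I", 0)             # sign count
                 + bytes(16)                         # AAGUID
                 + struct.pack(">H", len(cred_id)) + cred_id)
    return client_data, auth_data

def demo() -> dict:
    """Accept a synced, user-verified passkey, then show the same response being
    refused under a device-bound-only policy."""
    challenge = secrets.token_bytes(32)
    cdj, ad = make_sample_response(challenge, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    result = verify_registration(cdj, ad, challenge)
    try:
        verify_registration(cdj, ad, challenge, allow_synced=False)
        result["rejected_when_synced_disallowed"] = False
    except ValueError:
        result["rejected_when_synced_disallowed"] = True
    return result
```

Calling demo() accepts the synced credential and records that the same response is refused once allow_synced is False, which is the server-side counterpart of the device restriction discussed in the next step: a relying party that must keep some accounts on device-bound credentials can enforce that itself rather than trust the client.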
2. Configure MDM Declarative Restrictions (mobileconfig Example)
To restrict passkey creation and enforce strong authentication on managed devices, use the new declarative payloads, setting AllowPasskeyCreation to false and RequireDeviceAttestation to true:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PayloadType</key>
    <string>com.apple.declarative.device.management</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadIdentifier</key>
    <string>com.enterprise.passkeyrestrictions</string>
    <key>Restrictions</key>
    <dict>
        <key>AllowPasskeyCreation</key>
        <false/>
        <key>RequireDeviceAttestation</key>
        <true/>
    </dict>
</dict>
</plist>
```
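A profile can carry the right keys and still enforce nothing: a wrong payload type, a restriction left unset, or a boolean stored as a string. As an added example, not from the article or from Apple, the following Python linter parses a profile with plistlib and reports every deviation from the intended restriction policy. The payload and restriction key names are taken as the article gives them; the two sample profiles, one compliant and one that only looks compliant, are constructed here.

```python
# Added example (not from the article or Apple): lint a declarative restriction profile
# before pushing it. Key names follow the article's mobileconfig example; the sample
# profiles are constructed for this demo.
import plistlib

EXPECTED_PAYLOAD_TYPE = "com.apple.declarative.device.management"
# The policy the profile must enforce: block passkey creation, require attestation.
REQUIRED_RESTRICTIONS = {"AllowPasskeyCreation": False, "RequireDeviceAttestation": True}

def audit_profile(profile_xml: bytes) -> list:
    """Return a list of findings; an empty list means the profile enforces the policy."""
    try:
        profile = plistlib.loads(profile_xml)
    except Exception as exc:  # InvalidFileException or an XML parse error
        return [f"unparseable profile: {exc!r}"]
    findings = []
    if profile.get("PayloadType") != EXPECTED_PAYLOAD_TYPE:
        findings.append(f"PayloadType {profile.get('PayloadType')!r} != {EXPECTED_PAYLOAD_TYPE!r}")
    if profile.get("PayloadVersion") != 1:
        findings.append("PayloadVersion must be the integer 1")
    if not profile.get("PayloadIdentifier"):
        findings.append("PayloadIdentifier missing")
    restrictions = profile.get("Restrictions")
    if not isinstance(restrictions, dict):
        return findings + ["Restrictions dictionary missing"]
    for key, required in REQUIRED_RESTRICTIONS.items():
        if key not in restrictions:
            # An absent key is not a denial: the device keeps its default behaviour.
            findings.append(f"{key} unset: device keeps its default behaviour")
        elif not isinstance(restrictions[key], bool):
            findings.append(f"{key} is {restrictions[key]!r}, not a boolean")
        elif restrictions[key] != required:
            findings.append(f"{key} is {restrictions[key]!r}, policy requires {required!r}")
    return findings

def _profile(restrictions_xml: str) -> bytes:
    """Build a constructed sample profile around the given Restrictions body."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>{EXPECTED_PAYLOAD_TYPE}</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.enterprise.passkeyrestrictions</string>
  <key>Restrictions</key>
  <dict>{restrictions_xml}</dict>
</dict>
</plist>""".encode()

# Constructed sample that enforces the policy.
COMPLIANT_PROFILE = _profile(
    "<key>AllowPasskeyCreation</key><false/><key>RequireDeviceAttestation</key><true/>")
# Constructed sample that looks similar but leaves passkey creation on and stores the
# attestation flag as a string, which a device will not treat as a boolean true.
WEAK_PROFILE = _profile(
    "<key>AllowPasskeyCreation</key><true/><key>RequireDeviceAttestation</key><string>true</string>")
```

audit_profile(COMPLIANT_PROFILE) returns no findings, while audit_profile(WEAK_PROFILE) reports both the permissive boolean and the mistyped value; running the check in the pipeline that publishes profiles catches these before a fleet is left with its defaults.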
3. Enable Managed Apple ID Federation and SCIM in ABM
- Sign in to Apple Business Manager.
- Navigate to Settings > Accounts > Federation.
- Link your Entra ID, Okta, or Google Workspace and enable SCIM.
- Verify user provisioning with Settings > Accounts > SCIM Logs.
4. Audit Device Attestation (Shell Example)
To verify Secure Enclave attestation on a managed device:
```bash
/usr/bin/security show-keychain-info
# or, for device compliance:
/usr/bin/profiles status -type declarative
```
What to Check
- App: Passkey registration and authentication work via Managed Apple ID; check ASAuthorizationPlatformPublicKeyCredentialProvider.isPasskeySyncSupported.
- Device: Declarative restriction payload is enforced; users cannot create passkeys unless permitted.
- ABM: Federated users are provisioned via SCIM; no orphaned or unsynced accounts.
- Security: Device attestation passes and shows Secure Enclave compliance.
Bottom Line
- IT Admins: Update MDM profiles to leverage declarative restrictions and enforce attestation.
- Developers: Update app authentication flows for new passkey/Managed Apple ID support and test with iOS 18 beta.
- Security Teams: Audit SCIM provisioning and device attestation for compliance.
- All: Prepare for universal passkey sync and enterprise SSO extension APIs before iOS 18 GA.