Workspace ONE UEM 2604: Apple management gets a major upgrade

The investment that Omnissa has made in enhancing Apple management is bearing fruit in every release now, but the latest release of Workspace ONE UEM (v2604) greatly accelerates declarative device management (DDM) adoption, streamlines app lifecycle management across macOS and iOS, adds enrollment improvements that mixed-device fleet admins have been asking for, and keeps pace with Apple OS releases. Let's get into what's new.

Declarative device management: Accelerating the modern approach

Apple's DDM framework represents a fundamental rethink of how management works. Devices evaluate their own state, apply settings, and report back to UEM proactively, without recurring polling. We're accelerating this approach with two significant additions in 2604.

DDM macOS assets: User identity

As organizations scale their macOS environments, maintaining consistent user context across declarative configurations becomes increasingly complex. Admins often find themselves duplicating identity information across policies, which creates maintenance overhead and introduces the risk of inconsistency as users or configurations change.

The DDM user identity asset solves this by allowing IT teams to define a single, reusable user identity asset containing user context like full name and email address, and reference it across multiple declarative configurations on macOS 13+ devices. This is exactly how DDM is supposed to work: define once, reference everywhere, and let the device handle the rest. The result is reduced configuration overhead, lower server load, and a cleaner policy architecture that is easier to maintain as your environment grows.

 DDM status item subscription: apps (iOS)

IT administrators have long struggled with incomplete or delayed app status information on iOS. Inventory data sourced solely from traditional MDM check-ins can lag behind reality, leaving admins troubleshooting blind and compliance reports reflecting an outdated picture of the fleet.

By subscribing to the DDM status channel for apps, Workspace ONE UEM automatically subscribes iOS DDM-enrolled devices to app status reporting with no admin setup required. Workspace ONE UEM merges Apple's DDM as the authoritative source for app inventory and installation status with existing MDM records, providing the most complete picture available. This information surfaces through UEM console views, APIs, and event logs, giving administrators accurate, event-driven app status data that makes troubleshooting faster and compliance reporting more reliable.

App management: Less friction, more control

Enterprise App Repository for macOS

Packaging and deploying third-party macOS applications has traditionally been a time-consuming, repetitive process. Keeping up with vendor updates compounds the problem, as each new version requires fresh packaging and redeployment work that pulls admin time away from higher-value tasks. 

The Enterprise App Repository (EAR) was previously only supported for Windows. Now, EAR for macOS gives admins access to a curated catalog of roughly 50 popular third-party macOS applications, including Visual Studio Code, Microsoft Outlook, Microsoft Teams, and more, with simplified deployment workflows and easy updates built in. Select the app, configure it, and deploy it. When the vendor releases a new version, EAR handles the packaging and update, so your team doesn’t have to. EAR for macOS is generally available in 2604. For more on this feature, see the following blog post for more details.

App preservation during UEM migration

Migrations between MDMs have a well-earned reputation for being painful. During migration, every managed app is wiped from the incumbent MDM and reinstalled on the new MDM, leaving users without critical tools at exactly the moment they need them most and generating a surge of support tickets for the IT team.

App preservation during UEM Migration addresses this directly for iOS and iPadOS 26+ devices using automated device enrollment (ADE). When migrating between MDMs, managed apps and their data can remain on the iOS or iPadOS devices, reducing bulk reinstalls, minimizing end-user downtime, and cutting the number of migration-related support tickets that inevitably follow a cutover. It’s worth noting that this feature also works great for customers looking to migrate from an on-premise deployment to a SaaS deployment of Workspace ONE UEM.

Admin UX enhancements for macOS software distribution

Administrators managing macOS applications in Workspace ONE UEM have previously had limited control over how app names are presented, and restrictive workflow fields have prevented deployment to macOS virtual machines. Two targeted updates in 2604 address both gaps.

Admins can now set a custom display name for macOS applications. Admins see the custom app name in the console and users see it in Workspace ONE Intelligent Hub, independent of the internal app name. Additionally, the supported models and minimum OS version fields have been removed from the macOS app workflow, simplifying app deployment to macOS virtual machines. A banner in the console will flag the change when you revisit existing apps in the Workspace ONE UEM console to ensure a seamless experience and keep you informed of any changes.

Even more improvements for managing your Apple fleet

Platform SSO during Setup Assistant

Getting a Mac enrolled and ready for a new user has historically required multiple manual steps at the login screen, adding friction to the out-of-box experience and slowing down Day 1 productivity.

Platform SSO during Setup Assistant brings single sign-on registration into the out-of-box experience itself. Within ADE enrollment, users are guided through Platform SSO registration as part of Setup Assistant. The local macOS account is created automatically, secured with the configured authentication method (password or Secure Enclave), and optionally the user photo syncs as well. One login, and the device is ready. IdP support is required, but for organizations that have invested in modern identity infrastructure, this is a meaningful improvement to the Day 1 user experience.

Separate default DEP profile per platform

Managing a mixed-device fleet with a single default ADE profile for all platforms has long been a source of manual cleanup work. Previously, one default ADE profile applied across all OS platforms on a given token, meaning iOS, macOS, tvOS, and visionOS devices all received the same default enrollment experience regardless of whether that configuration was appropriate for each platform.

In 2604, each platform gets its own default, selected independently from the ADE profiles available on the token. When Apple syncs a device, Workspace ONE UEM matches it to the correct platform default automatically. This results in less manual cleanup post-sync, correct enrollment configurations from the start, and a single DEP token capable of handling a diverse fleet. On upgrade, the prior single default is seeded across all four previously mentioned platforms so existing enrollments remain stable until you are ready to refine them.

Model as a Smart Group criterion for Apple iOS

Creating Smart Groups that target specific Apple hardware generations has required using technical model identifiers that are not always intuitive or easy to maintain, increasing the risk of configuration errors and making hardware lifecycle planning more cumbersome than it needs to be.

A new Model criterion for Apple iOS and iPadOS in Smart Groups under OEM and Model allows admins to target devices using human-readable hardware names, like "iPhone 15 Pro" or "iPad Air 5th Gen," rather than opaque technical identifiers. The model catalog is the same one backing Enrollment Restrictions, so coverage is consistent and automatically updated as Apple releases new hardware. This capability is particularly useful for hardware lifecycle and refresh planning by grouping older or specific device families, and it is supported via Smart Groups V1 and V2 APIs for teams integrating through automation.

Support for Apple OS 26.4

2604 ships with full support for MDM payload and DDM configuration changes introduced in Apple OS 26.4, including updated keys for Restrictions, Parental Controls, and File Provider, plus five new declarative configurations: External Intelligence, Migration Assistant, Intelligence, Keyboard, and Siri.

Dynamic OS Seeding is also now generally available. Workspace ONE UEM automatically pulls new Apple OS versions from Apple's GDMF feed and populates them across the platform, so Smart Groups and OS-version-based assignments stay current without anyone needing to run a seed script.

Ready to explore 2604?

Workspace ONE UEM 2604 is a strong release for Apple management, with meaningful DDM progress, a genuinely useful Enterprise App Repository for macOS, smarter enrollment across device types, and the reliability you expect on day one of a new OS release.

For the full picture, check out the complete 2604 release notes. And as always, if you have questions, your Omnissa team is ready.