What is Apple Declarative Device Management?

SimpleMDM | June 9, 2021

Essentially all Apple MDM services are built with Apple’s MDM protocol as the primary underlying mechanism. This protocol is what gives life to Apple device management. While many features have been added to the Apple MDM protocol over the years, the structure of the protocol itself has remained largely unchanged. At WWDC 2021, Apple announced a new version of this protocol that introduces new concepts and mechanisms that expand upon what is already provided.

The current version of the MDM protocol is described by Apple as “reactive”. When an MDM server sends a command to a device, applying a single change involves multiple exchanges between the device and the server. For MDM to detect a change that has occurred on the device itself, such as an OS update, it must poll the device for the information; the device doesn’t notify MDM.

The new version, which Apple is calling “declarative management”, is designed to be more lightweight for the server and allows devices to be more autonomous and proactive. In other words, devices can respond to changes in state and apply additional logic based on those changes without prompting from the MDM server. Additionally, devices can now notify the MDM server when certain changes occur.

Declarative device management functionality will initially be available for user-enrolled iOS devices only.

Apple describes the declarative management protocol as having three “pillars”: Declarations, Status Channel, and Extensibility.

Declarations

Declarations are used to convey a policy – they can be used for configuring things like accounts, settings, and restrictions. These can be applied deployment-wide, or can be specific to individual users or devices.

There are four types of declarations:

  • Configurations: These are similar to the existing configuration profiles. One of the main differences between declarations and configuration profiles is that declarations are sent to devices in the form of a JSON object rather than a plist file.

  • Assets: These reference data that is needed by configurations. They can reference data from the MDM server, or from a separate CDN. This data can also be specific to a user. As an example, an asset can reference data from an identity provider to populate information such as username, email address, passwords, certificates, etc. This could be used by multiple configurations to reference user-specific data. The benefit is that instead of having to update multiple configurations to reflect changes in this data, only the asset would need to be changed and all configurations referencing it would receive the change.

  • Activations: These represent sets of configurations that will be applied to devices, somewhat similar to a “blueprint”. Activations have a many-to-many relationship with configurations. This means that complex logic can be applied to determine when the configurations will be installed. For example, this allows admins to specify a set of policies that will only be applied to a set of devices when they are running a certain OS version. These will be re-evaluated when device states change, allowing for different policies to be applied without interaction from MDM.

  • Management: This type of declaration is used to convey information about the overall state of management for the device, such as organization information.
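The relationships between the four declaration types can be made concrete with a small model. This is an added example, not SimpleMDM's or Apple's code: the JSON keys ("id", "type", "configurations", "assets", "min_os") are a simplified, constructed schema rather than Apple's wire format, and withholding a configuration whose asset is missing is a modeling choice. It resolves which configurations a device would activate for a given OS version and flags dangling references, which are worth auditing because a policy that points at a missing declaration is one that never gets applied.

```python
import json

# Constructed declaration set in a simplified, hypothetical schema
# ("id", "type", "configurations", "assets", "min_os" are assumptions).
DECLARATIONS = json.loads("""[
 {"id": "asset.user", "type": "asset", "data": {"email": "user@example.com"}},
 {"id": "cfg.mail", "type": "configuration", "assets": ["asset.user"]},
 {"id": "cfg.calendar", "type": "configuration", "assets": ["asset.user"]},
 {"id": "cfg.passcode", "type": "configuration", "assets": []},
 {"id": "cfg.vpn", "type": "configuration", "assets": ["asset.cert"]},
 {"id": "act.base", "type": "activation", "configurations": ["cfg.passcode", "cfg.mail"]},
 {"id": "act.ios15", "type": "activation", "min_os": "15.0",
  "configurations": ["cfg.mail", "cfg.calendar", "cfg.vpn"]},
 {"id": "mgmt.org", "type": "management", "data": {"name": "Example Org"}}
]""")

def version(s):
    return tuple(int(p) for p in s.split("."))

def dangling_references(declarations):
    """Return (referrer, missing id) pairs: references to absent declarations."""
    by_id = {d["id"]: d for d in declarations}
    missing = []
    for d in declarations:
        wanted = "configuration" if d["type"] == "activation" else "asset"
        for ref in d.get("configurations", []) + d.get("assets", []):
            if by_id.get(ref, {}).get("type") != wanted:
                missing.append((d["id"], ref))
    return missing

def active_configurations(declarations, os_version):
    """Evaluate activations against device state, with no server round trip."""
    by_id = {d["id"]: d for d in declarations}
    broken = {referrer for referrer, _ in dangling_references(declarations)}
    active = set()
    for d in declarations:
        if d["type"] != "activation":
            continue
        if version(os_version) < version(d.get("min_os", "0")):
            continue  # condition not met; re-evaluated when state changes
        active.update(c for c in d["configurations"] if c in by_id and c not in broken)
    return sorted(active)

def configurations_using(declarations, asset_id):
    """Configurations that pick up a change when this one asset is updated."""
    return sorted(d["id"] for d in declarations
                  if d["type"] == "configuration" and asset_id in d["assets"])
```

Calling `active_configurations` again with a newer OS version mirrors the device re-evaluating its activations after an upgrade.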

Status Channel

The Status Channel allows an MDM server to subscribe to certain changes in device state, which can allow for additional changes to be applied. For example, this allows an MDM server to receive notifications from devices when a device upgrades the OS version, which can then allow for additional policies to be modified.

Extensibility

Extensibility allows both the MDM server and devices to report to each other when certain capabilities become supported. For example, if a device OS is updated and a feature supported by the MDM is now available, the device will report that and take on the change from MDM. Similarly, if the MDM service is updated to support a new feature that is compatible with the device, it will notify the device, which will then receive the change. This helps ensure that devices receive prescribed updates when they meet the requirements designated by the MDM.

Declarative Management is designed to co-exist seamlessly with the existing MDM protocol, meaning that MDMs can take on a gradual adoption of the new functionalities without any interruption in the existing functionalities.
