Apple’s Declarative Device Management enhances device autonomy by introducing a paradigm shift. It specifies the desired state for devices, enabling them to apply logic asynchronously without requiring continuous prompts from the MDM server.
WWDC 2024 highlighted DDM through new features like managing Safari extensions and expanding on capabilities for managing service configurations.
So what's all the fuss about DDM? Let's get into it!
The history of Apple’s MDM protocol
Apple’s MDM services are fundamentally based on its MDM protocol, which is the core mechanism for managing Apple devices. Although Apple has introduced many enhancements to its MDM protocol over the years, the underlying structure has remained largely unchanged.
At WWDC 2021, Apple introduced a groundbreaking new paradigm with concepts and mechanisms that expanded upon the existing protocol: Declarative Device Management (DDM).
Initially, Declarative Device Management (DDM) was available only for user-enrolled iOS devices. However, Apple has progressively expanded Declarative Device Managements capabilities, now supporting all enrollment types across all Apple devices, including the Apple Watch and Apple TV.
Starting with iOS 16, iPad OS 16, macOS Ventura, tvOS 16, and watchOS 10, all current operating systems are expected to continue to support Declarative Device Management for all enrollment types supported by MDM, including User Enrollment and Automated Device Enrollment (formerly Apple Device Enrollment Program or Apple DEP).
Declarative Device Management (DDM) is also available for Shared iPad, and Apple provides a migration path for legacy profiles.
Reactive vs. proactive MDM protocol
To understand Declarative Device Management, try to think of the MDM Protocol as reactive (old) vs. proactive (DDM).
The earlier version of the MDM protocol followed a reactive approach. When an MDM server sent a command to a managed device, multiple exchanges were required to implement a single change. For instance, to detect changes like an OS update, the MDM had to regularly poll the device for information, rather than the device automatically notifying the MDM server,
Declarative management is a modern, proactive approach designed to be more lightweight for the server and provide greater autonomy for devices. This means that devices can respond to state changes and apply additional logic independently, without needing prompts from the MDM server. Additionally, devices can now notify the MDM server when certain changes occur.
DDM Analogy:
Think of the MDM protocol changes as traditional gardening vs. modern gardening. 🌱
Traditional MDM (reactive): Like a gardener who must constantly check and react to the needs of each plant, traditional MDM requires the server to regularly poll devices, check their status, and send commands based on those checks.
DDM (proactive): Like a state-of-the-art smart garden system that monitors, waters, and fertilizes automatically, DDM enables devices to autonomously manage their configurations and report significant changes back to the MDM server. This reduces the need for constant polling and allows devices to handle many tasks independently.
The three pillars of declarative device management
Apple describes the declarative management protocol as having three pillars: declarations, status channel, and extensibility.
Declarations
Declarations convey a policy. They can be used for configuring things like accounts, settings, and restrictions, and they can be applied deployment-wide or specific to individual users or devices.
There are four types of declarations:
Configurations
Configurations are similar to the existing configuration profiles. One of the main differences between declarations and configuration profiles is that declarations are sent to devices in the form of a JSON object rather than a .PLIST file.
Assets
Assets reference data needed by configurations. They can reference data from the MDM server or a separate CDN. This data can also be specific to an end user.
As an example, an asset can reference data from an identity provider to populate information, such as username, email address, passwords, certificates, etc. This could be used by multiple configurations to reference user-specific data. The benefit is that instead of having to update multiple configurations to reflect changes in this data, only the asset would need to be changed — all configurations referencing the asset would receive the change.
Activations
Activations represent sets of configurations that are applied to devices, somewhat similar to a blueprint. Activations have a many-to-many relationship with configurations, which means that complex logic can be applied to determine when the configurations are installed.
For example, admins can specify a set of policies that are only applied to a set of devices when they run a certain OS version. These are re-evaluated when device states change, allowing for different policies to be applied without interaction from MDM.
Management
A management declaration conveys information about the overall state of management for the device, such as organization information.
Status channel
The status channel allows an MDM server to subscribe to certain changes in device state, which can allow for additional changes to be applied. For example, an MDM server can receive notifications when a device upgrades the OS version, which can then allow for additional policy modification.
Extensibility
Extensibility allows both MDM and devices to report to each other when certain capabilities become supported.
For example, if a device OS updates and a feature supported by the MDM becomes available, the device reports that and takes on the change from the MDM. Similarly, if the MDM service updates to support a new feature that is compatible with the device, the MDM notifies the device, which receives the change. This helps ensure that devices receive prescribed updates when they meet the requirements designated by the MDM.
Benefits of declarative device management
Over the years, Apple’s added enhancements to declarative device management have increased the potential benefits for MacAdmins. Now, the components of declarative device management can greatly enhance the experience for both users and administrators. Here are a few potential advantages:
Enhanced user experience
Increased reliability
Closer device monitoring through asynchronous updates
Reduced network bandwidth usage
Lower complexity than polling
Faster onboarding
Improved managed software updates
Declarative management is designed to coexist seamlessly with the existing MDM protocol, meaning that MDMs can take on a gradual adoption of the new functionalities without any interruption in the existing functionalities. The right MDM solution further streamlines device management to save you time and energy. Sign up for a free 30-day trial of SimpleMDM to see how easy managing Apple devices can be.
