Apple declarative device management is a newer paradigm that makes devices more autonomous. The mobile device management (MDM) server specifies a desired state, and the device applies it and reacts to later changes on its own, asynchronously, without waiting for the MDM server to issue commands. This proactive approach is the future of MDM, having been a featured topic at Worldwide Developers Conference (WWDC) 2021, WWDC 2022, and WWDC 2023. We’ll break down what you should know about Apple declarative device management.
The history of Apple’s MDM protocol
Essentially, all Apple MDM services are built on Apple’s MDM protocol as the primary underlying mechanism. This protocol is what makes Apple device management possible. While Apple has added many features to its MDM protocol over the years, the structure of the protocol itself remained largely unchanged.
However, at WWDC 2021, Apple announced a new paradigm with concepts and mechanisms that expanded upon the existing protocol. Declarative device management (DDM) was born.
Declarative device management functionality was initially available only for iOS 15 devices using User Enrollment, but Apple has continued to expand DDM’s capabilities, making DDM available for all enrollment types supported by MDM across all Apple device families, including Apple Watch and Apple TV.
Starting with iOS 16, iPadOS 16, macOS Ventura, and tvOS 16 (and, for Apple Watch, watchOS 10), DDM supports all enrollment types supported by MDM, including User Enrollment and Automated Device Enrollment (formerly the Apple Device Enrollment Program, or Apple DEP), and all current operating systems are expected to continue to support it.
DDM is also available for Shared iPad, and Apple provides a migration path for legacy profiles.
Reactive vs. proactive MDM protocol
The traditional MDM protocol takes a reactive approach. When the MDM server sends a command to a managed device, multiple exchanges between the device and the server take place to apply a single change. For the MDM server to detect a change that occurred on the device itself, such as an OS update, the server has to poll the device for the information rather than the device notifying the server on its own.
Declarative management is the proactive alternative, designed to be more lightweight for the server and to give devices more autonomy. In other words, devices can respond to changes in their own state and apply additional logic based on those changes without prompting from the MDM server. Additionally, a device can now notify the MDM server when certain changes occur, rather than waiting to be polled.
The three pillars of declarative device management
Apple describes the declarative management protocol as having three pillars: declarations, status channel, and extensibility.
Declarations convey a policy. They can be used for configuring things like accounts, settings, and restrictions, and they can be applied deployment-wide or specific to individual users or devices.
There are four types of declarations:
Configurations are similar to the existing configuration profiles. One of the main differences is that declarations are sent to devices as JSON objects rather than as property list (.plist) files.
Assets reference data needed by configurations. They can reference data from the MDM server or a separate CDN. This data can also be specific to an end user.
As an example, an asset can reference data from an identity provider to populate information such as the user’s name, email address, credentials, and certificates. Multiple configurations can then reference that one asset for user-specific data. The benefit is that instead of updating several configurations to reflect a change in this data, only the asset needs to change; every configuration that references the asset picks up the new value.
Activations represent sets of configurations that are applied to devices, somewhat like a blueprint. Activations have a many-to-many relationship with configurations: one activation can reference several configurations, and one configuration can be referenced by several activations. An activation can also carry a predicate, so the device itself decides when the referenced configurations are installed.
For example, admins can specify a set of policies that are applied only to devices running a certain OS version. The predicate is re-evaluated on the device whenever the relevant device state changes, so different policies can take effect without any interaction with the MDM server.
A management declaration conveys information about the overall state of management for the device, such as organization information.
The status channel allows an MDM server to subscribe to certain changes in device state, which can allow for additional changes to be applied. For example, an MDM server can receive notifications when a device upgrades the OS version, which can then allow for additional policy modification.
Extensibility allows both MDM and devices to report to each other when certain capabilities become supported.
For example, the device reports which declaration types and protocol features it supports, and the MDM server advertises its own capabilities in a management declaration. When a device OS update adds support for a feature the MDM already offers, the device reports the new capability and receives the corresponding declarations; when the MDM service is updated to support a feature compatible with the device, the server sends it and the device applies it. This helps ensure that devices receive the prescribed configuration as soon as they meet the requirements the MDM designates.
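To make the declarations, assets, activations, and token-based sync described above concrete, here is an added example (not SimpleMDM’s or Apple’s code, and not part of the original post). It builds a toy server-side declaration store, produces the identifier-and-token listing a device syncs against, and performs the on-device predicate evaluation that decides which configurations an activation applies. The JSON shapes (Type/Identifier/ServerToken/Payload, the Activations/Configurations/Assets/Management grouping, and the @status(...) predicate syntax) follow Apple’s published declaration format; the identifiers, the sample user data, the hashing scheme for ServerToken, and the simplified predicate evaluator (a stand-in for the NSPredicate evaluation the device actually performs) are assumptions made for this example.

```python
"""Added example: toy DDM declaration store plus on-device activation evaluation.
Not SimpleMDM's or Apple's code. ServerToken derivation and the predicate
evaluator are simplifications chosen here; identifiers and data are made up."""
import hashlib
import json
import re


def server_token(payload):
    # Assumption: ServerToken is an opaque version string chosen by the server.
    # Deriving it from canonical JSON means any payload change yields a new token.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:32]


def make_declaration(decl_type, identifier, payload):
    return {"Type": decl_type, "Identifier": identifier,
            "ServerToken": server_token(payload), "Payload": payload}


# Constructed sample declarations (identifiers and user data are made up).
USER_ASSET = make_declaration("com.apple.asset.useridentity", "asset.user",
                              {"FullName": "Ada Lovelace", "EmailAddress": "ada@example.com"})
PASSCODE = make_declaration("com.apple.configuration.passcode.settings", "cfg.passcode",
                            {"RequirePasscode": True, "MinimumLength": 8})
# Status channel: ask the device to report OS version changes to the server.
STATUS_SUBS = make_declaration("com.apple.configuration.management.status-subscriptions",
                               "cfg.status", {"StatusItems": [{"Name": "device.operating-system.version"}]})
ACTIVATION = make_declaration("com.apple.activation.simple", "act.passcode",
                              {"StandardConfigurations": ["cfg.passcode"],
                               # Apply only once the device reports OS 17.0 or newer.
                               "Predicate": "(@status(device.operating-system.version) >= '17.0')"})

_GROUP = {"activation": "Activations", "configuration": "Configurations",
          "asset": "Assets", "management": "Management"}


def declaration_items(declarations):
    """Build the 'declaration-items' listing: identifiers and tokens only, no payloads."""
    groups = {name: [] for name in _GROUP.values()}
    for d in declarations:
        kind = d["Type"].split(".")[2]  # com.apple.<kind>.<rest>
        groups[_GROUP[kind]].append({"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]})
    return {"Declarations": groups, "DeclarationsToken": server_token(groups)}


def changed_identifiers(old_items, new_items):
    """What a device re-fetches after a sync: only declarations whose ServerToken changed."""
    def flat(items):
        return {e["Identifier"]: e["ServerToken"] for g in items["Declarations"].values() for e in g}
    old, new = flat(old_items), flat(new_items)
    return sorted(i for i, tok in new.items() if old.get(i) != tok)


_PRED = re.compile(r"^\(?\s*@status\(([\w.\-]+)\)\s*(==|!=|>=|<=|>|<)\s*'([^']*)'\s*\)?$")


def _coerce(value):
    # Dotted numeric strings (OS versions) compare as integer tuples, not as text,
    # so '16.4.1' < '17.0' even though it sorts after it as a string.
    text = str(value)
    if re.fullmatch(r"\d+(\.\d+)*", text):
        return tuple(int(p) for p in text.split("."))
    return text


def evaluate_predicate(predicate, status):
    """Simplified stand-in for the device's NSPredicate evaluation: supports one
    '@status(item) <op> literal' comparison, not the full predicate language."""
    m = _PRED.match(predicate.strip())
    if not m:
        raise ValueError(f"unsupported predicate: {predicate}")
    item, op, literal = m.groups()
    if item not in status:  # unknown status item: the activation stays inactive
        return False
    lhs, rhs = _coerce(status[item]), _coerce(literal)
    if type(lhs) is not type(rhs):  # version tuple vs plain string never compare equal
        return op == "!="
    return {"==": lhs == rhs, "!=": lhs != rhs, ">=": lhs >= rhs,
            "<=": lhs <= rhs, ">": lhs > rhs, "<": lhs < rhs}[op]


def active_configurations(activations, status):
    """Re-evaluated on the device whenever status changes, with no MDM round trip."""
    active = []
    for a in activations:
        pred = a["Payload"].get("Predicate")
        if pred is None or evaluate_predicate(pred, status):
            active.extend(a["Payload"]["StandardConfigurations"])
    return active


if __name__ == "__main__":
    # Constructed status snapshots: the same device before and after an OS update.
    print(active_configurations([ACTIVATION], {"device.operating-system.version": "16.4.1"}))
    print(active_configurations([ACTIVATION], {"device.operating-system.version": "17.0.3"}))
    # Changing the asset changes only its token (and the overall DeclarationsToken).
    before = declaration_items([USER_ASSET, PASSCODE, STATUS_SUBS, ACTIVATION])
    new_asset = make_declaration(USER_ASSET["Type"], USER_ASSET["Identifier"],
                                 {**USER_ASSET["Payload"], "EmailAddress": "ada.l@example.com"})
    after = declaration_items([new_asset, PASSCODE, STATUS_SUBS, ACTIVATION])
    print(changed_identifiers(before, after))
```

Two things to notice when running it: the passcode configuration becomes active purely from a change in the device’s own status snapshot, which is the on-device re-evaluation the activation model relies on, and editing the user asset leaves the passcode configuration and the activation untouched in the token listing, so the device only re-fetches the one asset.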
Benefits of declarative device management
Over the years, Apple’s enhancements to declarative device management have increased its potential benefits for Mac admins. Today, the components of declarative device management can greatly improve the experience for both users and administrators. Here are a few potential advantages:
Enhanced user experience
Closer device monitoring through asynchronous updates
Reduced network bandwidth usage
Lower complexity than polling
Improved managed software updates
Declarative management is designed to coexist with the existing MDM protocol, so an MDM vendor can adopt the new functionality gradually without interrupting what already works. The right MDM solution further streamlines device management to save you time and energy. Sign up for a free 30-day trial of SimpleMDM to see how easy managing Apple devices can be.