Last updated June 8, 2021
Essentially all Apple MDM services are built with Apple’s MDM protocol as the primary underlying mechanism. This protocol is what gives life to Apple device management. While many features have been added to the Apple MDM protocol over the years, the structure of the protocol itself has remained largely unchanged. At WWDC 2021, Apple announced a new version of this protocol that introduces new concepts and mechanisms that expand upon what is already provided.
The current version of the MDM protocol is described by Apple as “reactive”. When an MDM sends a command to a device, it involves multiple exchanges between the device and the MDM server in order to apply a single change. In order for MDM to detect a change that has occurred on the device itself, such as an OS update, MDM must poll the device for the information – the device doesn’t notify MDM.
The new version, which Apple is calling “declarative management”, is designed to be more lightweight for the server and allows devices to be more autonomous and proactive. In other words, devices can respond to changes in state and apply additional logic based on those changes without prompting from the MDM server. Additionally, devices can now notify the MDM server when certain changes occur.
Declarative device management functionality will initially be available for user-enrolled iOS devices only.
Apple describes the declarative management protocol as having three “pillars”: Declarations, Status Channel, and Extensibility.
Declarations are used to convey a policy – they can be used for configuring things like accounts, settings, and restrictions. These can be applied deployment-wide, or can be specific to individual users or devices.
There are four types of declarations:
The Status Channel allows an MDM server to subscribe to certain changes in device state, which can allow for additional changes to be applied. For example, this allows an MDM server to receive notifications from devices when a device upgrades the OS version, which can then allow for additional policies to be modified.
This allows both MDM and devices to report to each other when certain capabilities become supported. For example, if a device OS is updated and a feature supported by the MDM is now available, it will report that and take on the change from MDM. Similarly, if the MDM service is updated to support a new feature that is compatible with the device, it will notify the device and it will receive the change. This helps with ensuring that devices will receive prescribed updates when they meet the requirements designated by the MDM.
Declarative Management is designed to co-exist seamlessly with the existing MDM protocol, meaning that MDMs can take on a gradual adoption of the new functionalities without any interruption in the existing functionalities.
Have questions about Declarative Management? Feel free to leave a comment below.