Declarative Device Management: A New Way of Managing Apple Devices

In this article, we will learn about Declarative Device Management (DDM), a new way of managing Apple devices, and look at how Intune exposes it. We hope this helps you learn something new that you can put to use at your workplace.

Apple has always provided tools for enterprises and education organizations to meet their device management requirements. The backbone of that management is the MDM protocol, which is heavily used and embedded directly into macOS, iOS, and tvOS. The legacy MDM protocol is best described as imperative and reactive: the server issues commands, and the device only acts when it is told to.

With DDM the device becomes autonomous: it applies management controls by evaluating its own state, without first contacting the MDM server. The device applies settings asynchronously and reports status back to the MDM solution without constant polling, which is better for both performance and scalability.

DDM is not a brand-new protocol but a new paradigm layered on the existing one, and Apple has made significant improvements to it since its first announcement. Declarative device management gives organizations more confidence that devices are in the desired state and that essential data is kept secure, even when the device has no internet connectivity.


What is Declarative Device Management

As discussed above, Declarative Device Management is an update to the existing device management protocol and can be used alongside the existing MDM protocol capabilities. It allows the device to apply settings asynchronously and report status to the MDM solution without constant polling.

DDM gives organizations more confidence that their devices are in the required state and that data stays protected even without internet connectivity. Status reporting lets the device share information about its current state with the server.

Any changes can be reported to the server proactively, without the server polling the device or waiting for the next sync cycle. In the legacy protocol, by contrast, even a simple management command takes multiple round trips between device and server, which is slow.

So Apple re-envisioned the MDM protocol as Declarative Device Management (DDM), which was introduced at the Worldwide Developers Conference (WWDC) 2021. The protocol makes devices autonomous and proactive, which in turn lets MDM servers be lightweight and reactive.

Declarative Device Management: A New Way of Managing Apple Devices Fig: 1 (image source WWDC 21)

For example, in the legacy MDM protocol the server has no way of knowing that something changed on the device, such as an OS update, until it polls the device for that information.

With DDM, the device reacts to changes in its own state and applies additional logic based on those changes without being prompted by the MDM server. According to Apple, the Declarative Device Management protocol rests on three pillars:

  • Declaration
  • Status Channel
  • Extensibility

Declaration

Declarations define the policies an organization wants to enforce. They can configure things like accounts, settings, and restrictions, and can be scoped to all users or to individual users or devices. There are four types of declarations:

  • Configurations
  • Assets
  • Activations
  • Management

Configurations: Configurations represent the policies to be applied to devices, such as accounts, settings, and device restrictions. They are the closest equivalent to configuration profiles, with one notable difference: declarations are sent in JSON format, whereas configuration profiles are sent as property lists (plist format).

Assets: Assets reference data that configurations need. That data can be a small or large file hosted on the MDM server or on a separate content delivery network (CDN), or it can be user-specific data such as the user's full name, account name, email address, or password for account configurations.

Multiple configurations can reference the same asset for user-specific data, so when that data changes you update the single asset instead of every configuration that uses it. An asset therefore has a one-to-many relationship with configurations.

Activations: Activations group a set of configurations that are applied to devices together. Activations have a many-to-many relationship with configurations, which means complex logic can be applied to determine when a given configuration is installed.

For example, an admin can define an activation whose configurations apply only to devices of specific models, expressed as a predicate on device state. Predicates are re-evaluated whenever the device state changes, so different policies can take effect without any interaction from the MDM server.

Management: Management declarations represent the overall management state of a device, organizational information, and the capabilities of the MDM server. They are used to convey this relatively static information to devices.
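To make the four declaration types and their relationships concrete, here is a small Python model of a declaration set and of how a device consumes it. This is an added example, not Apple's or any MDM vendor's code: the declaration shape (Type, Identifier, ServerToken, Payload) and the type names follow Apple's published DDM schema, but the identifiers, server tokens and payload keys other than the asset reference are made up for illustration, and the predicate evaluator is a deliberate simplification that only understands `@status(<item>) == '<value>'` clauses ANDed together. It shows the one-to-many asset relationship, the declaration-items manifest a device uses to fetch only declarations whose token changed, and activation predicates being re-evaluated against device state.

```python
"""Toy model of DDM declarations and device-side activation resolution.

Added example, not Apple's or any MDM vendor's code. Declaration shape and
type names follow Apple's DDM schema; identifiers, tokens and payload keys
other than the asset reference are illustrative; the predicate evaluator is
a simplification that only handles "@status(<item>) == '<value>'" clauses.
"""
import re
from typing import Any, Optional

Decl = dict[str, Any]

def decl(type_: str, identifier: str, token: str, payload: dict) -> Decl:
    return {"Type": type_, "Identifier": identifier, "ServerToken": token, "Payload": payload}

# Constructed sample declaration set, as an MDM server would serve it.
USER_IDENTITY = decl("com.apple.asset.useridentity", "asset.useridentity.jane", "u-1",
                     {"FullName": "Jane Doe", "EmailAddress": "jane@example.com"})
MAIL = decl("com.apple.configuration.account.mail", "config.mail.corp", "m-1",
            {"VisibleName": "Corporate Mail",  # illustrative key
             "UserIdentityAssetReference": "asset.useridentity.jane"})
CALDAV = decl("com.apple.configuration.account.caldav", "config.caldav.corp", "c-1",
              {"VisibleName": "Corporate Calendar",  # illustrative key
               "UserIdentityAssetReference": "asset.useridentity.jane"})
ACCOUNTS = decl("com.apple.activation.simple", "activation.corp-accounts", "a-1",
                {"StandardConfigurations": ["config.mail.corp", "config.caldav.corp"],
                 # Applies only on iPhones; the device re-evaluates it on state change.
                 "Predicate": "(@status(device.model.family) == 'iPhone')"})
ORG = decl("com.apple.management.organization-info", "management.org", "o-1",
           {"Name": "Example Corp"})
ALL_DECLARATIONS = [USER_IDENTITY, MAIL, CALDAV, ACCOUNTS, ORG]

_CATEGORY = {"activation": "Activations", "configuration": "Configurations",
             "asset": "Assets", "management": "Management"}

def declaration_items(declarations: list[Decl]) -> dict[str, list[dict[str, str]]]:
    """Manifest of identifiers and server tokens grouped by declaration type,
    as the declaration-items endpoint returns it (no payloads)."""
    items: dict[str, list[dict[str, str]]] = {v: [] for v in _CATEGORY.values()}
    for d in declarations:
        kind = d["Type"].split(".")[2]  # com.apple.<kind>.<name>
        items[_CATEGORY[kind]].append(
            {"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]})
    return items

def changed_identifiers(held: dict[str, str], manifest: dict[str, list[dict[str, str]]]) -> list[str]:
    """Declarations a device must fetch: unknown to it, or ServerToken differs
    from the token it already holds. Unchanged declarations are skipped."""
    return sorted(item["Identifier"] for group in manifest.values()
                  for item in group if held.get(item["Identifier"]) != item["ServerToken"])

def asset_consumers(declarations: list[Decl]) -> dict[str, list[str]]:
    """Reverse map asset identifier -> configurations referencing it: the
    one-to-many relation, so one asset update reaches every consumer."""
    consumers: dict[str, list[str]] = {}
    for d in declarations:
        if d["Type"].startswith("com.apple.configuration."):
            for key, value in d["Payload"].items():
                if key.endswith("AssetReference"):
                    consumers.setdefault(value, []).append(d["Identifier"])
    return consumers

_CLAUSE = re.compile(r"@status\(([\w.-]+)\)\s*==\s*'([^']*)'")

def predicate_matches(predicate: Optional[str], status: dict[str, Any]) -> bool:
    """Simplified predicate check against a flat {status item: value} state.
    Real devices evaluate full NSPredicate syntax; anything this toy cannot
    parse is rejected rather than silently treated as true."""
    if not predicate:
        return True
    clauses = _CLAUSE.findall(predicate)
    if not clauses:
        raise ValueError(f"unsupported predicate syntax: {predicate!r}")
    return all(status.get(item) == value for item, value in clauses)

def resolve_activation(activation: Decl, declarations: list[Decl],
                       status: dict[str, Any]) -> list[Decl]:
    """Device side: configurations that take effect for this activation under
    the given status, with asset references replaced by the asset payloads.
    Returns [] when the predicate does not match the device state."""
    by_id = {d["Identifier"]: d for d in declarations}
    if not predicate_matches(activation["Payload"].get("Predicate"), status):
        return []
    resolved = []
    for ident in activation["Payload"]["StandardConfigurations"]:
        payload = dict(by_id[ident]["Payload"])
        for key in [k for k in payload if k.endswith("AssetReference")]:
            payload[key.removesuffix("Reference")] = by_id[payload.pop(key)]["Payload"]
        resolved.append({"Identifier": ident, "Payload": payload})
    return resolved
```

Calling `resolve_activation(ACCOUNTS, ALL_DECLARATIONS, {"device.model.family": "iPad"})` returns nothing, while the same call with `"iPhone"` returns both account configurations with Jane's identity inlined; changing only the asset's payload and bumping its ServerToken is enough for both consumers to pick up the new identity on the next sync.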

Status Channel

The Status Channel is the second pillar of Declarative Device Management. The device state may not always match the state defined in the declarations, and sometimes applying the declared state may require user interaction.

Apple therefore created the Status Channel to give the server visibility into device state transitions. The MDM server subscribes to the status items it cares about, and the device reports them; status reports are incremental, so only items that changed are sent. For example, an MDM server can be notified when a device upgrades its OS version and then adjust policy accordingly.

Extensibility

The third pillar of the declarative data model is Extensibility. It allows MDM solutions and devices to tell each other which capabilities they support, which helps maintain compatibility between MDM solutions and Apple devices as new OS updates and hardware models are released.

When a device's OS is updated and a feature the MDM already supports becomes available, the device reports its updated capabilities and can take on the corresponding declarations from the MDM. Likewise, when the MDM service is updated to support new features, it advertises those capabilities to the device, so the two sides only use the features both of them support.

Everything discussed above concerns MDM providers: any of them can build on the declarative data model in their solutions. Apple is introducing new features gradually, and DDM coexists with the current MDM protocol, so providers can adopt the declarative data model progressively.

Intune Support for the Declarative Device Management Protocol

Intune announced support for Declarative Device Management in August 2022, making Microsoft the first in the market to support it. Currently, Intune supports configuring DDM policies through the iOS/iPadOS and macOS settings catalog.

Because the declarative model coexists with the older MDM protocol, Intune lets admins create a policy in the settings catalog and deliver it as a DDM-based policy to DDM-enabled devices, while sending the equivalent standard MDM-based policy to devices still using the older protocol. Let's see which settings Intune supports using DDM.

Declarative Device Management: A New Way of Managing Apple Devices Fig: 2

Click New Policy, and under Profile type select Settings catalog, since Intune added the DDM settings to the settings catalog.

Declarative Device Management: A New Way of Managing Apple Devices Fig: 3

Now provide a name and description for the policy and click Next. In the settings catalog, click + Add settings; this opens a new window listing the settings that can be configured.

Now search for Declarative; there are two results: Declarative Device Management > Software Management and Declarative Device Management > Passcode. Currently, Intune supports these two DDM settings for macOS, and it exposes DDM settings for iOS/iPadOS in the same way.

Declarative Device Management: A New Way of Managing Apple Devices Fig: 4

Conclusion

Apple has made significant updates and added new features since the WWDC 2021 announcement. Declarative Device Management lets devices make decisions and act autonomously, without continuous supervision from administrators or the MDM server, which makes device management more dynamic and proactive. We will meet again in another article. Till then, happy learning.


Author

About Author – Narendra Kumar Malepati (Naren) has 12+ years of experience in IT, working on different MDM tools. Over the last seven years, Naren has been working on various features of Intune, including migration from different MDMs to Intune. Naren mainly focuses on Android, iOS, and macOS.

