IT professionals who manage Apple devices must put consistency and robust security at the top of their list. They face the challenge of effectively overseeing various system services and background tasks while maintaining uniform configurations and safeguarding the organization’s data. Recognizing these complexities, Apple announced an advanced and powerful approach called Declarative Device Management (DDM), marking a major step away from the world of Mobile Device Management (MDM).
The Future of Device Management
DDM truly revolutionizes device management. Starting with macOS Ventura and iOS and iPadOS 15, and now being fully realized with the upcoming releases of macOS Sonoma and iOS and iPadOS 16, DDM offers a more efficient and secure means of administering macOS and iOS devices. Declarative Device Management introduces tamper-resistant configurations that simplify monitoring system services and background tasks. Not only that, but it’s more lightweight, giving devices autonomy and letting them act proactively.
Devices actively respond to changes in their state and autonomously apply the necessary changes based on that state. This eliminates the need for your MDM servers to continually poll devices for state and then push changes when required. Devices now send notifications to the MDM server when changes occur, so you always know the most up-to-date state of your fleet.
Apple’s DDM in macOS Sonoma completely transforms system service management and certificate and identity administration, breaking away from traditional Mobile Device Management (MDM) systems. DDM enforces uniform configurations across all devices by using tamper-resistant system configuration files, and it enhances protection against accidental changes made by users.
Declarations, Status, and Extensibility
Declarative Device Management encompasses three core data models: declarations, status, and extensibility. Let’s delve into each one to gain a better understanding of their roles and significance.
Declarations play a crucial role in DDM: they define policies and desired states for devices (such as enabling FileVault, setting minimum password requirements, and applying all critical updates immediately). When an organization wants to establish specific rules and configurations for a device, it uses declarations. These declarations are serialized as JSON objects, rather than the property lists (plists) used previously. They consist of essential properties that facilitate synchronization with the management server.
There are four distinct declaration types:
1. Configurations: These are akin to the settings and restrictions currently employed for devices, such as device passcode settings delivered via MDM profiles. Configurations enable organizations to apply specific settings (for example, passcode requirements for devices), ensuring adherence to desired policies.
2. Assets: Assets refer to the reference data required by Configurations for successful setup. This data can include MDM URLs, device user information, and certificates necessary to establish trust. Organizations leveraging assets can streamline the configuration process and ensure devices have access to the necessary resources. Assets can support one or more Configurations.
3. Activations: Activations group sets of Configurations and apply them atomically. This means that if a single Configuration within an Activation fails, none of the Configurations in that Activation will apply to the device, preventing conflicts later. Many Activations can include the same Configuration. This many-to-many relationship provides you with unprecedented power. In simpler terms: device management solutions can send Activations to many devices, and only the devices to which the Activation’s Configurations apply will install them.
Activations also include a new capability called Predicates. Predicates let you set conditional rules for applying the Configurations, so you can build rules such as “if device is iPad, then …”.
4. Management: The management aspect revolves around sending static information to a device, such as details pertaining to the organization responsible for device management and the capabilities of the server. This information ensures devices possess the necessary context and knowledge about their management environment.
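As an added illustration (not Addigy’s or Apple’s code), the following Python models the Configuration and Activation declarations described above in their JSON shape and resolves which Configurations an Activation would apply to a device, including the all-or-none rule and a Predicate. The identifiers and server tokens are constructed; the declaration types, `StandardConfigurations`, `Predicate`, and the `device.model.family` status key follow Apple’s published DDM examples, while the predicate evaluator is a deliberately simplified stand-in for the device’s NSPredicate engine.

```python
import json
import re

# Constructed declarations in the DDM wire shape (Type, Identifier, ServerToken, Payload).
# Identifiers and ServerToken values are made up for this example.
DECLARATIONS = {
    "passcode": {
        "Type": "com.apple.configuration.passcode.settings",
        "Identifier": "passcode",
        "ServerToken": "rev-1",
        "Payload": {"MinimumLength": 8, "RequireAlphanumericPasscode": True},
    },
    "ipad-baseline": {
        "Type": "com.apple.activation.simple",
        "Identifier": "ipad-baseline",
        "ServerToken": "rev-1",
        "Payload": {
            "StandardConfigurations": ["passcode"],
            "Predicate": "@status(device.model.family) == 'iPad'",
        },
    },
    # Activation that references a Configuration the server never sent.
    "broken-baseline": {
        "Type": "com.apple.activation.simple",
        "Identifier": "broken-baseline",
        "ServerToken": "rev-1",
        "Payload": {"StandardConfigurations": ["passcode", "missing-config"]},
    },
}

_PRED = re.compile(r"@status\(([\w.]+)\)\s*==\s*'([^']*)'")


def predicate_holds(predicate, status):
    """Toy evaluator for the single form `@status(key) == 'value'` (assumption:
    the real device evaluates full NSPredicate expressions). No predicate means
    the Activation is unconditional."""
    if predicate is None:
        return True
    m = _PRED.fullmatch(predicate.strip())
    if not m:
        raise ValueError(f"unsupported predicate: {predicate}")
    return status.get(m.group(1)) == m.group(2)


def resolve_activation(activation_id, declarations, status):
    """Return the Configuration identifiers an Activation applies on a device with the
    given status, or [] if the predicate fails or any Configuration is unavailable."""
    payload = declarations[activation_id]["Payload"]
    if not predicate_holds(payload.get("Predicate"), status):
        return []
    for cid in payload["StandardConfigurations"]:
        decl = declarations.get(cid)
        if decl is None or not decl["Type"].startswith("com.apple.configuration."):
            return []  # all-or-none: one missing Configuration blocks the whole set
    return list(payload["StandardConfigurations"])


if __name__ == "__main__":
    ipad = {"device.model.family": "iPad"}
    print(resolve_activation("ipad-baseline", DECLARATIONS, ipad))
    print(json.dumps(DECLARATIONS["ipad-baseline"], indent=2))
```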
The Status Channel allows your device management solution to subscribe to only the updates from the device it wishes to understand. Today, Mobile Device Management is an all-or-none solution. With the new Status Channel, unnecessary communication from each device to the device management servers is minimized, but you still have full access to everything you need to know and ensure compliance.
Finally, we encounter Extensibility, which plays a pivotal role in keeping the management server and managed devices in sync regarding new capabilities. Both the server and device possess the awareness to recognize when new features are available and actively communicate this information to each other. This real-time exchange ensures that servers and devices can promptly leverage and incorporate new features and payloads into their operations. By embracing Extensibility, the system remains adaptable and future-proof, accommodating advancements and enhancements without delay.
Declarative Device Management and MDM
DDM works alongside today’s MDM. The path to upgrade devices from using MDM today to using DDM will happen seamlessly. Devices currently enrolled with traditional MDM will migrate to DDM under the hood as the device moves to OS versions that support DDM.
The Future and Addigy
Addigy’s product team has already proactively begun incorporating DDM into our existing tool, embracing a future-focused approach. DDM represents a noteworthy advancement in how we approach and understand device management, including all important software updates. DDM not only streamlines administrative tasks but also enhances the overall security, performance, and integrity of the devices managed by Apple device administrators.
Devices managed with Addigy’s device management tool will automatically begin transitioning to DDM as the capabilities now handled via MDM arrive in DDM.