MDM: a reactive management approach
Apple’s Mobile Device Management (MDM) protocol is an important part of managing and maintaining macOS, iOS, iPadOS and tvOS devices at an organization. With nearly every new operating system release from Apple, we see new features and functionalities added to the MDM protocol. As it currently stands, MDM is largely a reactive management approach: a device enrolls in a management service, the service pushes down profiles to define the desired state of the device, the device then reports back its status. It can take some jockeying back and forth for the server to confirm a device’s state and take action, if necessary. When this back-and-forth happens with a large device footprint, it can create a lot of strain on a management server.
Proactive, more autonomous device action with DDM
The announcement of Declarative Device Management (DDM) presents a substantial shift in Apple’s MDM philosophy. This new approach empowers the individual device to act more autonomously and proactively within the confines of policies from its management server. A device will detect its own state changes and take action based on defined criteria rather than waiting to hear back from the management server after phoning home. And instead of waiting for a recurring push for the server to learn about changes on a device, the device can proactively send its updated information directly to the server as needed. As a result, device information should be more accurate and reported back in a more timely fashion and policies can be applied faster on a device to better maintain its desired state.
DDM’s three core data models: declarations, status and extensibility
Declarations are the payloads that define policy and desired state on a device. Declarations make up the policy an organization wants to define for a device. They are serialized as JSON objects (something worth noting as a change from the current use of plists) and have required properties that allow the policy to synchronize with the management server. Declarations come in four flavors:
- Configurations: similar to what we currently use to apply settings and restrictions on devices (e.g., device passcode settings).
- Assets: the reference data a device needs for configuration. This data can be hosted by the management server or on a Content Delivery Network (CDN).
- Activations: the set(s) of configuration data that the device will automatically apply. Activations can refer to multiple configurations, resulting in a many-to-many relationship with devices. In a nutshell, activations will allow an MDM the possibility of sending all declarations for any device state to all managed devices, with the individual device determining what to apply. When device state changes, the device can take action autonomously without waiting for intervention from the management server.
- Management: a way to send static information to a device, such as information about the organization managing the device and the capabilities of the server.
When the device state changes (for example, when a device updates its OS), the status channel allows the device to report back this change to the management server, which in turn allows the management server to apply new policies that become available.
Extensibility is how a management server and a managed device report to each other when new capabilities are available. Both the server and device know when to take advantage of new features and advertise that information to each other. This means servers and devices are immediately able to use new features and payloads.
Why should you adopt Declarative Device Management?
DDM will help reshape device management for all stakeholders. It will:
- Support new, complex management strategies
- Enhance the overall user experience of managed devices
- Alleviate the repetitive and tedious tasks of an IT admin
- Empower devices to be the driver in their own management state
Benefits of DDM: Declarations and Status
To best answer why you should adopt this model, you need to understand the benefits of the device management data model. Two key elements that make up this model — Declarations and Status — were discussed earlier.
- Declarations encompass activations and predicates, configurations, assets and management types.
- Status covers status items and status reporting.
Diving further into Status, status reports provides a rich feedback channel, enabling management servers to monitor devices more closely. Additionally, it allows for presenting pertinent information in a more timely and reliable manner through asynchronous updates. This change not only improves efficiency by using less network bandwidth resources, but reduces the complexity of the traditional polling method. This traditional method could lead to device information not being current— Status increases reliability in the process.
Advantages to DDM for developers and IT
For developers, the declarative data model allows your servers to be lightweight and reactive. For IT, this approach inspires confidence that a device will be in its expected state. In the event where it is not, such as a loss of connectivity to the server, there exists a safe state that keeps sensitive organizational data protected.
For both, in closely mapping to how organizations are structured, changes to devices become more intuitive and are implemented more efficiently. This means a simpler effort from both developers and IT, enabling them to focus on the device management features that the organization needs. This creates a solution customers and end-users will love,with:
- A more responsive and reliable experience
- Faster onboarding of end-user devices
- Quicker recovery times in the device lifecycle
- Better support from their organization
With efficiency and a better experience for developers, IT and of course end-users in mind, Apple has made it resoundingly clear that “the focus of future protocol features will be declarative device management.” This makes it even more important to implement workflows that will support adoption of DDM today.
What new features did Apple announce for DDM at WWDC ’22?
The presentation at WWDC 2022 focused on three areas specifically and how the OS’s in the Apple ecosystem of products support them by:
Expanding the scope of declarative device management
Initially, DDM was only supported on iOS-based systems with user enrollments. Now, it is available for every platform and enrollment type that is supported by the MDM protocol. This support begins with macOS Ventura and tvOS 16, as well as Shared iPad with:
- Automatic device enrollment
- Supervised devices
- Profile-based enrollment
- Profile and account-based user enrollments
Enhancing status reports
By incrementally reporting status to the server for subscribed items, devices can track successful responses to ensure status updates are reliable and always available. This makes devices proactive, as servers no longer continuously poll devices watching for state changes. As a status item that can be iteratively updated, Apple expanded status in three areas:
- Passcode state determines if devices with passcode policies enabled are compliant without being affected by lag between policy assignment and when it is applied on the device. Also, the declarative model enforces compliance without necessitating polling the device.
- Accounts installed by configurations: Organizations often use devices with account configurations installed to give users access to company resources. The new DDM status release added eight account status items for multiple account types, like mail and calendar, for example. This provides IT insight into the status of these accounts, to help support users resolve problems.
- MDM-installed apps: Monitoring app install status can have a great effect on the user’s experience and their ability to get work accomplished. By using attributes in a JSON object, DDM proactively sends app install progress to the server, reporting the status incrementally. This allows the server to immediately identify which app is being reported and what its state is throughout the install (and uninstallation) process.
Predicates are optional data that determine whether configurations (as part of the Activations declaration) will be applied to the device. By using predicates to include status values, administrators can apply new management properties byadding new declarations. In lay terms, predicates act as triggers for applying multiple management properties, based on conditional statements.
For example, say there is a policy that installs a specific app for all users that match a particular group. Members of other groups do not get this app, unless they are also members of the admin group. Lastly, users that are not members of either group are assigned a different app altogether.
This requires three separate configuration profiles and server-side logic to poll each device and user to determine membership levels before deploying the appropriate configuration profiles — up to three depending on the user. With DDM, the full set of declarations is preloaded onto the device, with predicates that trigger the activation of the configurations for the roles that match.
Overall this minimizes both server and network traffic, while reducing the complexity of requiring rapid changes in device state. This executes smoother, more immediate device management workflows by moving complex business logic from the server to the device.
Note: macOS and Shared iPad devices use two MDM channels: device and user. The former allows management of device level state; the latter channel targets management state for specific users. For Declarative Management to be successful, each corresponding channel that is to send DDM commands or generate status reports must be enabled and monitored separately.
When will DDM be ready?
Apple has already made declarative management available to MDM vendors and is designed to work alongside Apple’s current device management protocol. This new functionality is going to initially support iOS and iPadOS devices enrolled through user enrollment. Configurations for accounts and passcodes are currently supported, with more features likely to be released in the future. Status subscription configurations are also available and can be used by management servers to specify status updates it wants to receive. The first activation available in declarative management is one that defines the configurations that must be applied on a device. User identity assets and user credential assets are also available now. Initial status items include declaration state and device properties.
For an in-depth introduction to DDM and the steps needed to adopt it, watch the WWDC 2021 session on Apple’s Developer Portal.
Jamf has been reviewing the impact of Declarative Device Management on Jamf Pro along with Jamf Now and Jamf School and will be making announcements soon about how we will support this exciting feature.
Have market trends, Apple updates and Jamf news delivered directly to your inbox.