Apple’s mobile device management (MDM) protocol is an important part of managing and maintaining macOS, iOS, iPadOS, and tvOS devices within an organization. With nearly every new operating system release from Apple we see new features and functionality added to the MDM protocol. As it currently stands, MDM is largely a reactive management approach: a device enrolls in a management service, the service pushes down profiles to define the desired state of the device, and the device then reports back its status. It can take some jockeying back and forth for the server to confirm a device’s state and take action if necessary. When this back-and-forth happens across a large device footprint it can put a lot of strain on a management server.
The announcement of Declarative Management presents a substantial shift in Apple’s MDM philosophy. This new approach empowers the individual device to act more autonomously and proactively within the confines of policies from its management server. A device will detect its own state changes and take action based on defined criteria rather than waiting to hear back from the management server after phoning home. And instead of waiting for a recurring push for the server to learn about changes on a device, the device can proactively send its updated information directly to the server as needed. As a result, device information should be more accurate and reported back in a more timely fashion, and policies can be applied faster on a device to better maintain desired state.
Declarative Management is made up of three core data models: declarations, status, and extensibility.
Declarations are the payloads that define policy and desired state on a device. Declarations make up the policy an organization wants to define for a device. They are serialized as JSON objects (something worth noting as a change from the current use of plists) and have required properties that allow the policy to synchronize with the management server. Declarations come in four flavors:
- Configurations: similar to what we currently use to apply settings and restrictions on devices (e.g., device passcode settings).
- Assets: the reference data needed by a device for configuration. This data can be hosted by the management server or on a content delivery network (CDN).
- Activations: the set(s) of configurations that the device will automatically apply. An activation can refer to multiple configurations and a configuration can be referenced by multiple activations, so the relationship between them is many-to-many. In a nutshell, activations allow an MDM to send the declarations for every possible device state to all managed devices, with each individual device determining which ones to apply. When device state changes, the device can take action autonomously without waiting for intervention from the management server.
- Management: a way to send static information to a device, such as information about the organization managing the device and the capabilities of the server.
The status channel is the second Declarative Management data model. When the device state changes (e.g., when a device updates its OS) the status channel allows the device to report that change back to the management server, which in turn allows the management server to apply any new policies that have become applicable.
Extensibility is how a management server and a managed device report to each other when new capabilities are available. Both the server and device know when to take advantage of new features and advertise that information to each other. This means servers and devices are immediately able to utilize new features and payloads.
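To make the interplay between declarations, activations and the status channel concrete, here is an added example in Python that is not Apple's code or format. Declarations are modelled as JSON-style objects with Type, Identifier, ServerToken and Payload keys; the type names, the predicate shape and every value are constructed for illustration and are not Apple's documented identifiers.

```python
# Constructed declarations modelled on the structure described above.
# Type names and values are illustrative assumptions, not Apple's identifiers.
DECLARATIONS = [
    {"Type": "example.configuration.passcode", "Identifier": "cfg.passcode",
     "ServerToken": "p1", "Payload": {"MinimumLength": 6}},
    {"Type": "example.configuration.passcode", "Identifier": "cfg.passcode-strict",
     "ServerToken": "p2", "Payload": {"MinimumLength": 10}},
    # Activation with no predicate: always applies its configurations.
    {"Type": "example.activation.simple", "Identifier": "act.baseline",
     "ServerToken": "a1", "Payload": {"StandardConfigurations": ["cfg.passcode"]}},
    # Activation the device only switches on once its OS reaches 15.0.
    {"Type": "example.activation.simple", "Identifier": "act.new-os",
     "ServerToken": "a2", "Payload": {"StandardConfigurations": ["cfg.passcode-strict"],
                                     "Predicate": {"key": "os_version", "min": [15, 0]}}},
]

def is_activation(decl):
    return decl["Type"].endswith("activation.simple")

def predicate_holds(pred, state):
    """Simplified predicate: true when the state value is >= the minimum (tuple compare)."""
    if pred is None:
        return True
    return tuple(state.get(pred["key"], ())) >= tuple(pred["min"])

def active_configurations(declarations, state):
    """Device-side evaluation: configurations referenced by an activation whose predicate holds."""
    ids = set()
    for d in declarations:
        if is_activation(d) and predicate_holds(d["Payload"].get("Predicate"), state):
            ids.update(d["Payload"]["StandardConfigurations"])
    return ids

def newly_applied_after(declarations, old_state, new_state):
    """What the device applies on its own after a local state change such as an OS update."""
    return sorted(active_configurations(declarations, new_state)
                  - active_configurations(declarations, old_state))

def declaration_status(declarations, state):
    """Status-channel style report: for each declaration, its token and whether it is active."""
    active = active_configurations(declarations, state)
    report = {}
    for d in declarations:
        on = (predicate_holds(d["Payload"].get("Predicate"), state) if is_activation(d)
              else d["Identifier"] in active)
        report[d["Identifier"]] = {"ServerToken": d["ServerToken"], "Active": on}
    return report

def stale_declarations(device_tokens, server_manifest):
    """Sync check: identifiers whose ServerToken changed or that the device has never fetched."""
    return sorted(i for i, tok in server_manifest.items() if device_tokens.get(i) != tok)
```

The device never waits for the server to tell it about the OS change: it re-evaluates the activations locally, applies `cfg.passcode-strict`, and reports the new declaration state on the status channel.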
Apple has already made Declarative Management available to MDM vendors, and it is designed to work alongside Apple’s current MDM protocol. This new MDM functionality will initially support iOS and iPadOS devices enrolled with user enrollment. Configurations for accounts and passcodes are currently supported, with more features likely to be released in the future. Status subscription configurations are also available and can be used by a management server to specify which status updates it wants to receive. The first activation available in Declarative Management is one that defines the configurations that must be applied on a device. User identity assets and user credential assets are also available now. Initial status items include declaration state and device properties.
Even though Declarative Management is limited to user enrollments on iOS and iPadOS to start, you can think of this as a soft rollout. While no one outside of Apple can say for sure what’s coming on their roadmap, this new functionality is very cool and could really be a game changer for macOS in particular. On-device policy enforcement, proactive device state reporting to a management server, and settings configured in JSON format (instead of the commonly used plist format) are all pretty exciting to see come to Apple devices.
You can watch the WWDC 2021 session on declarative management on Apple’s Developer Portal. And if you’re eager to see some of this new MDM functionality come to macOS make sure to file feedback with Apple.