
Understanding Declarative Device Management

The following document will give you an understanding of Declarative Device Management on Apple devices.

Imagine a company that requires a strong passcode on every device. To enforce this, it deploys a passcode policy with specific rules, and any device that does not meet them is marked non-compliant. In traditional MDM, the server has to query the device repeatedly to learn its compliance status, creating a constant back-and-forth exchange. When the user changes the passcode to meet the requirement, the device becomes compliant, but the server only learns this the next time it queries the device. This reactive process delays status updates and adds server load, and managing thousands of devices this way quickly becomes a burden.

Apple’s Declarative Device Management (DDM) changes this. Instead of the MDM server polling devices for status, each device monitors itself and notifies the MDM server only when something relevant changes, such as the compliance status in the example above. By shifting the work to the device, DDM makes status updates faster and reduces the load on the MDM server. Let’s look at how DDM reshapes the way organizations manage Apple devices.

Difference between Reactive and Proactive MDM protocols

To understand how DDM works, it helps to first compare the reactive and proactive approaches to device management. This shows how the traditional MDM protocol differs from declarative management.

Aspect          | Reactive approach (traditional MDM)                                      | Proactive approach (DDM)
Compliance      | The MDM server queries the device at intervals to check compliance.      | The device monitors its own compliance and applies policies locally.
Communication   | Frequent back-and-forth between the device and the MDM server.           | Minimal; the device reports only when something changes.
Response time   | Status updates wait for the next server query.                            | Changes are reported as they happen, so delays are minimal.
Scalability     | Large fleets increase server load and slow down operations.              | Suits large deployments with little server strain.
Device autonomy | The device depends on the server for instructions and compliance checks. | The device evaluates conditions and acts on its own.
Efficiency      | Repeated policy checks consume resources on both sides.                  | Reduced server workload and network traffic.

In summary, the traditional MDM protocol follows a reactive approach: the MDM server exchanges messages with the device at intervals just to confirm a single change. DDM follows a proactive approach: the device watches for state changes and notifies the MDM server on its own when one occurs, which reduces the load on the server.

How does Declarative Device Management work?

Declarative Device Management consists of three important components:

  1. Declarations

    Declarations are JSON payloads that the MDM server sends to the device to describe the state the organization wants; the device is responsible for reaching and maintaining that state. There are four types of declarations:

    1. Configurations: These declarations work much like configuration profiles, applying settings to the device. For instance, they configure Wi-Fi or VPN, or restrict certain device functionality. Unlike profiles, which use the .plist format, declarations are sent as JSON objects.
    2. Assets: These declarations supply resources that configurations reference. For instance, a certificate authority (CA) certificate is an asset that a Wi-Fi configuration uses for authentication. Assets are not applied on their own, but one asset can be referenced by several configurations, and it can carry different data for different users.
    3. Activations: These declarations define when configurations (and the assets they reference) take effect. An activation lists the configurations it turns on and can carry a predicate that the device evaluates itself, for example against the installed OS version. This lets a single set of declarations apply different Wi-Fi settings to company-owned and employee-owned devices.
    4. Management: These declarations describe the overall management context to the device, such as organization information, the capabilities of the MDM server, and which status items the device should report. Device state itself, such as passcode compliance, flows in the other direction, through the status channel, not through a management declaration.
  2. Status Channel

    The status channel is the device-to-server half of the protocol. Device state is exposed as named status items, for example passcode compliance or the installed OS version. The MDM server subscribes to the items it wants to monitor by sending the device a status-subscriptions management declaration; no polling is involved. From then on, the device sends a status report on its own whenever a subscribed item changes, such as when the passcode stops meeting policy or an app finishes installing, so the server holds current data without continuous back-and-forth. A status report is still the device’s own assertion of its state, carried over the existing MDM channel: DDM changes who initiates the update, not the trust placed in the device.

  3. Extensibility

    Extensibility lets both the MDM server and the device adapt as new capabilities become available. The device reports the declaration types and status items it supports, so when an OS update adds support for a feature, the server learns of it and can send the matching declarations. Likewise, the server tells the device which capabilities it supports, and the device only relies on those. This two-way exchange means devices receive a declaration as soon as they meet its requirements, and it keeps management scalable as Apple adds capabilities over time.
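The exchange described in the comparison table and in the three components above, as an added example that is not code from the original page or from Hexnode: a small in-memory model of a DDM server that builds a passcode configuration, the activation that turns it on, and a status-subscriptions management declaration; answers the endpoints a device reaches through the MDM DeclarativeManagement command; and consumes the device-initiated status reports from the passcode scenario. The declaration Type strings, endpoint names and the StatusItems report shape follow Apple’s DDM protocol; the identifiers, payload values, the predicate, the token scheme and the device state are assumptions made for this example.

```python
import hashlib
import json

# Declaration "Type" strings, endpoint names and the StatusItems report shape
# follow Apple's DDM protocol. Identifiers, payload values, the predicate and
# the device state further down are constructed for this example.
DECLARATIONS = [
    {   # configuration: the state to enforce, as JSON rather than a .plist profile
        "Type": "com.apple.configuration.passcode.settings",
        "Identifier": "cfg.passcode.corporate",
        "Payload": {"RequirePasscode": True, "MinimumLength": 8,
                    "RequireAlphanumericPasscode": True},
    },
    {   # activation: turns the configuration on when the predicate holds on-device
        "Type": "com.apple.activation.simple",
        "Identifier": "act.passcode.corporate",
        "Payload": {"StandardConfigurations": ["cfg.passcode.corporate"],
                    "Predicate": "@status(device.operating-system.family) == 'iOS'"},
    },
    {   # management: the status items the server wants the device to report
        "Type": "com.apple.management.status-subscriptions",
        "Identifier": "mgmt.subscriptions",
        "Payload": {"StatusItems": [{"Name": "passcode.is-compliant"},
                                    {"Name": "passcode.is-present"}]},
    },
]
# Kind (third component of the Type) -> array name in the declaration-items response
BUCKET = {"configuration": "Configurations", "activation": "Activations",
          "asset": "Assets", "management": "Management"}


def digest(obj):
    """Opaque token over canonical JSON: any content change changes the token."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()[:16]


def flatten(nested, prefix=""):
    """{'passcode': {'is-compliant': False}} -> {'passcode.is-compliant': False}"""
    flat = {}
    for key, value in nested.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


class DDMServer:
    """Answers the endpoints a device reaches through the MDM 'DeclarativeManagement'
    command and consumes the device-initiated status endpoint."""

    def __init__(self, declarations):
        self.decls = {}
        for decl in declarations:
            kind = decl["Type"].split(".")[2]
            decl = dict(decl, ServerToken=digest(decl))  # changes whenever content changes
            self.decls[(kind, decl["Identifier"])] = decl
        self.last_seen = {}  # last reported status, flattened (per device in a real server)

    def tokens(self):  # endpoint "tokens": cheap check whether anything changed
        return {"SyncTokens": {"DeclarationsToken": self.declaration_items()["DeclarationsToken"]}}

    def declaration_items(self):  # endpoint "declaration-items": the manifest
        items = {bucket: [] for bucket in BUCKET.values()}
        for (kind, ident), decl in sorted(self.decls.items()):
            items[BUCKET[kind]].append({"Identifier": ident, "ServerToken": decl["ServerToken"]})
        return {"Declarations": items, "DeclarationsToken": digest(items)}

    def declaration(self, kind, ident):  # endpoint "declaration/<kind>/<identifier>"
        return self.decls[(kind, ident)]

    def subscribed_items(self):
        sub = self.decls[("management", "mgmt.subscriptions")]
        return {item["Name"] for item in sub["Payload"]["StatusItems"]}

    def status(self, report):  # endpoint "status": report pushed by the device
        """Return only the status items whose value differs from the last report."""
        flat = flatten(report["StatusItems"])
        missing = object()
        changed = {k: v for k, v in flat.items() if self.last_seen.get(k, missing) != v}
        self.last_seen.update(flat)
        return changed


def build_report(device_state, subscribed):
    """Device side: nest only the subscribed items into a StatusItems report."""
    items = {}
    for name, value in device_state.items():
        if name not in subscribed:
            continue
        *path, leaf = name.split(".")
        node = items
        for part in path:
            node = node.setdefault(part, {})
        node[leaf] = value
    return {"StatusItems": items, "Errors": []}


def passcode_flow():
    """The passcode scenario from the text: non-compliant first, then fixed by the user."""
    server = DDMServer(DECLARATIONS)
    subscribed = server.subscribed_items()
    # Constructed device state; the OS version is not subscribed, so it is never sent.
    state = {"passcode.is-present": True, "passcode.is-compliant": False,
             "device.operating-system.version": "17.4"}
    first = server.status(build_report(state, subscribed))
    state["passcode.is-compliant"] = True  # user sets a passcode that meets the policy
    second = server.status(build_report(state, subscribed))
    return first, second
```

Run `passcode_flow()` to see the two reports: the first carries both subscribed passcode items, the second only `passcode.is-compliant`, and the server never asks for either. Changing `MinimumLength` in the configuration changes its ServerToken and therefore the DeclarationsToken, which is the only thing a device has to compare to learn that it should fetch new declarations.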

How does Hexnode UEM work with Declarative Device Management?

Devices enrolled via Device Enrollment support Declarative Device Management on:

  • macOS 13.0 and later
  • iOS 16.0 and later
  • iPadOS 16.0 and later
  • tvOS 16.0 and later
  • visionOS 1.1 and later
  • watchOS 10.0 and later

Devices enrolled via User Enrollment support Declarative Device Management on:

  • iOS 15 or later
  • iPadOS 15 or later

Whenever a compatible device is enrolled in Hexnode UEM, the server sends an activation command after the first device scan, which turns on Declarative Device Management on that device.

Action History displays the successful execution of commands to activate Declarative Device Management in the Hexnode UEM console

Declarative management status can also be verified by:

  • Navigating to Manage > Devices.
  • Selecting the desired device.
  • In the Device Summary section, check the Enrollment Details tile.

Declarative Management status in Enrollment details tile under device summary in device details page on Hexnode UEM console

If Declarative Device Management has not been activated on the device, click on the refresh icon to initiate the process manually.

Initiate Declarative Device Management manually from Hexnode UEM

Once activated, devices will autonomously share their status reports with the Hexnode UEM server.

Note:

Once Declarative Device Management is enabled on a device, it cannot be disabled. The device must be disenrolled from Hexnode UEM to remove the declarative management state.

Currently, Hexnode UEM supports:

  • Status report: Devices instantly share any changes that occur, and the server updates the respective information in the device inventory.
  • Password compliance: Devices share their password compliance status whenever it is changed.
  • App installation status: The server receives real-time updates on the app installation status (pending, downloading, installing, installed, or failed). This feature is currently only supported for iOS/iPadOS devices.
  • OS update status: Devices share the status of OS updates (pending, downloaded, installing, or failed) and errors during installation in real-time.
  • Battery health: The Hexnode UEM server fetches battery health information from devices periodically and displays it on the Device Summary page of the respective device.

Because DDM runs alongside the existing MDM protocol on the same device, declarations cover the features listed above while MDM commands continue to handle everything else, with fewer delays overall.

Benefits of Declarative Device Management (DDM)

Declarative Device Management (DDM) enhances the way organizations manage Apple devices by making device configurations more efficient, reducing server dependency, and improving real-time updates. Here are some key benefits:

  1. Faster, real-time, and reliable updates

    With DDM, devices manage many settings locally and notify the MDM server only when necessary, enabling faster updates with fewer disruptions. App installations, OS updates, and other settings are updated in real time, allowing administrators to instantly track their status, minimizing delays and improving overall reliability.

  2. Instant communication via the status channel

    The introduction of the status channel allows devices to proactively report changes, such as software updates or compliance status, directly to the MDM server. This eliminates the need for frequent polling and ensures device inventory is always up-to-date.

  3. Improved user and admin experience

    By reducing network traffic and server load, autonomous updates mean fewer interruptions for users, while administrators get current device state with less effort.

  4. Lower complexity and bandwidth usage

    Unlike traditional MDM, which relies on constant back-and-forth communication, DDM allows devices to automate policy enforcement on their own. By reducing the need for continuous server polling, DDM minimizes management complexity and lowers network bandwidth usage.

  5. Seamless integration with existing MDM

    DDM is designed to work alongside traditional MDM protocols, allowing IT teams to gradually adopt new functionalities without disrupting existing workflows. This ensures a smooth transition to a more efficient management system.

  6. Future-proof management

    Apple continues to expand DDM capabilities, introducing new features and enhancements over time. This means organizations using DDM will benefit from continuous improvements, keeping their device management strategies up to date.

By shifting control to the device and reducing reliance on the server, DDM makes Apple device management faster, more reliable, and more scalable.
