Apple's New Declarative MDM: What It Is, How It Will Help Mac Admins
At its 2021 Worldwide Developers Conference, Apple announced a significant advance in the MDM protocol. Dubbed “declarative MDM,” the technology promises to make device management more powerful than ever before. But what is it, and how will it help Apple-focused IT admins in their day-to-day jobs?
We’ll have to wait for Apple to release complete details about this protocol update in the months to come before those questions can be answered fully. But we can offer some preliminary answers based on what Apple announced at WWDC. We’ll look at:
- Why Declarative MDM?
- What Is Declarative MDM?
- How Does Declarative MDM Work?
- How Can I Take Advantage of Declarative MDM?
Why Declarative MDM?
Apple says that the MDM protocol we use today is “imperative and reactive,” meaning it’s very server-centric: An MDM solution can download profiles and software agents to managed devices, but the core of control resides in the MDM server that tells those profiles and agents what to do.
That model works fine, but it has some limitations: Management workflows can suffer time lags because they rely on round-trip communications between managed devices and the server. When you’re managing a large number of devices, those communications can become even more of a bottleneck.
What declarative MDM seeks to do is push some responsibility for managing and implementing policies down to the devices themselves. It will allow devices to be more autonomous—making decisions for themselves, as it were—and lighten the load on servers and communications channels. Devices will be able to react to changes in their own state and implement management decisions on their own.
Significantly, declarative MDM builds directly on the existing MDM protocol; it won’t require any major reengineering of existing MDM solutions and can, in theory, be smoothly slipstreamed into them.
What Is Declarative MDM?
Today’s MDM protocol depends largely on payloads that are delivered by specific communications channels to managed devices. Those payloads contain profiles and settings that are then triggered by messages sent by the MDM solution over those channels. Declarative MDM updates what can be included in those payloads and adds a new communications channel.
These new payloads replace profiles with what Apple calls “declarations.” They’re similar to profiles in the current MDM model: They consist of dictionaries with keys and values, representing the policies that you, as an admin, want to implement, and are delivered to managed devices as payloads. (One difference: Declarations are sent as JSON objects instead of plists.) But they can do more.
There are four types of declarations:
- configurations (accounts, settings, and restrictions, for example);
- assets (data needed by configurations);
- activations (changes the device can apply to itself as well as the conditions under which it will do so); and
- management (which can tell the device about its management state or the capabilities of the server).
The overall effect is that the server can send the declarations, and then the device itself can determine which ones to apply.
This new data system works in concert with a new status communications channel, which devices can use to tell the server about themselves proactively. For example, if you push a new passcode configuration to a device that requires users to take action—creating a new password, say—once the user has updated the passcode the device can report the change to the server instead of waiting to be asked.
Finally, declarative MDM is extensible. As Apple adds new features to it, they can be absorbed into existing MDM frameworks seamlessly. That matters because taking advantage of new features won’t mean replacing your current MDM solution with an entirely new one. Instead, devices and servers can tell each other what their respective capabilities are (via one of those management declarations), so they can start using new features as soon as both sides are ready.
How Does Declarative MDM Work?
On a concrete level, a DeclarativeManagement command has been added to MDM. This command activates the declarative management features on managed devices. (Note that, once turned on, declarative management cannot be turned off; the server must remove declarations to disable it.)
Let’s say you have a device enrolled in your MDM solution. The server sends a push notification to the device, and the device responds with a ServerURL endpoint request, its status set to Idle. The server responds in turn with the DeclarativeManagement command. Upon receipt, the device activates declarative management and sends an acknowledgment to the server.
The device then asks the server for declaration items, and the server replies with a manifest containing metadata about the declarations it wants that device to have. The device compares that metadata with the set of declarations it already holds and determines which ones are new, which have changed, and which have been removed. It then requests only the new and changed ones. After the declarations are fetched, the device starts applying the policy changes they represent.
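An added example (not code from Apple or Kandji) of the comparison step described above, in Python: the device diffs the server’s manifest against what it already holds, keyed by identifier and versioned by a server token, and only the new or changed declarations need another round trip. The JSON key names (Declarations, Identifier, ServerToken, DeclarationsToken) are assumptions modeled on the declaration-items response and are not taken from this page; the sample data is constructed.

```python
import json

# Constructed sample manifest shaped like a declaration-items response.
# Key names are assumptions, not from the article or Apple's docs as quoted here.
SERVER_MANIFEST = json.loads("""
{
  "Declarations": {
    "Configurations": [
      {"Identifier": "com.example.passcode", "ServerToken": "v2"},
      {"Identifier": "com.example.wifi-profile", "ServerToken": "v1"}
    ],
    "Assets": [
      {"Identifier": "com.example.user-identity", "ServerToken": "v1"}
    ],
    "Activations": [
      {"Identifier": "com.example.activate-all", "ServerToken": "v1"}
    ],
    "Management": []
  },
  "DeclarationsToken": "manifest-abc"
}
""")

# Constructed sample of the device's local store: identifier -> ServerToken.
DEVICE_STORE = {
    "com.example.passcode": "v1",             # server now has v2: changed
    "com.example.user-identity": "v1",        # same token: unchanged
    "com.example.legacy-restrictions": "v1",  # absent from manifest: removed
}


def diff_manifest(manifest, local):
    """Return (new, changed, removed) identifier lists by comparing the
    server's manifest metadata with the device's local declaration set."""
    remote = {}
    for items in manifest["Declarations"].values():
        for item in items:
            remote[item["Identifier"]] = item["ServerToken"]
    new = sorted(i for i in remote if i not in local)
    changed = sorted(i for i in remote if i in local and local[i] != remote[i])
    removed = sorted(i for i in local if i not in remote)
    return new, changed, removed


def identifiers_to_fetch(manifest, local):
    """Only new and changed declarations are requested from the server;
    removed ones are simply dropped locally, with no fetch."""
    new, changed, _ = diff_manifest(manifest, local)
    return sorted(new + changed)
```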
How Can I Take Advantage of Declarative MDM?
Support for declarative MDM will appear first in iOS 15 and iPadOS 15, both of which should be released this fall. It will also be available on devices only when the MDM enrollment type is a user enrollment—either the new onboarding flow being introduced with iOS/iPadOS 15 or the flow introduced in iOS 13.
Apple is rolling out declarations incrementally. Account and passcode configurations (the equivalent of MDM account and passcode profile payloads) are supported now, as are profile configurations (which let you install MDM-supported profiles on devices declaratively). Two types of asset declarations—user identity assets (representing a user’s contact information) and user credential assets (containing user IDs and passwords for user accounts)—are also live. Two types of management declarations are supported as well: organization details and server capabilities.
Ultimately, you as an IT admin will have to rely on your MDM solution to realize the advantages of declarative MDM. That solution’s designers and engineers must implement the new powers granted them by declarative MDM before you can wield them. Rest assured that the Kandji team is already at work figuring out how we can take advantage of the new protocol to make your job easier.
See Kandji in Action
Experience Apple device management and security that actually gives you back your time.