WWDC 2022: Apple Advances Declarative Device Management
Last year, at WWDC 2021, Apple introduced a new concept for Apple admins: Dubbed declarative device management (a.k.a. declarative MDM), it was an evolutionary advance of the MDM protocol. The declarative model is designed to push much of the management down to the device itself. Instead of a server polling a device for its status and issuing commands to it (as happens with the current MDM protocol), declarative device management lets the device react to its own state changes by applying management on its own.
This year, at WWDC 2022, Apple announced an expansive update to declarative MDM: Where the original iteration worked only on iOS and iPadOS devices with user enrollment, it will now work on all Apple platforms, including Mac and Apple TV, and with all enrollment types. It also added new status reports and improved syntax for rules that define how a device is to be managed.
How Declarative Device Management Works
The real attraction of the declarative model is that devices become more self-sufficient. At a minimum, this reduces the round-trip traffic—the constant polling for status and the issuing of commands—between an MDM server and a device. But it still allows that server to stay up to date on what’s happening at the device level because the devices themselves communicate back to the server when their status changes.
More importantly, declarative device management gives the admin greater confidence that devices are in the state they should be. That’s because, in the declarative model, the device evaluates its state itself. And if that state changes, it is empowered to apply new configurations in response.
The “declarative” part of declarative management refers to declarations the system can exchange with devices. Those declarations include:
- activations and predicates (changes the device can apply to itself and the conditions under which it will do so);
- configurations (which include accounts, settings, and restrictions);
- assets (data needed by configurations); and
- management (which can tell the device about its management state or the capabilities of the server).
These declarations work in concert with a status communications channel, which devices can use to tell the server about themselves proactively. So if you push a new passcode configuration to a device that requires users to create a more complex one, the device can report back to the server when a user does so. (For more details on how declarative MDM works, see our report on its introduction from last year’s WWDC.)
How Apple Has Updated Declarative Management
At WWDC 2022, Apple announced improvements to declarative management in three areas: Expanded scope, new status reporting, and enhancements to predicates—which are what give devices the intelligence to manage themselves.
Expanded Platform Support
When Apple announced declarative management last year, the company said it would initially be available only on iOS and iPadOS devices with user enrollment. The company is now expanding its support to the Mac and to Apple TV as well as to all other enrollment types.
Specifically, it will be supported on devices running iOS 16, iPadOS 16, macOS 13 Ventura, or tvOS 16. And it will be supported on devices that have been enrolled with Automated Device Enrollment, profile-based device enrollment (previously known simply as “device enrollment”), and user enrollment (which tvOS doesn’t support). It will also be available on Shared iPad running iPadOS 16.
New Status Reports
The update to declarative management will also give MDM servers a better understanding of the state of devices they’re managing, even as that state changes. It does so by expanding the kinds of status reports those devices send back to those servers.
Status reporting allows a device to share information about its current state; if there are any changes to that state, they'll be reported to the server without the server polling the device. The server subscribes to status reports from a device; the device itself then decides when to send them. Status will be reported quickly but not necessarily immediately—which is OK, because the device can take action on its own, triggered by status changes.
In the original iteration of declarative management, devices could send status reports detailing some device properties, such as hardware model and OS version. They can now also report on the presence and compliance of passcodes; accounts; and (for iOS and iPadOS) information about the state of MDM app installations.
So, for example, you could configure declarative management to send both a passcode policy and a Wi-Fi configuration to a device, and you could set it up so that the Wi-Fi config would not be activated until the device complies with your organization’s passcode policy. Only when the user adjusts the passcode so it’s in compliance would the device activate the Wi-Fi configuration—without waiting for the server to register that the passcode is compliant and then issue commands.
The account status reports cover eight account types for mail, calendaring, and more (CalDAV, CardDAV, Exchange, Google, LDAP, incoming mail, outgoing mail, and subscribed calendars). Note that they can only report on accounts installed via declarative configurations or MDM profiles.
Finally, for apps installed via MDM, the status reports can say whether an app is currently being installed, was installed successfully, or was removed by the user.
Enhanced Predicates
Activations are what give declarative management its intelligence. That intelligence is based on what Apple calls predicates, which determine whether or not the configurations referenced in the activation should be applied to the device. With this latest update to the declarative protocol, the syntax of those predicates has been expanded.
In particular, the updated syntax makes it easier to reference the status of items directly in a predicate. When the status of an item changes, the predicate logic kicks in and the device reevaluates all of its activations and their predicates. This allows a device management solution to preload configurations that will then stay dormant on a device, only to be activated when specific conditions are met.
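To make the passcode-gated Wi-Fi scenario and the device-side reevaluation concrete, here is an added Python simulation; it is not Kandji's or Apple's code. It assumes declarations shaped like Apple's JSON schema (the type strings, the `StandardConfigurations` and `Predicate` keys, the `@status(...)` syntax and the `passcode.is-compliant` status key are from my recollection of the published schema and should be checked against Apple's documentation), and the evaluator handles only `@status(key) == literal` clauses joined by AND, a small subset of the real predicate language.

```python
import re

# Constructed declaration set: a passcode policy that is always active, and a
# Wi-Fi profile (delivered as a legacy profile asset) whose activation is gated
# on the device reporting a compliant passcode. Identifiers and URL are made up.
DECLARATIONS = [
    {"Type": "com.apple.configuration.passcode.settings", "Identifier": "cfg-passcode",
     "Payload": {"MinimumLength": 8, "RequireAlphanumericPasscode": True}},
    {"Type": "com.apple.configuration.legacy", "Identifier": "cfg-wifi",
     "Payload": {"ProfileURL": "https://mdm.example.com/profiles/corp-wifi.mobileconfig"}},
    {"Type": "com.apple.activation.simple", "Identifier": "act-passcode",
     "Payload": {"StandardConfigurations": ["cfg-passcode"]}},
    {"Type": "com.apple.activation.simple", "Identifier": "act-wifi",
     "Payload": {"StandardConfigurations": ["cfg-wifi"],
                 "Predicate": "@status(passcode.is-compliant) == true"}},
]

# One clause: @status(<status key>) == <true|false|'string'|integer>
CLAUSE = re.compile(r"@status\(([\w.-]+)\)\s*==\s*(true|false|'[^']*'|\d+)")

def _literal(tok):
    if tok in ("true", "false"):
        return tok == "true"
    return tok[1:-1] if tok.startswith("'") else int(tok)

def predicate_holds(predicate, status):
    """Simplified evaluator: AND-joined equality clauses against the device's
    current status report. A key the device has not reported yet is a mismatch,
    so a gated activation stays dormant until the status arrives."""
    if not predicate:
        return True  # an activation without a predicate is always active
    for clause in predicate.split(" AND "):
        m = CLAUSE.fullmatch(clause.strip("() "))
        if not m:
            raise ValueError(f"unsupported predicate clause: {clause}")
        if status.get(m.group(1)) != _literal(m.group(2)):
            return False
    return True

def active_configurations(declarations, status):
    """Device-side reevaluation: every activation's predicate is re-checked
    against the current status; configurations referenced by activations whose
    predicate holds are the ones the device applies. No server round trip."""
    active = set()
    for d in declarations:
        if d["Type"].startswith("com.apple.activation."):
            if predicate_holds(d["Payload"].get("Predicate"), status):
                active.update(d["Payload"]["StandardConfigurations"])
    return sorted(active)

if __name__ == "__main__":
    before = {"passcode.is-present": True, "passcode.is-compliant": False}
    after = dict(before, **{"passcode.is-compliant": True})
    print(active_configurations(DECLARATIONS, before))  # ['cfg-passcode']
    print(active_configurations(DECLARATIONS, after))   # ['cfg-passcode', 'cfg-wifi']
```

Running it shows the Wi-Fi configuration switching from dormant to active purely on the change in the device's own status report, which is the behaviour the passage describes.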
The Road to Declarative Management
Declarative management is still evolving as a technology. Apple’s focus this year has been on expanding it from iOS and iPadOS in user enrollments only to all platforms and enrollment types. Since declarative management is backward-compatible with the existing MDM protocol, device management solutions can leverage these new features while maintaining their current capabilities.
The operating systems that support this latest iteration of declarative management won’t ship until the fall, and MDM vendors still need to assess when and how to implement these features. But it’s clear that the future of device management is declarative—which is good news for Apple admins and the users they support.
To learn more about the latest developments in declarative device management, check out the WWDC 2022 presentation on Adopt Declarative Device Management (requires an Apple developer account).
About Kandji
Kandji remains committed to bringing the latest Apple technologies to life to make admins' lives easier and more productive. With powerful and time-saving features such as zero-touch deployment, one-click compliance templates, and plenty more, Kandji has everything you need to bring your Apple fleet into the modern workplace.
See Kandji in Action
Experience Apple device management and security that actually gives you back your time.