A Primer on Declarative Device Management for Apple Devices
Workspace ONE UEM provides a comprehensive management solution for iOS and macOS devices, supporting iOS and iPadOS 14 and later, and macOS 11 and later. With the ability to manage Corporate-Dedicated, Corporate-Owned, or Employee-Owned (BYOD) devices, Workspace ONE UEM offers enterprises the flexibility to meet their employees’ needs at any level.
At Apple’s Worldwide Developer Conference (WWDC) in 2021, Apple announced a directional shift in device management designed to improve the speed and efficiency of its MDM protocol. The new paradigm introduced was called Declarative Device Management (DDM). This tutorial will discuss this new paradigm as well as provide an overview of how VMware is adopting DDM in Workspace ONE UEM.
Purpose of This Tutorial
This tutorial will serve as an introduction to Apple’s new Declarative Device Management methodology and will discuss how Workspace ONE UEM is changing to incorporate this new paradigm in device management. Although the initial release of Declarative Device Management in Workspace ONE UEM is focused on iOS and iPadOS, some of the concepts in this tutorial will apply to macOS, watchOS, and tvOS as well.
This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.
Declarative Device Management
Apple’s Mobile Device Management (MDM) protocol for managing macOS and iOS devices has long been considered an imperative process. The requirement for the MDM servers to routinely poll devices for status, push changes to devices, and essentially “micromanage” the execution of every action or command on devices has long been the norm. This reactive management paradigm results in multiple round trips between the MDM server and the device, potentially creating performance bottlenecks when running at scale across thousands or tens of thousands of devices.
For example, an administrator creates an assignment to deploy an app to all corporate owned iOS devices being managed by MDM. Using the existing MDM protocol, the MDM servers would send the command to each device. Each device would return its own acknowledgment of the command. Then, the servers would poll each device to check on the status of the app installation. Each device would respond with a status update indicating that the app is installing. The server would again poll each device for a status on the app installation. This cycle would continue between each device and the servers until each device returns a status that states that the app has been installed.
This back and forth between the servers and a device may not seem like much. But consider for a moment the impact that these roundtrips to thousands of devices would have on the MDM servers.
Apple is always striving to improve their device management features and functionality, as well as optimize the performance and scalability of their MDM protocol. In 2021 at Apple’s Worldwide Developers Conference (WWDC), Apple announced a major paradigm shift in their MDM protocol. Apple calls this transformative update Declarative Device Management.
Declarative Device Management
Declarative Device Management (DDM) shifts the responsibility of policy management from the MDM servers to the device itself. Each device is autonomous and can apply management logic to itself in response to its own state changes. The device can proactively report any important state changes to the MDM servers, eliminating the need to constantly poll the device for status updates. A major benefit of Apple’s Declarative Device Management is that it is part of the existing MDM protocol and can function seamlessly side-by-side with the legacy MDM functionality. This means that a company’s existing legacy user and device profiles can co-exist with new DDM declarations and configurations. This co-existence can make the migration to DDM easier for IT admins as it allows for a granular shift toward the new paradigm as opposed to having to migrate all at once.
Apple’s goal with declarative device management is to provide an enhanced experience for managed device users, alleviate the repetitive tasks often performed by IT admins, and to allow devices to be the driver of their own managed state. This declarative approach to device management means that IT admins can be assured that their devices are in a desired state, and remain in a safe state that protects organizational data when connectivity to the MDM servers is lost. For device users, declarative device management offers a more responsive and reliable experience that includes faster onboarding and better organizational support.
DDM improves performance and scalability by reducing the number of roundtrip commands between the MDM servers and the device. Using the previous example of an app install, an IT admin creates a declaration to install an app to all corporate owned iOS devices being managed by MDM. Using the DDM process, the MDM servers would send the command to each device. Each device would return its own acknowledgment of the command. This is where DDM differs from the legacy MDM mechanism. The device will execute the installation command as specified by the server. Unlike our previous example, the MDM servers do not continually poll the device for an update on the installation progress. The servers will wait for the device to return an acknowledgment that the app has been installed.
Declarative Device Management Components
Declarative device management consists of three primary pillars, which are further discussed in this section.
- Declarations – The payloads that the server defines and sends to devices. Think of these as the existing profiles you currently use in your environment.
- Status – A communication channel used by the device to proactively update the MDM server with new information about itself.
- Extensibility – A mechanism built into DDM to allow devices and MDM servers to seamlessly support new features as they are released.
Declarations are the policies and configurations that your organization wishes to enforce on iOS and macOS devices. These can include, but are not limited to, email account configuration, passcodes, and restrictions. Like profiles, declarations are dictionaries that contain sets of keys and standard types for values that represent the payload to be applied to the device.
There are four types of declarations:
- Configuration – Configurations represent the policies to be applied to the device. These are similar to current profile payloads.
- Asset – This concept is new with DDM and provides ancillary data required by configurations. An asset references data such as a user identity or certificates. Assets have a one-to-many relationship with configurations: a single credential asset can be referenced by multiple configurations, avoiding the need to replicate the same information in each configuration.
- Activation – An activation is a declaration sub-type used to determine when to “activate” a configuration on a device. Each activation can be configured with prerequisites, or “predicates”, that must be met before any configuration associated with it activates. Activations and configurations have a many-to-many relationship, and every activation associated with a configuration must evaluate to true for that configuration to activate. The MDM server sends all declarations regardless of device state, and the device determines which ones to apply by evaluating the activations. For example, an activation might include a predicate stating that the OS version must be “iOS 17.” If the OS version does not satisfy that predicate, the device will not activate the associated configurations.
- Management – A management declaration shares general information about the state of the device. This can include details about the organization or the capabilities of the MDM server.
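To make the declaration types concrete, the following is an added Python model (not code from the tutorial, Apple, or Workspace ONE UEM) of a small declaration set and the device-side activation rule: one user identity asset referenced by two configurations, two activations, and the check that a configuration applies only when every activation naming it holds. The Type/Identifier/ServerToken/Payload structure and the com.apple.* type names follow Apple's published declaration format; the tuple-form Predicate is a simplified stand-in for Apple's predicate strings, and all identifiers and values are constructed.

```python
# Constructed sample declarations (not from the tutorial); structure and com.apple.*
# type names follow Apple's DDM format; the tuple Predicate stands in for Apple's predicate strings.
DECLARATIONS = [
    {"Type": "com.apple.asset.useridentity", "Identifier": "asset.jdoe", "ServerToken": "a1",
     "Payload": {"FullName": "Jane Doe", "EmailAddress": "jdoe@example.com"}},
    {"Type": "com.apple.configuration.account.caldav", "Identifier": "cfg.caldav", "ServerToken": "c1",
     "Payload": {"HostName": "caldav.example.com", "UserIdentityAssetReference": "asset.jdoe"}},
    {"Type": "com.apple.configuration.account.carddav", "Identifier": "cfg.carddav", "ServerToken": "c2",
     "Payload": {"HostName": "carddav.example.com", "UserIdentityAssetReference": "asset.jdoe"}},
    # cfg.caldav is named by BOTH activations, so both predicates must hold for it to activate.
    {"Type": "com.apple.activation.simple", "Identifier": "act.ios17", "ServerToken": "x1",
     "Payload": {"StandardConfigurations": ["cfg.caldav", "cfg.carddav"],
                 "Predicate": ("device.operating-system.version", ">=", "17.0")}},
    {"Type": "com.apple.activation.simple", "Identifier": "act.iphone", "ServerToken": "x2",
     "Payload": {"StandardConfigurations": ["cfg.caldav"],
                 "Predicate": ("device.model.family", "==", "iPhone")}},
]

def _version(text):
    """'17.0.1' -> (17, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def predicate_holds(predicate, status):
    """Evaluate one (status item, operator, value) predicate against the device status."""
    item, op, wanted = predicate
    actual = status.get(item)
    if actual is None:          # unknown status item: the predicate cannot hold
        return False
    if item.endswith(".version"):
        actual, wanted = _version(actual), _version(wanted)
    return {"==": actual == wanted, ">=": actual >= wanted}[op]

def active_configurations(declarations, status):
    """Return {config id: payload with assets resolved} for configs whose activations ALL hold."""
    assets = {d["Identifier"]: d["Payload"] for d in declarations if d["Type"].startswith("com.apple.asset.")}
    configs = {d["Identifier"]: d["Payload"] for d in declarations if d["Type"].startswith("com.apple.configuration.")}
    verdicts = {}               # config id -> verdict of every activation that names it
    for d in declarations:
        if d["Type"] == "com.apple.activation.simple":
            for cid in d["Payload"]["StandardConfigurations"]:
                verdicts.setdefault(cid, []).append(predicate_holds(d["Payload"]["Predicate"], status))
    result = {}
    for cid, votes in verdicts.items():
        if cid in configs and all(votes):
            payload = dict(configs[cid])
            ref = payload.pop("UserIdentityAssetReference", None)
            if ref:             # one asset shared by many configurations, resolved on the device
                payload["UserIdentity"] = assets[ref]
            result[cid] = payload
    return result
```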
Status, or more appropriately called the Status Channel, is the mechanism used by devices to proactively communicate any updates about their state to the MDM servers. The MDM servers subscribe to specific device attributes, such as serial number, OS version, UUID, and Managed App Install State. These subscriptions are communicated to the device, which then returns an initial status report. Then the device will send an update any time that the subscribed item changes. For example, the MDM server might subscribe to three status items: device operating system version, device type, and device model. The device will send its initial status for each of these items to the MDM server. In this case, the device reports that its operating system version is iOS 16. When the user upgrades the device to iOS 17, the device will report a status change for the operating system version to the MDM server. It will not report a status change for the other two subscription items because they have not changed. This reduces the amount of data sent between the device and the MDM server by eliminating the need to send redundant data that the server already knows.
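The status channel exchange above, as an added Python model (not the tutorial's, Apple's, or Workspace ONE's code): the server's subscription declaration, the device's initial full report, and the later reports that carry only the subscribed items whose value changed. The declaration type and dotted status item names follow Apple's DDM naming; the device state values are constructed.

```python
# Added model of the DDM status channel (not from the tutorial); the declaration Type and
# dotted status item names follow Apple's DDM naming, the device state values are constructed.
SUBSCRIPTION = {
    "Type": "com.apple.configuration.management.status-subscriptions",
    "Identifier": "sub.core", "ServerToken": "s1",
    "Payload": {"StatusItems": [{"Name": "device.operating-system.version"},
                                {"Name": "device.model.family"},
                                {"Name": "device.model.identifier"}]},
}

def _nest(flat):
    """{'device.model.family': v} -> {'device': {'model': {'family': v}}}, the report layout."""
    nested = {}
    for path, value in flat.items():
        node = nested
        *parents, leaf = path.split(".")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return nested

class DeviceStatusChannel:
    """Device side: remembers what the server already knows and reports only deltas."""
    def __init__(self, state):
        self.state = dict(state)      # flat status items the device knows about itself
        self.subscribed = []
        self.last_reported = {}

    def apply_subscription(self, declaration):
        """Server subscribes; the device answers with a full report of every subscribed item."""
        self.subscribed = [item["Name"] for item in declaration["Payload"]["StatusItems"]]
        self.last_reported = {name: self.state.get(name) for name in self.subscribed}
        return {"StatusItems": _nest(self.last_reported)}

    def on_state_change(self, changes):
        """Device state changed; send only subscribed items whose value differs, else nothing."""
        self.state.update(changes)
        delta = {name: self.state.get(name) for name in self.subscribed
                 if self.state.get(name) != self.last_reported.get(name)}
        if not delta:
            return None               # server already holds this data: no round trip needed
        self.last_reported.update(delta)
        return {"StatusItems": _nest(delta)}
```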
Apple products are constantly evolving with new operating system versions and new hardware platforms. As new features are released, it is crucial that compatibility be maintained between differing versions of software, hardware, and MDM servers. With declarative device management, upgraded MDM servers and devices advertise their supported capabilities so that each knows when it can take advantage of new features. The device advertises its supported payloads, while the server reports its full capabilities through a management declaration. This way, the server can immediately take advantage of new features and payloads on devices that support them.
In 2021, Apple initially announced declarative device management support for iOS/iPadOS 15 and later, with plans to expand that support to other Apple platforms and devices. At WWDC 2022, Apple added support for iOS/iPadOS 16, tvOS 16, and macOS Ventura, as well as making DDM available to all device enrollment types, including Shared iPad. These first two years were focused on developing the foundational elements of declarative device management.
In 2023, Apple added new features to declarative device management that include support for watchOS 10 and later, additional core management functionality, and new features for software updates, securing devices, managing apps and credentials, and transition profiles.
The following table outlines the supported versions of Apple platforms in declarative device management.
| Platform | Supported versions |
| --- | --- |
| macOS | Ventura 13 and later |
| iOS | 15 (user enrollment only), 16 and later (all enrollment types) |
| iPadOS | 15 and later |
| tvOS | 16 and later |
| watchOS | 10 and later |
NOTE: This list is valid as of the date the tutorial was published. Check with Apple for the latest supported operating systems.
Using Declarative Device Management with Workspace ONE
Since the initial announcement about Apple’s new declarative device management, VMware has been diligently working toward incorporating this new framework into Workspace ONE UEM. With the release of version 2306 in September of 2023, VMware announced support for declarative device management for iOS and iPadOS as a tech preview feature.
To accommodate the simultaneous usage of both Apple’s imperative MDM mechanisms and the new DDM commands, VMware has implemented a new workflow in the profile-builder user interface. The process for creating a new DDM configuration is similar to the way IT admins create an imperative profile. However, once you select your platform (in this case, iOS), you will see a new screen that offers the option to use Imperative management or Declarative management. If you select Imperative, you would then choose either Device or User context for the profile, and then proceed as normal.
This is where the process for configuring the two management types diverges. If the Declarative management type is selected, you are given the option to create an asset or a configuration. If you choose to create a configuration, you will also be given the option to select a context, either device or user.
The rest of the process is similar to creating an imperative profile. The screens for configuring required payloads and assigning Smart Groups will be familiar to IT admins who have experience configuring imperative device and user profiles.
The focus of this initial release is on declarations, the first of the three pillars in declarative device management. Specifically, Workspace ONE provides support for Configurations and Assets.
NOTE: This document will be updated as new supported DDM features are added to Workspace ONE UEM.
In this tech preview, Workspace ONE UEM supports all available DDM configurations for iOS and iPadOS. The following list outlines the newly supported configurations in Workspace ONE.
- Configure a passcode payload to manage settings such as passcode complexity, maximum number of failed attempts, maximum passcode age, auto-lock settings, and others.
- Deploy a CalDAV profile to allow end users to sync corporate calendar items.
- Deploy a CardDAV profile to allow end users to sync corporate contacts.
- Configure an LDAP profile to allow end users to access and integrate with your corporate LDAPv3 directory information.
- Push calendar subscriptions to the native Calendar app on iOS devices by configuring this payload.
- Configure devices to check in to your mail server to sync email, calendars, and contacts.
- Configure an email profile to configure email settings on the iOS device.
- Enable an end user to use their Google account in the native Mail application on their iOS device.
In this initial tech preview release, Workspace ONE UEM supports the User Identity Asset. This asset can be used to define a user’s full name and email address. This asset type takes the per-user data out of configurations and moves it into a smaller, dedicated asset-type declaration. This single asset type can be referenced by multiple configurations, eliminating the need to duplicate the same information across those configurations. Any required change to the user credential can be done on the asset only without the need to update the referencing configurations.
VMware plans to incorporate additional asset types in future releases.
Tech Preview Availability
Support for declarative device management is currently a Tech Preview feature in Workspace ONE UEM public SaaS environments, including CN135, CN137, and CN138. You can sign up for the Declarative Device Management tech preview on the VMware Anywhere Workspace Early Access™ Program portal.
Summary and Additional Resources
This tutorial provided an introduction to Apple’s new Declarative Device Management methodology and discussed how Workspace ONE UEM is changing to incorporate this new paradigm in device management.
Among the items discussed were:
- An introduction to Declarative Device Management.
- An overview of the three main pillars of DDM: declarations, status, and extensibility.
- How VMware is incorporating DDM into Workspace ONE UEM.
You may also wish to read these additional operational tutorials from macOS on VMware Tech Zone.
About the Author and Contributors
This tutorial was written by:
Considerable contributions were made by the following subject matter experts:
- Paul Evans, Product Line Manager, VMware.
- Adam Henry, Senior Product Manager, VMware.