Apple gave us a glimpse of its vision for the future of mobile device management (MDM) at its 2021 Worldwide Developers Conference with the introduction of Declarative Management.
Apple’s mobile device management (MDM) protocol is an important part of managing and maintaining macOS, iOS, iPadOS, and tvOS devices at an organization. With nearly every new operating system release from Apple we see new features and functionality added to the MDM protocol. As it currently stands, MDM is largely a reactive management approach: a device enrolls in a management service, the service pushes down profiles to define the desired state of the device, and the device then reports back its status. It can take some jockeying back and forth for the server to confirm a device’s state and take action if necessary. When this back-and-forth happens across a large device footprint it can put a lot of strain on a management server.
The announcement of Declarative Management presents a substantial shift in Apple’s MDM philosophy. This new approach empowers the individual device to act more autonomously and proactively within the confines of policies from its management server. A device will detect its own state changes and take action based on defined criteria rather than waiting to hear back from the management server after phoning home. And instead of waiting for a recurring push for the server to learn about changes on a device, the device can proactively send its updated information directly to the server as needed. As a result, device information should be more accurate and reported back in a more timely fashion, and policies can be applied faster on a device to better maintain desired state.
Declarative Management is made up of three core data models: declarations, status, and extensibility.
Declarations are the payloads that define policy and desired state on a device; together they make up the policy an organization wants to define for a device. They are serialized as JSON objects (a notable change from the plists used by the existing MDM protocol) and have required properties that allow the policy to synchronize with the management server. Declarations come in four flavors:
[Image: icons representing the four declaration types: configurations, assets, activations, and management.]
Configurations: similar to what we currently use to apply settings and restrictions on devices (e.g., device passcode settings).
Assets: the reference data needed by a device for configuration. This data can be hosted by the management server or on a content delivery network (CDN).
Activations: the set(s) of configuration data that the device will automatically apply. Activations can refer to multiple configurations, resulting in a many-to-many relationship with devices. In a nutshell, activations allow an MDM to send all declarations for any device state to all managed devices, with the individual device determining what to apply. When device state changes, the device can take action autonomously without waiting for intervention from the management server.
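To make the declaration and activation model concrete, here is an added, self-contained Python illustration (not code from Apple or from this article) of how a device could evaluate activations against its own state without a server round trip. The required property names (Type, Identifier, ServerToken, Payload), the com.example type prefixes, the Predicate and Configurations payload keys, and the simple key-equals-value predicate are all constructed assumptions for the example, not Apple’s specification.

```python
import json

# Required top-level properties every declaration carries so that device and
# server can track and synchronize it. Key names are assumed for this example.
REQUIRED = ("Type", "Identifier", "ServerToken", "Payload")
CONFIG_PREFIX = "com.example.configuration."   # constructed type prefixes,
ACTIVATION_PREFIX = "com.example.activation."  # not Apple's identifiers

def parse_declaration(raw: str) -> dict:
    """Parse one JSON declaration; reject it if a required property is absent."""
    decl = json.loads(raw)
    missing = [k for k in REQUIRED if k not in decl]
    if missing:
        raise ValueError(f"declaration missing required properties: {missing}")
    return decl

def predicate_matches(predicate: dict, state: dict) -> bool:
    """Constructed stand-in for an activation predicate: every listed key must
    equal the device's current value; an empty predicate always matches."""
    return all(state.get(k) == v for k, v in predicate.items())

def resolve(declarations: list, state: dict) -> set:
    """Device-side evaluation: which configuration identifiers should be active
    for this device state. The management server is not consulted."""
    delivered = {d["Identifier"] for d in declarations if d["Type"].startswith(CONFIG_PREFIX)}
    active = set()
    for d in declarations:
        if d["Type"].startswith(ACTIVATION_PREFIX) and \
                predicate_matches(d["Payload"].get("Predicate", {}), state):
            # One activation may reference several configurations, and one
            # configuration may be referenced by several activations (many-to-many).
            # References to configurations not yet delivered are ignored.
            active |= {i for i in d["Payload"]["Configurations"] if i in delivered}
    return active

def on_state_change(declarations: list, old: dict, new: dict) -> tuple:
    """Return (to_apply, to_remove) when the device observes its own state change."""
    before, after = resolve(declarations, old), resolve(declarations, new)
    return after - before, before - after

# Constructed sample declarations (illustrative, not from Apple or the article).
SAMPLE = [json.dumps(d) for d in (
    {"Type": CONFIG_PREFIX + "wifi", "Identifier": "wifi-corp",
     "ServerToken": "tok-1", "Payload": {"SSID": "Corp"}},
    {"Type": CONFIG_PREFIX + "passcode", "Identifier": "passcode-strict",
     "ServerToken": "tok-2", "Payload": {"MinimumLength": 10}},
    {"Type": ACTIVATION_PREFIX + "simple", "Identifier": "act-everyone",
     "ServerToken": "tok-3", "Payload": {"Configurations": ["wifi-corp"]}},
    {"Type": ACTIVATION_PREFIX + "simple", "Identifier": "act-supervised",
     "ServerToken": "tok-4", "Payload": {"Predicate": {"supervised": True},
      "Configurations": ["passcode-strict", "wifi-corp", "vpn-not-yet-delivered"]}},
)]
DECLARATIONS = [parse_declaration(raw) for raw in SAMPLE]

if __name__ == "__main__":
    print(on_state_change(DECLARATIONS, {"supervised": False}, {"supervised": True}))
```

Switching the sample device from unsupervised to supervised activates only the strict passcode configuration; the Wi-Fi configuration stays applied because both activations reference it.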