Apple’s Declarative Device Management Availability in Workspace ONE UEM
Introduction
Apple’s Declarative Device Management (DDM), first introduced in 2021, represents a paradigm shift in managing Apple devices. In the legacy imperative model, the MDM server drives everything: it sends each command and query individually and has to follow up to learn what happened. DDM shifts the responsibility for applying policy from the MDM server to the device itself. The server publishes declarations describing the desired state, and the device becomes autonomous enough to apply that management logic to itself in response to its own state changes.
With DDM, Apple has also placed the onus of reporting state changes on the device: it tells the server when something it subscribed to has changed, rather than the server repeatedly querying for it. This reduces the repetitive back-and-forth between device and server and improves performance and scalability. The device becomes the driver of its own managed state.
I’m not going to discuss the finer details of DDM in this post. For a deeper understanding of Declarative Device Management, you might want to check out A Primer on Declarative Device Management for Apple Devices on Omnissa’s Tech Zone. You can also find more information from Apple by reading Intro to Declarative Device Management and Apple Devices.
Declarative Device Management in Workspace ONE UEM
Although available for some time as a Tech Preview feature in a limited set of UAT tenants, Declarative Device Management is now generally available with version 2406 and will reach production tenants over the next few months. In this initial release, DDM support covers iOS devices only. Management for macOS will arrive in an upcoming release.
Because DDM is built on the same MDM protocol and enrollment as Apple’s legacy device management, customers do not have to migrate their existing profiles right away. Legacy profiles and DDM declarations can co-exist on the same device. One caveat worth keeping in mind while you migrate: avoid assigning a legacy profile and a declaration that manage the same setting (passcode rules, for example) to the same device, so that there is a single source of truth for that setting. To accommodate the two models, we’ve added a new workflow in the profile-builder user interface. When creating a new profile for iOS, you will see a new screen asking you to select your Management Type, either Imperative or Declarative.
If you select Declarative, you then must select the Declaration Type. There are currently two declaration types supported in Workspace ONE UEM: Asset and Configuration.
In this initial release of DDM support, Workspace ONE UEM supports the following configurations:

| Configuration | Description |
| --- | --- |
| Passcode | Configure a passcode payload to manage settings such as passcode complexity, maximum number of failed attempts, maximum passcode age, auto-lock, and others. |
| CalDAV | Deploy a CalDAV profile to allow end users to sync corporate calendar items. |
| CardDAV | Deploy a CardDAV profile to allow end users to sync corporate contacts. |
| LDAP | Configure an LDAP profile to allow end users to access and integrate with your corporate LDAPv3 directory information. |
| Calendar Subscriptions | Push calendar subscriptions to the native Calendar app on iOS devices by configuring this payload. |
| Exchange | Configure devices to check in to your mail server to sync email, calendars, and contacts. |
| | Configure an email profile to set up email settings on the iOS device. |
| Google Account | Enable an end user to use their Google account in the native Mail application on their iOS device. |
Additionally, this initial release supports the User Identity asset. This asset type takes the per-user data (the user’s name and email address) out of the individual configurations and moves it into a smaller, dedicated asset declaration. A single User Identity asset can then be referenced by multiple configurations, such as Mail and CalDAV, so the same information does not have to be duplicated across them, and a change to the user’s details only requires updating the one asset.
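To make the state-driven model described in the introduction and the asset-reference model above concrete, here is an added example (not code from the post or from Workspace ONE UEM) that builds a small declaration set the way a DDM server would hand it to a device: a User Identity asset, a Passcode configuration, Mail and CalDAV configurations that both reference the asset, and an activation that turns the configurations on. The `Type` strings are Apple’s published declaration types; the payload keys are given as I recall them from Apple’s declaration schema and should be checked against the current schema before use. The identifiers, hostnames, user details and the SHA-256 `ServerToken` scheme are constructed for the example (the protocol only requires that a `ServerToken` change whenever a declaration’s content changes; how a given server derives it is its own business). The last function shows what changes when the user’s email address is updated: only the asset’s token moves, so the device re-fetches one declaration instead of every configuration that carries that address.

```python
import copy
import hashlib
import json

# Constructed sample declarations. Type strings are Apple's public DDM
# declaration types; identifiers, hosts and user details are made up.
USER_IDENTITY = {
    "Type": "com.apple.asset.useridentity",
    "Identifier": "asset.useridentity.jdoe",
    "Payload": {"FullName": "Jane Doe", "EmailAddress": "jdoe@example.com"},
}
PASSCODE = {
    "Type": "com.apple.configuration.passcode.settings",
    "Identifier": "config.passcode.corp",
    "Payload": {
        "RequirePasscode": True,
        "MinimumLength": 8,
        "MaximumFailedAttempts": 10,
        "MaximumPasscodeAgeInDays": 90,
        "MaximumInactivityInMinutes": 5,
    },
}
MAIL = {
    "Type": "com.apple.configuration.mail",
    "Identifier": "config.mail.corp",
    "Payload": {
        "VisibleName": "Corporate Mail",
        "UserIdentityAssetReference": "asset.useridentity.jdoe",  # shared asset
        "IncomingServer": {"HostName": "imap.example.com", "Port": 993},
        "OutgoingServer": {"HostName": "smtp.example.com", "Port": 587},
    },
}
CALDAV = {
    "Type": "com.apple.configuration.calendar.caldav",
    "Identifier": "config.caldav.corp",
    "Payload": {
        "VisibleName": "Corporate Calendar",
        "UserIdentityAssetReference": "asset.useridentity.jdoe",  # same asset
        "HostName": "caldav.example.com",
        "Port": 443,
    },
}
ACTIVATION = {
    "Type": "com.apple.activation.simple",
    "Identifier": "activation.corp",
    "Payload": {"StandardConfigurations": ["config.passcode.corp", "config.mail.corp", "config.caldav.corp"]},
}

GROUP_FOR_KIND = {"activation": "Activations", "asset": "Assets",
                  "configuration": "Configurations", "management": "Management"}


def baseline():
    """The full declaration set the server is publishing for this device."""
    return [USER_IDENTITY, PASSCODE, MAIL, CALDAV, ACTIVATION]


def server_token(declaration):
    """Opaque ServerToken. Assumption for this example: a SHA-256 over the
    canonical JSON of Type, Identifier and Payload, so any content change
    produces a new token, which is all the device relies on."""
    canon = json.dumps({k: declaration[k] for k in ("Type", "Identifier", "Payload")},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def declaration_items(declarations):
    """Build the declaration-items response: only Identifier + ServerToken per
    declaration, grouped by kind, plus a DeclarationsToken over the whole set.
    The device compares this with what it already holds and fetches only the
    declarations whose token differs."""
    groups = {name: [] for name in GROUP_FOR_KIND.values()}
    for d in declarations:
        kind = d["Type"].split(".")[2]          # e.g. "configuration"
        groups[GROUP_FOR_KIND[kind]].append(
            {"Identifier": d["Identifier"], "ServerToken": server_token(d)})
    for entries in groups.values():
        entries.sort(key=lambda e: e["Identifier"])
    blob = json.dumps(groups, sort_keys=True, separators=(",", ":")).encode()
    return {"Declarations": groups, "DeclarationsToken": hashlib.sha256(blob).hexdigest()}


def changed_declarations(old_items, new_items):
    """Identifiers the device would re-fetch: new, or with a different token."""
    def flat(items):
        return {e["Identifier"]: e["ServerToken"]
                for group in items["Declarations"].values() for e in group}
    old, new = flat(old_items), flat(new_items)
    return sorted(i for i, tok in new.items() if old.get(i) != tok)


def check_references(declarations):
    """Server-side sanity check: every UserIdentityAssetReference must point at
    a declared user-identity asset, or the referencing configuration fails."""
    assets = {d["Identifier"] for d in declarations if d["Type"] == "com.apple.asset.useridentity"}
    return [(d["Identifier"], d["Payload"]["UserIdentityAssetReference"])
            for d in declarations
            if d["Payload"].get("UserIdentityAssetReference") not in assets | {None}]


def rotate_user_email(declarations, new_email):
    """Simulate an admin changing the user's address: only the asset is edited."""
    out = copy.deepcopy(declarations)
    for d in out:
        if d["Type"] == "com.apple.asset.useridentity":
            d["Payload"]["EmailAddress"] = new_email
    return out


if __name__ == "__main__":
    before = declaration_items(baseline())
    after = declaration_items(rotate_user_email(baseline(), "jane.doe@example.com"))
    print("dangling references:", check_references(baseline()))
    print("device re-fetches:", changed_declarations(before, after))
```

Running it shows `device re-fetches: ['asset.useridentity.jdoe']`: Mail and CalDAV keep their tokens because their content (a reference, not a copy of the address) did not change. The `check_references` call is the kind of pre-publish check a server should run, since a configuration pointing at a missing asset will not apply on the device.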
We are also hard at work integrating the Software Update Enforcement configuration into Workspace ONE UEM and expect to release support for it soon.
NOTE: Declarative Device Management is part of the new Workspace ONE UEM Modern SaaS Architecture, which is currently being rolled out to SaaS tenants around the globe. It will be introduced to your tenants in the coming months as the rollout proceeds. If you don’t see it in your tenant now, be patient. It will get there soon enough.
Summary
This initial release is only the beginning of our journey into Apple’s new MDM paradigm. With future releases of Workspace ONE UEM, Omnissa will add support for additional Declarative Device Management configurations, assets, activations, and management declarations, as well as support for macOS and watchOS.
Again, version 2406 is currently being rolled out. It may take a couple of months to reach all SaaS tenants.
And, with its existing support for sensors, scripts, application delivery, workflow automation, and much more, Workspace ONE UEM continues to be the MDM solution of choice for IT admins across the globe managing Apple devices.