1. SimpleMDM Help Center
  2. Documentation
  3. Advanced Features

Declarative Device Management (DDM)

SimpleMDM now supports a number of aspects of Apple’s Declarative Device Management (DDM) protocol. This article covers the DDM components that are currently supported and what to expect.

Enabling Declarative Device Management

The declarative device management channel is enabled automatically on all eligible devices when they check in with MDM. Admins do not need to take any action to enable this.

Legacy MDM protocol functionality will continue to operate normally.

DDM Status Reports

When DDM is enabled on a device, the device will periodically send status reports back to MDM (without the MDM polling for this information). Status Reports provide the current device state with information about the device. Status Reports do not always include the full output of the device state - some reports are triggered by device state changes (such as an OS update), and only include limited information.

When SimpleMDM receives a status report from a device, a log entry will be created with the JSON output from the device.

Declarations (Configurations)

At the moment, the following DDM-specific configurations are available:

  • Managed Software Updates
  • Service Configuration Files
  • Software Update Settings
  • Safari Extensions Settings
  • Disk Management Settings
  • Background Task Management

Notes:

  • When a declaration has been installed, it will be displayed differently from profiles on the device itself. Rather than appearing as a separate profile under System Settings, it will be displayed under the top-level MDM profile details.
  • The profiles command will not return Declarations in the results.
  • Declarations are installed/moved to a tamper-proof location.

  • Only traditional/legacy custom configuration profiles are supported. Custom declarations (JSON payloads) are currently unsupported.

  • Existing legacy MDM profiles will be migrated to use DDM at a later date.

Service configuration files

Service configuration files are new configuration option that Apple supports for macOS 14+ devices that have DDM enabled. This configuration allows admins to configure and manage system services on macOS such as sshd, sudo, bash, zsh, etc. See Apple’s documentation for more information on Service Configurations.

To deploy a service configuration to a device:

  1. Make sure the target Macs are running macOS 14+ and have DDM enabled.
  2. Go to Configs > Profiles and click “Create Profile”.
  3. From the list, select “Service Configuration File”.
  4. In the “Service” dropdown, select one of the predefined services, or select “Other” to specify a different service. When selecting “Other”, you will need to enter the service identifier which should have a format like “com.apple.sshd”.
  5. Upload the service configuration file. This should be a zip archive with the directory - this can contain one or many files and should mirror the layout of the directory it replaces.
  6. Click “Save” when you are done and assign the configuration to your devices.

Testing service configuration files

  • Once assigned and installed on a device, you can check System Settings > Profiles > MDM Profile > Device Declarations > Profile Name on devices to verify the configuration was applied.

Managed Software Updates 

This new declarative configuration allows admins to schedule the enforcement of OS software updates by a specific date and time. Device users will receive period notifications to notify and remind them when the update will occur, with the option to update sooner if they choose.

Apple documentation for this feature is available here.

To create a Managed Software Updates profile:

  1. Make sure the target devices are running macOS 14+ or iOS/iPadOS 17+ and have DDM enabled.
  2. Go to Configs > Profiles and click “Create Profile”.
  3. From the list, select “Managed Software Updates”.
  4. Configure the settings as desired to enforce the specific update and enforcement date and time as needed.
  5. Assign the configuration to your devices/groups.

Managed Software Updates configuration settings explained 

SimpleMDM has built the Managed Software Update configuration with some additional logic to help you more easily control how and when software updates are enforced, without needing to repeatedly update the configuration when new OS versions are released.

  • Version (target operating system version): this is where you can select the OS version you want to enforce on devices. There are multiple modes available to choose from based on what best suits your needs. Options:
    • Latest Minor Version: Installs the latest minor and patch versions available (ex. 14.1 > 14.2.1), but does not install major upgrades (ex. 14.x > 15.0)
    • Latest Major Version: Always installs the latest major, minor, and patch version (ex. 14.1.2 > 15.1.1)
    • Minimum Specific Version: This option allows admins to select a specific OS version for both iOS and macOS to be enforced on devices. When selected, MDM will attempt to install the selected OS version. If this version is not available, admins can set a fallback behavior.
      • If Version Not Available: This option specifies what behavior the admin prefers if the specified OS version is not available. The options are:
        • Do No Install: If the selected version is not available, do not install the next available version (eg. do nothing).
        • Install Next Available Version: If the selected version is not available, install the next closest available version.
    • Latest Version Minus: This option allows admins to automatically enforce a specific version that is relative to the most recent version - eg. N-1. For example, if the offset is "N-1", 14.1.2 is the latest, and 14.1.1 is the previous version, installs 14.1.1. “N-2” would install 14.1.
  • Enforce By: This section is where admins can control the timing of the update enforcement.
    • Specific Date: This will enforce the selected update by a specific time and date.
      • Enforcement Date: The local date the update will be enforced.
      • Enforcement Time: The local time the update will be enforced.
    • Relative Date: This will enforce the selected update based on a date relative to the release date of the OS version.
      • Days After Public Release: The number of days following the official Apple release date for the specified OS version after which the update will be enforced on target devices.
      • Enforcement Time: The local time the update will be enforced, using relative days to determine the date.
  • Details Page URL: This is a custom URL that admins can set. On macOS, when users receive the prompt notifying them of the enforced update, an optional details link can be made available to allow end-users to click and get more information about the update. SimpleMDM does not set this automatically - admins would want to host their own web page to display any information they want to share with their end users.

 

Further Reading

For an overview on Declarative Device Management, check out our blog article.

Known Issues

Legacy DDM profiles fail to update on macOS 14.0. This should be resolved in macOS 14.1+. For macOS 14.0, the updated profiles will need to be removed and re-installed.

Hayley Solano
Updated

Related articles

Still have a question or want to share what you have learned? Visit our Community Discord to get help and collaborate with others.