Declarative Device Management (Beta)

SimpleMDM now supports a number of aspects of Apple’s Declarative Device Management (DDM) protocol. This article covers the DDM components that are currently supported and what to expect.

Notes on the Beta Program

  • At the moment, this is only available to customers that opt-in to the beta program. If you are interested, please reach out to support.
  • If you are a paying customer and would like a separate dev account to test beta features in, you can create a new trial account and then contact support. They can convert it to a free dev account with a 5-device limit.
  • Declarative Management is currently supported in SimpleMDM for macOS 14.0+, iOS 17.0+, and iPadOS 17.0+.
  • We recommend testing DDM beta features on non-production devices - either in separate development accounts, or using separate device groups and profiles that are not used for production. Make sure to test your workflows thoroughly before enabling DDM on any production devices. Development accounts are available for free to paying customers. Contact support with any questions related to this.

Enabling Declarative Device Management

DDM can currently be enabled on a per-device-group basis. To enable it for a group:

  1. Navigate to the Group Details page.
  2. Check the box labeled “Enable Declarative Management”.
  3. This will enable the DDM protocol for all eligible devices within the group. Devices that join this group while this option is checked will also have DDM enabled if they are running a supported OS version.

Note: Once enabled, legacy MDM protocol functionality will continue to operate normally.


Verifying DDM is Enabled

Once the DDM option has been turned on for a group, you can verify it was enabled at the device level by:

  • Viewing the Device Details page - the “DDM” field will show “Yes” if enabled.
  • Viewing the logs - there will be an entry in the logs indicating the enabled event.


Disabling DDM

Once DDM has been enabled, if a device is moved to a different group, it will remain enabled. To disable DDM, the device will need to be unenrolled and re-enrolled into a group that does not have this option turned on.


Installing Profiles as Declarations

Custom profiles can now optionally be installed as declarative configurations.

To enable Declarations for a profile:

  1. Create the new profile and configure the settings as needed.
  2. Check the box labeled “Install as Declaration”.
  3. Save the profile and assign it to your devices.

Notes:

  • Only traditional/legacy custom configuration profiles are supported. Custom declarations (JSON payloads) are currently unsupported.
  • If the “Enable Declarative Management” option is toggled for a profile while it is installed on a device, the device will currently return an error. An installed profile cannot currently be updated and have its state changed - it must be uninstalled and re-installed.
  • Custom configuration profiles that contain account type payloads (like email, VPN, etc.) or passcode payloads will have these payloads silently ignored.
  • A migration path for existing profiles will be provided at a later date.
  • Currently, DDM-installed profiles are unencrypted.
  • When a profile has been installed as a Declaration, it will be displayed differently on the device itself. Rather than appearing as a separate profile under System Settings, it will be displayed under the top-level MDM profile details.
  • The profiles command will not return Declarations in the results.
  • Declarations are installed/moved to a tamper-proof location.


DDM Status Reports

When DDM is enabled on a device, the device periodically sends status reports to the MDM server on its own (without the MDM polling for this information). Status reports describe the current device state. They do not always include the full device state - some reports are triggered by device state changes (such as an OS update) and include only limited information.

When SimpleMDM receives a status report from a device, a log entry will be created with the JSON output from the device.
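The following added example (not SimpleMDM's or Apple's code) shows how an admin might triage the logged status report JSON: it pulls the OS version when present and lists declarations the device reports as inactive or invalid, which is where the "device will return an error" case from the notes above surfaces. The sample report is constructed, and the key names are assumed to follow Apple's status report schema (StatusItems, management.declarations, active/valid/reasons).

```python
import json

# Constructed sample of a DDM status report as it would appear in a SimpleMDM
# log entry. Key names are assumed to follow Apple's status report schema;
# the identifiers, tokens and version number are made up for this example.
SAMPLE_REPORT = json.dumps({
    "StatusItems": {
        "device": {"operating-system": {"version": "14.0"}},
        "management": {"declarations": {
            "configurations": [
                {"identifier": "com.example.profile.wifi", "active": True,
                 "valid": "valid", "server-token": "tok-1"},
                {"identifier": "com.example.profile.passcode", "active": False,
                 "valid": "invalid", "server-token": "tok-2",
                 "reasons": [{"code": "Error.ConfigurationCannotBeApplied",
                              "description": "Payload could not be applied"}]},
            ]}},
    },
    "Errors": [],
})


def os_version(report_json):
    """Return the reported OS version, or None for a partial report without it."""
    return (json.loads(report_json).get("StatusItems", {}).get("device", {})
            .get("operating-system", {}).get("version"))


def declaration_problems(report_json):
    """Return (identifier, summary) pairs for declarations that are not both
    active and valid. A partial report with no declarations section (for
    example one triggered only by an OS update) yields an empty list."""
    report = json.loads(report_json)
    decls = (report.get("StatusItems", {}).get("management", {})
             .get("declarations", {}))
    problems = []
    for kind in ("activations", "configurations", "assets", "management"):
        for d in decls.get(kind, []):
            if d.get("active") and d.get("valid") == "valid":
                continue
            reasons = "; ".join(r.get("description", r.get("code", "?"))
                                for r in d.get("reasons", []))
            summary = f"{kind}: active={d.get('active')} valid={d.get('valid')} {reasons}"
            problems.append((d["identifier"], summary.strip()))
    return problems
```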


Suggestions for Testing

  • Create or designate a dedicated test group and enable Declarative Management for the group.
  • Create or clone some custom profiles to designate for testing and enable Declarative Management on those profiles.
  • Assign the test profiles to your DDM test group.
  • Assign a test device to this group and verify the profiles install.
  • Set the DDM test group to an enrollment as the “Initial device group”, and run through an enrollment on a test device to ensure everything works as expected. We recommend creating a separate enrollment for this if there are production devices in the account you are testing in.

New feature: Service configuration files

Service configuration files are a new configuration option that Apple supports for macOS 14+ devices that have DDM enabled. This configuration allows admins to configure and manage system services on macOS such as sshd, sudo, bash, zsh, etc. See Apple’s documentation for more information on Service Configurations.

To deploy a service configuration to a device:

  1. Make sure the target Macs are running macOS 14+ and have DDM enabled.
  2. Go to Configs > Profiles and click “Create Profile”.
  3. From the list, select “Service Configuration File”.
  4. In the “Service” dropdown, select one of the predefined services, or select “Other” to specify a different service. When selecting “Other”, you will need to enter the service identifier which should have a format like “com.apple.sshd”.
  5. Upload the service configuration file. This should be a zip archive of the directory; it can contain one or many files and should mirror the layout of the directory it replaces.
  6. Click “Save” when you are done and assign the configuration to your devices.
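As an added example (not SimpleMDM's or Apple's code) of preparing step 4 and step 5, the block below builds a constructed sshd archive in memory and checks it before upload: the service identifier must be reverse-DNS like “com.apple.sshd”, and every entry must be a relative, traversal-free file so that only the intended directory is replaced on the Mac. It assumes the archive holds the files relative to the directory being replaced; the drop-in file contents are illustrative only.

```python
import io
import re
import zipfile

# Assumption: identifiers are reverse-DNS names such as "com.apple.sshd".
SERVICE_ID_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

# Constructed sample: one drop-in file mirroring the layout of an
# sshd_config.d directory. Values are illustrative, not a recommendation.
SAMPLE_FILES = {
    "100-managed.conf": "PasswordAuthentication no\n"
                        "KbdInteractiveAuthentication no\n",
}


def build_archive(files):
    """Zip a mapping of relative path -> text into an in-memory archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


def validate_archive(data, service_id):
    """Return a list of problems; an empty list means the archive looks fit
    to upload. Flags a malformed identifier, a non-zip upload, an empty
    archive, and any entry that is absolute or escapes the target directory."""
    problems = []
    if not SERVICE_ID_RE.match(service_id):
        problems.append(f"service identifier {service_id!r} is not reverse-DNS")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return problems + ["not a zip archive"]
    names = [n for n in zf.namelist() if not n.endswith("/")]
    if not names:
        problems.append("archive contains no files")
    for name in names:
        if name.startswith("/") or "\\" in name or ".." in name.split("/"):
            problems.append(f"unsafe entry path: {name}")
    return problems
```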


Testing service configuration files

  • Once assigned and installed on a device, you can check System Settings > Profiles > MDM Profile > Device Declarations > Profile Name on devices to verify the configuration was applied.


Further Reading

For an overview on Declarative Device Management, check out our blog article.

DDM Beta Release Notes

11/8/2023

  • Service configuration files added.

11/7/2023

  • “Declarative Enabled” column added to profile assignment page.

10/18/2023

  • Resolved an issue where DDM-enabled profiles were not able to be updated on iOS/iPadOS.

10/17/2023

  • Added “Clone as DDM” option to custom profiles.

Known Issues

  • Legacy DDM profiles fail to update on macOS 14.0. This should be resolved in macOS 14.1+. For macOS 14.0, the updated profiles will need to be removed and re-installed.
  • Custom attribute updates do not currently trigger an update for DDM-enabled profiles. The profile itself will need to be re-saved.
