DDM (Apple)
Declarative Device Management (DDM) is an advanced framework introduced by Apple to enhance the management of iOS, iPadOS, and macOS devices. Unlike traditional device management methods, DDM allows devices to proactively apply configurations and policies based on declarations provided by administrators or IT departments. These declarations define the desired state of the device, enabling it to autonomously enforce settings and make adjustments without constant communication with a management server. DDM can manage various aspects of device configuration, including account setups, security policies, app management, and compliance enforcement. By utilizing a more device-centric approach, DDM reduces network traffic and server load, allowing for more efficient and scalable device management. This framework provides organizations with a dynamic and responsive way to ensure devices remain configured correctly and adhere to organizational policies, even in changing environments or when devices are offline.
- Apple Device Management - DDM Assets
- Apple Device Management - DDM Configurations
- Background Tasks (DDM status - macOS)
Apple Device Management - DDM Assets
What
In FileWave 15.5, a new feature called Assets has been introduced to enhance Apple’s Declarative Device Management (DDM). Assets are reusable components that can be shared among different configurations. They allow administrators to create common settings, such as user credentials, server information, or certificates, that can be referenced across multiple DDM configurations without duplication. This streamlines device management by centralizing shared elements, reducing redundancy, and simplifying updates.
When/Why
Use Assets when you need to:
This approach is particularly beneficial for organizations managing large numbers of devices that require consistent settings, such as educational institutions or enterprises with standardized environments.
Note: Assets and DDM configurations are supported on devices running: iOS 15 and later, iPadOS 15 and later, macOS 12 Monterey and later
How
To create and use Assets in FileWave 15.5:
- Create an Asset:
  - Create a new Fileset and pick DDM Asset from the Apple section.
- Configure the Asset:
  - Define the settings you wish to reuse, such as user credentials, server addresses, or certificates. In FileWave 15.5.0 we started with Authentication credentials and User identity as the first 2 options.
- Reference the Asset in DDM Configurations:
  - Create or Edit a DDM Configuration: Create a new Fileset and pick DDM Configuration from the Apple section.
  - In the configuration settings, add a reference to the Asset you created if the DDM Configuration supports it. An example is the CalDAV configuration which can include Authentication credentials from a DDM Asset.
- Automatic Dependency Handling:
  - When a configuration references an Asset, FileWave automatically manages the Asset as a dependency.
  - Deploying the configuration will also deploy the associated Asset to the target devices.
- Deploy to Devices:
  - Assign the configurations that reference the Assets to your devices or device groups.
  - Monitor the deployment to ensure that devices receive both the configuration and the associated Assets.
Digging Deeper
Assets in FileWave 15.5 represent a significant step forward in device management efficiency. By centralizing common configuration elements:
- Consistency is Ensured: All devices referencing an Asset receive the exact same settings, reducing discrepancies.
- Simplified Maintenance: Changes need only be made once within the Asset, and all dependent configurations inherit the update.
- Organizational Control: Permissions and Fileset organization allow for structured management of Assets, aligning with administrative roles and responsibilities.
By leveraging Assets, administrators can reduce the complexity of managing multiple configurations, ensure uniformity across devices, and respond quickly to changes in shared settings.
Apple Device Management - DDM Configurations
What
Declarative Device Management (DDM) is Apple’s modern approach to device management, introduced to enhance and eventually replace traditional Mobile Device Management (MDM) protocols. With FileWave 15.5, support for DDM configurations is now available, allowing administrators to manage Apple devices more efficiently. DDM shifts some management logic to the device, enabling it to proactively apply configurations and report status updates, reducing server load and improving scalability.
When/Why
Implement DDM Configurations in FileWave 15.5 when you aim to:
- Modernize Device Management: Adopt Apple’s latest device management methodology to stay current with industry advancements.
- Increase Efficiency: Allow devices to autonomously manage configurations, reducing reliance on constant server communication.
- Enhance Scalability: Improve performance when managing large fleets, as devices handle more processing locally.
- Improve Responsiveness: Devices can apply configurations and respond to changes more quickly without waiting for server commands.
This is particularly useful for organizations managing numerous devices, seeking to optimize performance and reduce overhead.
Note: Assets and DDM configurations are supported on devices running: iOS 15 and later, iPadOS 15 and later, macOS 12 Monterey and later
How
To create and use Configurations in FileWave 15.5:
- Create a Configuration:
  - Create a new Fileset and pick DDM Configuration from the Apple section.
- Configure the Configuration:
  - Pick the Configuration you want to use. In FileWave 15.5.0 we started with Account: CalDAV, Passcode Settings, Screen Sharing Connections, Screen Sharing Host Settings, and Software Update Settings as the first configurations.
- Reference a DDM Asset in DDM Configurations:
  - Some Configurations can reference Apple Device Management - DDM Assets. An example is the Account: CalDAV Configuration which can be fed credentials from a DDM Asset.
- Automatic Dependency Handling:
  - When a configuration references an Asset, FileWave automatically manages the Asset as a dependency.
  - Deploying the configuration will also deploy the associated Asset to the target devices.
- Deploy to Devices:
  - Assign the configurations to your devices or device groups.
  - Monitor the deployment to ensure that devices receive both the configuration and the associated Assets.
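The Asset reference and dependency handling described in both How sections can be checked offline before assignment. The following is an added example, not FileWave code: it assumes declarations shaped like Apple's DDM JSON (`Type`, `Identifier`, `Payload`, with payload keys ending in `AssetReference`), and every identifier and host name in it is constructed.

```python
# Constructed sample declarations; the credential asset's payload is omitted here.
DECLARATIONS = [
    {"Type": "com.apple.asset.credential.userpassword",
     "Identifier": "asset.caldav-creds", "Payload": {}},
    {"Type": "com.apple.asset.useridentity",
     "Identifier": "asset.user-identity",
     "Payload": {"FullName": "Test User", "EmailAddress": "user@example.com"}},
    {"Type": "com.apple.configuration.account.caldav",
     "Identifier": "config.caldav",
     "Payload": {"HostName": "cal.example.com", "Port": 8443,
                 "AuthenticationCredentialsAssetReference": "asset.caldav-creds",
                 "UserIdentityAssetReference": "asset.user-identity"}},
    {"Type": "com.apple.configuration.account.caldav",
     "Identifier": "config.caldav-broken",
     "Payload": {"HostName": "cal2.example.com",
                 "AuthenticationCredentialsAssetReference": "asset.missing"}},
]


def asset_references(declaration):
    """Return the asset identifiers a configuration's payload points at."""
    return sorted(v for k, v in declaration.get("Payload", {}).items()
                  if k.endswith("AssetReference") and isinstance(v, str))


def resolve_deployment(assigned_ids, declarations):
    """Return (ordered identifiers to deploy, dangling (config, ref) pairs).

    Assets are listed before the configuration that needs them; a configuration
    whose reference does not resolve to an asset is held back, not deployed.
    """
    by_id = {d["Identifier"]: d for d in declarations}
    deploy, dangling = [], []
    for cfg_id in assigned_ids:
        refs = asset_references(by_id[cfg_id])
        missing = [r for r in refs
                   if not by_id.get(r, {}).get("Type", "").startswith("com.apple.asset.")]
        if missing:
            dangling.extend((cfg_id, r) for r in missing)
            continue
        for ident in refs + [cfg_id]:
            if ident not in deploy:
                deploy.append(ident)
    return deploy, dangling
```
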
Digging Deeper
Declarative Device Management (DDM) represents a significant evolution in Apple’s device management strategy:
- Device-Centric Management: Devices receive declarations of desired states and autonomously ensure compliance, reducing the need for continuous server commands.
- Enhanced Performance: Offloading processing to devices improves performance and scalability, especially in large environments.
- Improved Reliability: Devices can enforce configurations even when temporarily disconnected from the management server.
Key Benefits:
- Reduced Server Load: Servers are less burdened with managing individual device states, as devices handle more tasks independently.
- Faster Configuration Application: Devices can apply changes immediately upon receiving declarations, without waiting for additional instructions.
- Proactive Compliance: Devices continuously ensure they meet the declared state, self-correcting if configurations are altered or removed.
By embracing DDM configurations in FileWave 15.5, organizations can achieve a more efficient, scalable, and responsive device management system that meets the demands of modern IT environments.
Background Tasks (DDM status - macOS)
What
FileWave has integrated Apple’s Declarative Device Management (DDM) capabilities to enhance the monitoring of background tasks on macOS devices. This new feature allows administrators to receive detailed reports on the background tasks that are present. The information provided includes the service identifier, the application path (e.g., /Applications/1Password.app), the status of the service (such as enabled or not registered), the type of service (application or login item), the user ID (UID) under which the service is running, and the code signature details.
By leveraging DDM, macOS devices can autonomously report this information without the need for constant server queries. This enhancement improves the visibility of background processes across your device fleet, aiding in compliance, security auditing, and troubleshooting efforts.
When/Why
This feature is particularly useful when there is a need to:
- Audit Background Tasks: Keep track of all background tasks running on macOS devices to ensure they comply with organizational policies.
- Enhance Security Monitoring: Identify unauthorized or malicious background tasks that could pose security risks.
- Troubleshoot Issues: Diagnose problems related to application performance or system stability by analyzing running background tasks.
- Compliance Verification: Ensure that required tasks are running and that unnecessary ones are disabled, aligning with compliance standards.
Why This Feature Matters
Understanding which background tasks are running on your macOS devices is crucial for maintaining a secure and efficient computing environment. Background tasks can have significant impacts on device performance, battery life, and security. Unauthorized tasks might access sensitive data or provide an entry point for threats. By receiving detailed reports on these tasks, administrators can take proactive measures to manage and secure their device fleet effectively.
The integration of DDM enhances this process by allowing devices to report their status autonomously. This reduces the need for frequent server polling, decreases network traffic, and provides up-to-date information without delays.
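One way to turn the reported fields into an audit, as an added example that is not part of FileWave: the record keys (`identifier`, `path`, `state`, `type`, `uid`, `team_id`), the approved signer list and all sample records are constructed for illustration and do not reflect FileWave's inventory schema.

```python
# Constructed allowlist of code-signing team identifiers approved by the organization.
APPROVED_TEAM_IDS = {"TEAMID0001"}
# Locations an unprivileged user can normally write to.
USER_WRITABLE_PREFIXES = ("/Users/", "/private/tmp/", "/tmp/")

# Constructed sample of reported background tasks (hypothetical field names).
REPORTED_TASKS = [
    {"identifier": "com.example.pwmanager.helper", "path": "/Applications/1Password.app",
     "state": "enabled", "type": "application", "uid": 501, "team_id": "TEAMID0001"},
    {"identifier": "com.example.updater", "path": "/Library/Application Support/Updater/agent",
     "state": "enabled", "type": "login item", "uid": 501, "team_id": "TEAMID9999"},
    {"identifier": "com.example.sync", "path": "/Users/alice/.cache/sync",
     "state": "enabled", "type": "application", "uid": 0, "team_id": None},
    {"identifier": "com.example.old", "path": "/Applications/Old.app",
     "state": "not registered", "type": "application", "uid": 501, "team_id": None},
]


def audit_task(task):
    """Return a list of findings for one reported background task."""
    if task["state"] != "enabled":
        return []  # only tasks that can actually run are reviewed here
    findings = []
    team_id = task.get("team_id")
    if not team_id:
        findings.append("unsigned")
    elif team_id not in APPROVED_TEAM_IDS:
        findings.append(f"unapproved signer {team_id}")
    if task["uid"] == 0 and task["path"].startswith(USER_WRITABLE_PREFIXES):
        findings.append("root task in user-writable path")
    return findings


def audit_fleet(tasks):
    """Map service identifier -> findings, for tasks with at least one finding."""
    report = {}
    for task in tasks:
        findings = audit_task(task)
        if findings:
            report[task["identifier"]] = findings
    return report


if __name__ == "__main__":
    for ident, findings in audit_fleet(REPORTED_TASKS).items():
        print(ident, "->", "; ".join(findings))
```
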
How
Enabling Background Tasks Reporting
To use this feature, ensure that your macOS devices are enrolled in FileWave and running macOS 12 Monterey or later (DDM is supported on these versions), and that the FileWave Client is at least v15.5.0.
Accessing Background Tasks Data
Background tasks based on a launch daemon are now reported in Inventory for macOS devices supporting DDM, once the FileWave Client is up to date on a supported version of macOS. The image below shows an example of this inventory data.