DDM (Apple)

Declarative Device Management (DDM) is an advanced framework introduced by Apple to enhance the management of iOS, iPadOS, and macOS devices. Unlike traditional device management methods, DDM allows devices to proactively apply configurations and policies based on declarations provided by administrators or IT departments. These declarations define the desired state of the device, enabling it to autonomously enforce settings and make adjustments without constant communication with a management server. DDM can manage various aspects of device configuration, including account setups, security policies, app management, and compliance enforcement. By utilizing a more device-centric approach, DDM reduces network traffic and server load, allowing for more efficient and scalable device management. This framework provides organizations with a dynamic and responsive way to ensure devices remain configured correctly and adhere to organizational policies, even in changing environments or when devices are offline.

Apple Device Management - DDM Assets

What

DDM Assets let you define reusable values for Apple Declarative Device Management configurations. Use them for shared settings such as credentials, server details, certificates, or other data that more than one DDM configuration needs. Instead of copying the same value into each configuration, reference the Asset and update it in one place.

image.png

image.png

When/Why

Use Assets when multiple DDM configurations need the same value, when one update should flow to every configuration that references it, or when Fileset organization and permissions should control who can manage shared DDM data.

This is useful for standardized environments where many devices need the same settings, such as schools or organizations with shared Wi-Fi, account, certificate, or service configuration.

DDM Assets and Configurations are supported on devices running iOS 15, iPadOS 15, macOS 12 Monterey, or later.

How

To create and use Assets:

  1. Create an Asset: Create a new Fileset and choose DDM Asset from the Apple section.
  2. Configure the Asset: Define the reusable settings, such as credentials, server addresses, certificates, or other supported values.
  3. Reference the Asset in a DDM Configuration: Create or edit a DDM Configuration by creating a Fileset and choosing DDM Configuration from the Apple section. In settings that support Assets, add a reference to the Asset. For example, a CalDAV configuration can use authentication credentials from a DDM Asset.
  4. Deploy to devices: Assign the configurations that reference the Assets to your devices or device groups, then monitor the deployment to confirm that devices receive both the configuration and the associated Assets.

When a configuration references an Asset, FileWave manages that Asset as a dependency. Deploying the configuration also deploys the associated Asset to the target devices.

FileWave 16.4 JSON import and export

Starting with FileWave 16.4, administrators can import and export DDM Assets using Apple’s JSON declaration format. Imported Assets can be edited in FileWave and referenced by DDM Configurations just like Assets created with the built-in editor.

  1. Create or open a DDM Asset Fileset.
  2. Use Import to select an Apple JSON Asset declaration.
  3. Review validation results and inspect every imported value before saving.
  4. Confirm that dependent DDM Configurations resolve the intended Asset.
  5. Test the dependent Configuration on representative devices before broad deployment.
  6. Use Export to create JSON for backup, review, or reuse.

When imported Configurations and Assets reference one another, FileWave resolves the dependencies where possible. Unknown or unsupported declaration content is preserved instead of being silently removed.

Treat exported Asset JSON as sensitive. Assets can include credentials, certificates, account details, and service configuration. Review and protect the exported file before sharing it.

For configuration types, deployment behavior, the macOS 26 default-value issue, and JSON Configuration imports, see Apple Device Management – DDM Configurations.

Digging Deeper

Assets are most useful when a value is shared, changes occasionally, and should stay consistent everywhere it is used. Updating the Asset once keeps dependent configurations aligned without editing each configuration separately.

Permissions and Fileset organization also apply to Assets, so teams can manage shared configuration data with the same structure they use for other Filesets.

Apple Device Management - DDM Configurations

What

Declarative Device Management (DDM) is Apple’s modern device-management model. FileWave 15.5 introduced DDM Configurations and Assets; FileWave 16.4 expands the built-in configuration editors and adds JSON import and export for Apple declarations. DDM moves more state evaluation to the device, allowing supported Apple devices to apply declarations and report status without relying only on repeated server commands.

image.png

FileWave continues to add DDM editors as Apple publishes new declaration types. Existing screenshots on this page show earlier FileWave 16.x editors; labels and available declarations may differ in FileWave 16.4.

When/Why

Use DDM Configurations in FileWave 15.5 or later when you need to:

This is particularly useful for organizations managing numerous devices, seeking to optimize performance and reduce overhead.

DDM Assets & Configurations are supported on devices running the following versions and above: iOS 15, iPadOS 15, macOS 12 Monterey.

Starting in FileWave 16.3.x, mixed DDM/MDM deployments are handled more cleanly. DDM Configurations are not Apple Profile Filesets, and Apple Profiles still install through MDM. Command Policy Filesets are also excluded from DDM installation and sent as their corresponding MDM commands during deployment.

Starting in FileWave 16.3.x, the Service Configuration Files editor includes additional built-in services: com.apple.cryptoTokenKit and com.apple.authorization.

How

To create and use DDM Configurations in FileWave 15.5 and later:

  1.  Create a Configuration:
    • Create a new Fileset and pick DDM Configuration from the Apple section. 

      image.png

  2. Configure the Configuration:
    • Pick the desired Configuration
  3. Reference a DDM Asset in DDM Configurations:
    • Some Configurations can reference Apple Device Management - DDM Assets. An example is the Account: CalDAV Configuration which can be fed credentials from a DDM Asset (configured with the DDM Asset Editor)

      image.png

  4. Automatic Dependency Handling:
    • When a configuration references an Asset, FileWave automatically manages the Asset as a dependency.
    • Deploying the configuration will also deploy the associated Asset to the target devices.
  5. Deploy to Devices:
    • Assign the configurations to your devices or device groups.
    • Monitor the deployment to ensure that devices receive both the configuration and the associated Assets.

FileWave 16.4 DDM configurations

FileWave 16.4 adds dedicated editors for several Apple declaration types. Create these as DDM Configuration Filesets and deploy them only to supported devices.

macOS 26 through 26.5 default-value issue: Apple devices can reject a DDM configuration when certain settings are explicitly included with their default values. Apple has been notified of the OS-level issue. When the default behavior is intended, leave the affected setting undefined instead of explicitly sending its default value.

Siri Settings

On supported iOS, macOS, and visionOS devices, administrators can enable or disable Siri, enforce profanity filtering, restrict Siri while the device is locked, and prevent Siri from generating user-provided content.

Migration Assistant Settings

On macOS 26.4 and later, administrators can manage Mac-to-Mac migration during Setup Assistant. The FileWave 16.4 DDM Configuration Editor exposes these controls:

Use the + and controls to manage each list. Configure the mandatory General settings and resolve validation errors before saving. The device reports migration progress and completion status after deployment.

FileWave 16.4 Apple DDM Configuration Editor showing Migration Assistant controls for Security and Privacy settings, excluded accounts, excluded paths, and required paths
FileWave 16.4 Migration Assistant DDM configuration. This example has not completed its mandatory General settings, so the editor displays one validation error.

Keyboard Settings

On supervised iOS and macOS devices, administrators can manage auto-correction, predictive text, spell checking, Slide to Type, dictation, text replacements, definition lookups, and math-related keyboard suggestions supported by newer Apple operating systems.

Apple Intelligence Settings

On supported iOS, macOS, and visionOS devices, administrators can manage Writing Tools, Genmoji, Image Playground, Image Wand, Smart Replies, summarization, transcription, and other Apple Intelligence capabilities. Privacy-oriented controls can require supported services such as Dictation and Translation to use on-device processing.

The traditional MDM Restrictions payload remains available and is documented in Apple Profile: Apple Intelligence. Avoid managing the same setting through conflicting MDM and DDM declarations.

External Intelligence Settings

This separate declaration controls third-party AI services integrated with Apple operating systems. Administrators can allow or deny external intelligence providers, control sign-in with personal or organizational accounts, and restrict use to approved enterprise workspaces when Apple and the provider support that control.

Import and export DDM declarations as JSON

Starting with FileWave 16.4, DDM Configuration and DDM Asset Filesets can import and export Apple’s JSON declaration format. This allows administrators to deploy newly announced Apple declarations before a dedicated FileWave editor is available, modify imported declarations, back them up, and share reusable definitions.

  1. Create or open a DDM Configuration or DDM Asset Fileset.
  2. Use the editor’s Import action and select the Apple JSON declaration.
  3. Review validation results for malformed or incomplete content.
  4. Review imported Assets, Configurations, and their resolved dependencies before saving.
  5. Test the declaration on representative devices running the intended Apple OS versions before wider deployment.
  6. Use Export when you need an Apple JSON declaration for backup, review, or controlled reuse.

FileWave resolves related Configuration and Asset dependencies where possible. Unsupported or unknown declaration payloads are preserved during import and deployment rather than discarded, but preservation does not guarantee that a target Apple OS accepts or applies the declaration.

Protect exported Assets. A DDM Asset export can contain credentials, certificates, server details, or other sensitive configuration values. Store and share exported JSON accordingly.

Cellular downloads for DDM application installs

FileWave 16.4 supports Apple’s AllowDownloadsOverCellular setting for applications installed through Declarative Device Management on iPhone and iPad (iOS and iPadOS). Use the application’s DDM installation settings to choose how automatic installs and updates use cellular data:

SettingAutomatic installation or update behavior
Always OnApplications of any size may download over a cellular network.
Always OffCellular downloads are blocked; the automatic install or update waits for a non-cellular network.
Store SettingsThe device follows its App Store cellular-download settings.

User-initiated application installs or updates always follow the device’s App Store settings, regardless of the DDM value. This control governs automatic DDM delivery; it is not a universal cellular-data restriction.

Use Always Off where cellular cost or bandwidth is the primary concern, Always On where timely managed delivery is more important, or Store Settings when device-level user/organization policy should decide. Pilot the choice on a cellular-capable supervised device before broad deployment.

Fileset Status

Unlike Profiles, DDM configurations are deployed with one single DDM command, meaning the Client Info > Command History tab will not show individual events per DDM configuration delivered.

Starting in FileWave 16.3.x, Client Info > Fileset Status provides more detailed status information for multi-configuration DDM Filesets. For example, a Fileset such as Screen Sharing Configuration can contain multiple DDM configurations, and each one can now report its own status within the Fileset Status view. This makes it much easier to see which specific configuration succeeded or failed during deployment.

This detailed DDM status is shown in the same area used for Script status, because scripts and DDM configurations cannot coexist within the same Fileset. Single-configuration DDM Filesets are not changed by this behavior.

Likewise, when viewing the installed Profiles on a device, the DDM Configurations will not show as Profiles, but, instead, within the FileWave MDM Configuration Profile.  Accessing the Profile list from Settings of a device, open the FileWave MDM Configuration Profile and scroll down to Device Declarations:

image.png

In the above example, opening Global Settings should reflect the settings delivered by Apple DDM Configuration Filesets.  For example:

image.png

Digging Deeper

Declarative Device Management (DDM) represents a significant evolution in Apple’s device management strategy:

Key Benefits:

Use DDM Configurations and Assets when Apple provides an applicable declaration and the managed device supports it. Keep traditional MDM Profiles for controls that do not yet have a suitable declaration.

Avoid conflicting MDM and DDM controls

Apple does not define a reliable outcome when multiple Profiles or declarations manage the same setting with different values. A result observed during testing—including an apparently more restrictive value winning—is not a supported precedence rule and can change across operating-system releases.

Do not rely on payload order or “most restrictive wins.” Design the policy so the device receives one intended value for each managed setting.

Battery Health Inventory Field

What

FileWave 16.2.0 and later reports Apple’s Battery Health status in device inventory. Use it to find batteries that need service, devices that cannot report battery health, and hardware that reports a non-genuine battery.

The possible values are:

Apple provides this status item on iOS and iPadOS 17.0 and later and macOS 14.4 and later. Hardware support is limited to iPhone, specific iPad models, and Macs with Apple silicon. Other devices report Unsupported.

When/Why

Use this field during hardware audits, replacement planning, or troubleshooting when battery condition may explain poor runtime or unexpected shutdowns.

How

  1. Open FileWave Central and locate the target device.

  2. Navigate to the Client Info window.

  3. Select the Device Details tab (or search for “Battery Health” in the search bar).

  4. Review the reported Battery Health value.

    • For unsupported devices, the value will display as Unsupported.

    • Supported iPads and Macs will show one of the Apple-defined statuses.

Apple maintains the current list of iPad models that can report battery health. Check that list when a recent iPad still reports Unsupported.

FileWave Admin 2025-09-18 11.07.22.png

Smart Group Example: Devices Needing Battery Service

To automatically identify devices that require attention:

  1. In FileWave Central, create a new Smart Group.

  2. Add a filter with:

    • Property: Battery Health

    • Operator: equals

    • Value: Service-Recommended

  3. Save the Smart Group.

The Smart Group collects devices reporting Service-Recommended so you can plan repairs or replacements.

Digging Deeper

DDM Configuration - Restricting Math Results in Other Apps with FileWave

Restricting Math Results in Other Apps with FileWave

With iOS 18 and macOS 15, Apple introduced new controls for managing Math Notes and related behaviors across apps. FileWave allows you to configure these restrictions through the Apple DDM Configuration Editor.

image.png

Steps to Configure

  1. In FileWave Admin, go to:

    New Fileset → Apple → DDM Configuration:

    image.png

     

  2.  Search for Math Settings in the search bar > Configure. Under Math Settings, enable System Behavior by checking the box.

     

    image.png

     

     

  3. Leave the sub-options unchecked:

     

    • Keyboard suggestions include math solutions

    • Math Notes is allowed in other apps such as Notes

     

    ⚠️ Note: Checking Math Notes is allowed will enable sharing of math results across apps (e.g., in Freeform). Leaving it unchecked will restrict this.

  4. Save and deploy the configuration to a test device, then a test group, followed by all target devices.

Result

Once applied, Math Notes and related results will no longer be offered in other apps such as Freeform or Notes. Even though the device’s Settings > Freeform > Math Results menu may still display “Suggest Results,” no actual math solutions will appear.

This ensures students or end users can use core functionality of apps without unintended math assistance.

Background Tasks (DDM status - macOS)

What

FileWave has integrated Apple’s Declarative Device Management (DDM) capabilities to enhance the monitoring of background tasks on macOS devices. This new feature allows administrators to receive detailed reports on the background tasks that are present. The information provided includes the service identifier, the application path (e.g., /Applications/1Password.app), the status of the service (such as enabled or not registered), the type of service (application or login item), the user ID (UID) under which the service is running, and the code signature details.

By leveraging DDM, macOS devices can autonomously report this information without the need for constant server queries. This enhancement improves the visibility of background processes across your device fleet, aiding in compliance, security auditing, and troubleshooting efforts.

When/Why

This feature is particularly useful when there is a need to:

Why This Feature Matters

Understanding which background tasks are running on your macOS devices is crucial for maintaining a secure and efficient computing environment. Background tasks can have significant impacts on device performance, battery life, and security. Unauthorized tasks might access sensitive data or provide an entry point for threats. By receiving detailed reports on these tasks, administrators can take proactive measures to manage and secure their device fleet effectively.

The integration of DDM enhances this process by allowing devices to report their status autonomously. This reduces the need for frequent server polling, decreases network traffic, and provides up-to-date information without delays.

How

Enabling Background Tasks Reporting

To utilize this feature, ensure that your macOS devices are enrolled in FileWave and running macOS 12 Monterey or later, that DDM is supported on these versions and ensure the FileWave Client is at least v15.5.0. 

Accessing Background Tasks Data

Background tasks based on a launch daemon are now reported in Inventory for macOS devices supporting DDM, once the FileWave Client is up to date on a supported version of macOS. The below image shows an example of this inventory data.

image.png