Skip to main content

Apple Device Management - DDM Configurations

What

Declarative Device Management (DDM) is Apple’s modern device-management model. FileWave 15.5 introduced DDM Configurations and Assets; FileWave 16.4 expands the built-in configuration editors and adds JSON import and export for Apple declarations. DDM moves more state evaluation to the device, allowing supported Apple devices to apply declarations and report status without relying only on repeated server commands.

image.png

FileWave continues to add DDM editors as Apple publishes new declaration types. Existing screenshots on this page show earlier FileWave 16.x editors; labels and available declarations may differ in FileWave 16.4.

When/Why

Use DDM Configurations in FileWave 15.5 or later when you need to:

  • Modernize Device Management: Adopt Apple’s latest device management methodology to stay current with industry advancements.
  • Increase Efficiency: Allow devices to autonomously manage configurations, reducing reliance on constant server communication.
  • Enhance Scalability: Improve performance when managing large fleets, as devices handle more processing locally.
  • Improve Responsiveness: Devices can apply configurations and respond to changes more quickly without waiting for server commands.

This is particularly useful for organizations managing numerous devices, seeking to optimize performance and reduce overhead.

DDM Assets & Configurations are supported on devices running the following versions and above: iOS 15, iPadOS 15, macOS 12 Monterey.

Starting in FileWave 16.3.x, mixed DDM/MDM deployments are handled more cleanly. DDM Configurations are not Apple Profile Filesets, and Apple Profiles still install through MDM. Command Policy Filesets are also excluded from DDM installation and sent as their corresponding MDM commands during deployment.

Starting in FileWave 16.3.x, the Service Configuration Files editor includes additional built-in services: com.apple.cryptoTokenKit and com.apple.authorization.

How

To create and use DDM Configurations in FileWave 15.5 and later:

  1.  Create a Configuration:
    • Create a new Fileset and pick DDM Configuration from the Apple section. 

      image.png

  2. Configure the Configuration:
    • Pick the desired Configuration
  3. Reference a DDM Asset in DDM Configurations:
    • Some Configurations can reference Apple Device Management - DDM Assets. An example is the Account: CalDAV Configuration which can be fed credentials from a DDM Asset (configured with the DDM Asset Editor)

      image.png

  4. Automatic Dependency Handling:
    • When a configuration references an Asset, FileWave automatically manages the Asset as a dependency.
    • Deploying the configuration will also deploy the associated Asset to the target devices.
  5. Deploy to Devices:
    • Assign the configurations to your devices or device groups.
    • Monitor the deployment to ensure that devices receive both the configuration and the associated Assets.

FileWave 16.4 DDM configurations

FileWave 16.4 adds dedicated editors for several Apple declaration types. Create these as DDM Configuration Filesets and deploy them only to supported devices.

macOS 26 through 26.5 default-value issue: Apple devices can reject a DDM configuration when certain settings are explicitly included with their default values. Apple has been notified of the OS-level issue. When the default behavior is intended, leave the affected setting undefined instead of explicitly sending its default value.

Siri Settings

On supported iOS, macOS, and visionOS devices, administrators can enable or disable Siri, enforce profanity filtering, restrict Siri while the device is locked, and prevent Siri from generating user-provided content.

Migration Assistant Settings

On macOS 26.4 and later, administrators can manage Mac-to-Mac migration during Setup Assistant. The FileWave 16.4 DDM Configuration Editor exposes these controls:

  • Should Migrate Security Privacy Settings — controls whether Security & Privacy settings migrate. The editor shows a default of True.
  • Excluded Accounts — user account short names the system excludes from migration.
  • Excluded Paths — paths relative to the user’s home directory that the system excludes from migration.
  • Required Paths — paths relative to the user’s home directory that the system needs to migrate.

Use the + and controls to manage each list. Configure the mandatory General settings and resolve validation errors before saving. The device reports migration progress and completion status after deployment.

FileWave 16.4 Apple DDM Configuration Editor showing Migration Assistant controls for Security and Privacy settings, excluded accounts, excluded paths, and required paths
FileWave 16.4 Migration Assistant DDM configuration. This example has not completed its mandatory General settings, so the editor displays one validation error.

Keyboard Settings

On supervised iOS and macOS devices, administrators can manage auto-correction, predictive text, spell checking, Slide to Type, dictation, text replacements, definition lookups, and math-related keyboard suggestions supported by newer Apple operating systems.

Apple Intelligence Settings

On supported iOS, macOS, and visionOS devices, administrators can manage Writing Tools, Genmoji, Image Playground, Image Wand, Smart Replies, summarization, transcription, and other Apple Intelligence capabilities. Privacy-oriented controls can require supported services such as Dictation and Translation to use on-device processing.

The traditional MDM Restrictions payload remains available and is documented in Apple Profile: Apple Intelligence. Avoid managing the same setting through conflicting MDM and DDM declarations.

External Intelligence Settings

This separate declaration controls third-party AI services integrated with Apple operating systems. Administrators can allow or deny external intelligence providers, control sign-in with personal or organizational accounts, and restrict use to approved enterprise workspaces when Apple and the provider support that control.

Import and export DDM declarations as JSON

Starting with FileWave 16.4, DDM Configuration and DDM Asset Filesets can import and export Apple’s JSON declaration format. This allows administrators to deploy newly announced Apple declarations before a dedicated FileWave editor is available, modify imported declarations, back them up, and share reusable definitions.

  1. Create or open a DDM Configuration or DDM Asset Fileset.
  2. Use the editor’s Import action and select the Apple JSON declaration.
  3. Review validation results for malformed or incomplete content.
  4. Review imported Assets, Configurations, and their resolved dependencies before saving.
  5. Test the declaration on representative devices running the intended Apple OS versions before wider deployment.
  6. Use Export when you need an Apple JSON declaration for backup, review, or controlled reuse.

FileWave resolves related Configuration and Asset dependencies where possible. Unsupported or unknown declaration payloads are preserved during import and deployment rather than discarded, but preservation does not guarantee that a target Apple OS accepts or applies the declaration.

Protect exported Assets. A DDM Asset export can contain credentials, certificates, server details, or other sensitive configuration values. Store and share exported JSON accordingly.

Cellular downloads for DDM application installs

FileWave 16.4 supports Apple’s AllowDownloadsOverCellular setting for applications installed through Declarative Device Management on iPhone and iPad (iOS and iPadOS). Use the application’s DDM installation settings to choose how automatic installs and updates use cellular data:

SettingAutomatic installation or update behavior
Always OnApplications of any size may download over a cellular network.
Always OffCellular downloads are blocked; the automatic install or update waits for a non-cellular network.
Store SettingsThe device follows its App Store cellular-download settings.

User-initiated application installs or updates always follow the device’s App Store settings, regardless of the DDM value. This control governs automatic DDM delivery; it is not a universal cellular-data restriction.

Use Always Off where cellular cost or bandwidth is the primary concern, Always On where timely managed delivery is more important, or Store Settings when device-level user/organization policy should decide. Pilot the choice on a cellular-capable supervised device before broad deployment.

Fileset Status

Unlike Profiles, DDM configurations are deployed with one single DDM command, meaning the Client Info > Command History tab will not show individual events per DDM configuration delivered.

Starting in FileWave 16.3.x, Client Info > Fileset Status provides more detailed status information for multi-configuration DDM Filesets. For example, a Fileset such as Screen Sharing Configuration can contain multiple DDM configurations, and each one can now report its own status within the Fileset Status view. This makes it much easier to see which specific configuration succeeded or failed during deployment.

This detailed DDM status is shown in the same area used for Script status, because scripts and DDM configurations cannot coexist within the same Fileset. Single-configuration DDM Filesets are not changed by this behavior.

Likewise, when viewing the installed Profiles on a device, the DDM Configurations will not show as Profiles, but, instead, within the FileWave MDM Configuration Profile.  Accessing the Profile list from Settings of a device, open the FileWave MDM Configuration Profile and scroll down to Device Declarations:

image.png

In the above example, opening Global Settings should reflect the settings delivered by Apple DDM Configuration Filesets.  For example:

image.png

Digging Deeper

Declarative Device Management (DDM) represents a significant evolution in Apple’s device management strategy:

  • Device-Centric Management: Devices receive declarations of desired states and autonomously ensure compliance, reducing the need for continuous server commands.
  • Enhanced Performance: Offloading processing to devices improves performance and scalability, especially in large environments.
  • Improved Reliability: Devices can enforce configurations even when temporarily disconnected from the management server.

Key Benefits:

  • Reduced Server Load: Servers are less burdened with managing individual device states, as devices handle more tasks independently.
  • Faster Configuration Application: Devices can apply changes immediately upon receiving declarations, without waiting for additional instructions.
  • Proactive Compliance: Devices continuously ensure they meet the declared state, self-correcting if configurations are altered or removed.

Use DDM Configurations and Assets when Apple provides an applicable declaration and the managed device supports it. Keep traditional MDM Profiles for controls that do not yet have a suitable declaration.

Avoid conflicting MDM and DDM controls

Apple does not define a reliable outcome when multiple Profiles or declarations manage the same setting with different values. A result observed during testing—including an apparently more restrictive value winning—is not a supported precedence rule and can change across operating-system releases.

  • Choose one authoritative MDM or DDM workflow for each setting.
  • Review existing Profiles before deploying a new declaration that manages the same behavior.
  • Test policy transitions on representative devices before broad deployment.
  • Remove the old control only after the replacement declaration is confirmed active.

Do not rely on payload order or “most restrictive wins.” Design the policy so the device receives one intended value for each managed setting.