Apple Device Management - DDM Configurations

What

Declarative Device Management (DDM) is Apple’s modern approach to device management, introduced to enhance and eventually replace traditional Mobile Device Management (MDM) protocols. With FileWave 15.5, support for DDM configurations is now available, allowing administrators to manage Apple devices more efficiently. DDM shifts some management logic to the device, enabling it to proactively apply configurations and report status updates, reducing server load and improving scalability.

DDM options will be extended gradually over the following FileWave versions, providing a broader scope of offerings. The screenshots in this KB are from FileWave 16.x.

When/Why

Implement DDM Configurations in FileWave 15.5 when you aim to:

  • Modernize Device Management: Adopt Apple’s latest device management methodology to stay current with industry advancements.
  • Increase Efficiency: Allow devices to autonomously manage configurations, reducing reliance on constant server communication.
  • Enhance Scalability: Improve performance when managing large fleets, as devices handle more processing locally.
  • Improve Responsiveness: Devices can apply configurations and respond to changes more quickly without waiting for server commands.

This is particularly useful for organizations managing numerous devices, seeking to optimize performance and reduce overhead.

DDM Assets & Configurations are supported on devices running the following versions and above: iOS 15, iPadOS 15, macOS 12 Monterey.

Starting in FileWave 16.3.x, mixed DDM/MDM deployments are handled more cleanly. DDM Configurations are not Apple Profile Filesets, and Apple Profiles still install through MDM. Command Policy Filesets are also excluded from DDM installation and sent as their corresponding MDM commands during deployment.

Starting in FileWave 16.3.x, the Service Configuration Files editor includes additional built-in services: com.apple.cryptoTokenKit and com.apple.authorization.

How

To create and use Configurations in FileWave 15.5:

  1.  Create a Configuration:
    • Create a new Fileset and pick DDM Configuration from the Apple section. 

  2. Configure the Configuration:
    • Pick the desired Configuration
  3. Reference a DDM Asset in DDM Configurations:
    • Some Configurations can reference Apple Device Management - DDM Assets. An example is the Account: CalDAV Configuration, which can be fed credentials from a DDM Asset (configured with the DDM Asset Editor).

  4. Automatic Dependency Handling:
    • When a configuration references an Asset, FileWave automatically manages the Asset as a dependency.
    • Deploying the configuration will also deploy the associated Asset to the target devices.
  5. Deploy to Devices:
    • Assign the configurations to your devices or device groups.
    • Monitor the deployment to ensure that devices receive both the configuration and the associated Assets.
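FileWave handles the Asset dependency automatically; as an added illustration (not FileWave code and not part of the original article), the sketch below shows the underlying relationship in Apple's declaration JSON and reports any configuration whose referenced Asset is absent from the set being deployed. The identifiers, host names and URL are constructed, and treating any payload key that ends in `AssetReference` as an Asset reference is an assumption.

```python
import json

# Constructed sample declarations (identifiers, hosts and URL are made up).
SAMPLE_DECLARATIONS = json.loads("""[
  {"Type": "com.apple.asset.credential.userpassword",
   "Identifier": "example.asset.caldav-cred",
   "Payload": {"Reference": {"DataURL": "https://mdm.example.invalid/cred",
                             "ContentType": "application/json"}}},
  {"Type": "com.apple.configuration.account.caldav",
   "Identifier": "example.config.caldav.a",
   "Payload": {"HostName": "cal.example.invalid",
               "AuthenticationCredentialsAssetReference": "example.asset.caldav-cred"}},
  {"Type": "com.apple.configuration.account.caldav",
   "Identifier": "example.config.caldav.b",
   "Payload": {"HostName": "cal.example.invalid",
               "AuthenticationCredentialsAssetReference": "example.asset.missing-cred"}}
]""")


def asset_references(node):
    """Yield each string stored under a key ending in 'AssetReference', at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith("AssetReference") and isinstance(value, str):
                yield value  # assumption: this suffix marks an Asset reference
            else:
                yield from asset_references(value)
    elif isinstance(node, list):
        for item in node:
            yield from asset_references(item)


def missing_assets(declarations):
    """Map configuration Identifier -> sorted Asset identifiers it references but that are not present."""
    present = {d["Identifier"] for d in declarations
               if d["Type"].startswith("com.apple.asset.")}
    missing = {}
    for d in declarations:
        if d["Type"].startswith("com.apple.configuration."):
            unresolved = sorted(set(asset_references(d.get("Payload", {}))) - present)
            if unresolved:
                missing[d["Identifier"]] = unresolved
    return missing


if __name__ == "__main__":
    print(missing_assets(SAMPLE_DECLARATIONS))
```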

Fileset Status

Unlike Profiles, DDM configurations are deployed with one single DDM command, meaning the Client Info > Command History tab will not show individual events per DDM configuration delivered.

Starting in FileWave 16.3.x, Client Info > Fileset Status provides more detailed status information for multi-configuration DDM Filesets. For example, a Fileset such as Screen Sharing Configuration can contain multiple DDM configurations, and each one can now report its own status within the Fileset Status view. This makes it much easier to see which specific configuration succeeded or failed during deployment.

This detailed DDM status is shown in the same area used for Script status, because scripts and DDM configurations cannot coexist within the same Fileset. Single-configuration DDM Filesets are not changed by this behavior.

Likewise, when viewing the installed Profiles on a device, DDM Configurations do not appear as Profiles; instead, they are listed within the FileWave MDM Configuration Profile. From the Profile list in the device's Settings, open the FileWave MDM Configuration Profile and scroll down to Device Declarations:

image.png

In the above example, opening Global Settings should reflect the settings delivered by Apple DDM Configuration Filesets.  For example:

image.png

Digging Deeper

Declarative Device Management (DDM) represents a significant evolution in Apple’s device management strategy:

  • Device-Centric Management: Devices receive declarations of desired states and autonomously ensure compliance, reducing the need for continuous server commands.
  • Enhanced Performance: Offloading processing to devices improves performance and scalability, especially in large environments.
  • Improved Reliability: Devices can enforce configurations even when temporarily disconnected from the management server.

Key Benefits:

  • Reduced Server Load: Servers are less burdened with managing individual device states, as devices handle more tasks independently.
  • Faster Configuration Application: Devices can apply changes immediately upon receiving declarations, without waiting for additional instructions.
  • Proactive Compliance: Devices continuously ensure they meet the declared state, self-correcting if configurations are altered or removed.

By embracing DDM configurations in FileWave 15.5, organizations can achieve a more efficient, scalable, and responsive device management system that meets the demands of modern IT environments.

Conflicting Payloads:

Apple have not provided any information, beyond that given for MDM Payloads, on the experience when two DDM configurations are applied to control the same feature but with differing settings. Please consider the following:

  • Where MDM Payloads are concerned, Apple suggest the experience is undefined.  
  • Apple used to have an additional clause, suggesting that where restrictions payloads conflicted, the more restrictive setting would win (but this detail was removed from their documentation).
  • It would be reasonable to assume that the same conditions apply to DDM.

For what it is worth, testing the conflict between MDM and DDM for a restriction provided the following result:

  • Set differing macOS Software Update defer durations in both MDM and DDM payloads.
  • Associate both.
  • In each test, the most restrictive (greatest duration of days) appeared to always be applied.
  • It did not matter if DDM or MDM was the more restrictive.

It would be sensible to avoid conflicts where possible, rather than rely on a tested experience.
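One way to catch such overlaps before deployment is to compare the deferral values in an MDM Restrictions profile against those in a DDM software update declaration. This is an added example, not FileWave functionality or code from the original article; the key mapping uses Apple schema names that the article itself does not list, and the sample profile and declaration are constructed.

```python
import json
import plistlib

# Assumed mapping: MDM Restrictions key -> key inside the DDM Payload["Deferrals"].
KEY_MAP = {
    "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": "MajorPeriodInDays",
    "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": "MinorPeriodInDays",
}

# Constructed samples: one MDM profile and one DDM declaration.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay": 30,
        "enforcedSoftwareUpdateMinorOSDeferredInstallDelay": 7,
    }],
})
SAMPLE_DECLARATION = json.dumps({
    "Type": "com.apple.configuration.softwareupdate.settings",
    "Identifier": "example.constructed.swupdate",
    "Payload": {"Deferrals": {"MajorPeriodInDays": 14, "MinorPeriodInDays": 7}},
})


def mdm_deferrals(profile_bytes):
    """Collect deferral values from Restrictions payloads in a profile plist."""
    found = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            found.update({k: payload[k] for k in KEY_MAP if k in payload})
    return found


def ddm_deferrals(declaration_json):
    """Return the Deferrals dictionary of a software update declaration, else {}."""
    decl = json.loads(declaration_json)
    if decl.get("Type") != "com.apple.configuration.softwareupdate.settings":
        return {}
    return decl.get("Payload", {}).get("Deferrals", {})


def find_conflicts(profile_bytes, declaration_json):
    """List settings defined on both sides with different values.

    Compares raw values only; it does not check whether the MDM delay is enforced.
    'larger_days' is the value the article's testing saw applied, not an Apple guarantee.
    """
    mdm, ddm = mdm_deferrals(profile_bytes), ddm_deferrals(declaration_json)
    return [{"setting": d, "mdm_days": mdm[m], "ddm_days": ddm[d],
             "larger_days": max(mdm[m], ddm[d])}
            for m, d in KEY_MAP.items()
            if m in mdm and d in ddm and mdm[m] != ddm[d]]


if __name__ == "__main__":
    print(find_conflicts(SAMPLE_PROFILE, SAMPLE_DECLARATION))
```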