Kandji Announces Support for Declarative Device Management

Posted on November 3, 2022

Today Kandji is announcing first-in-the-market support for active Declarative Device Management (DDM) for supervised devices. Not only has Kandji enabled DDM, but we also support actively managing configuration declarations—one of the core technologies that powers DDM. 

With this first release, we've updated our Passcode library item to automatically use configuration declarations for iOS 16 and iPadOS 16 devices. But that's just the tip of the iceberg, the first step in a revolutionary transformation of the way mobile device management works on Apple platforms.

What Is Declarative Device Management?

Declarative Device Management is an entirely new device management architecture developed by Apple. With DDM, much of the decision-making in managing devices moves to the devices themselves. Devices can self-remediate gaps in configuration and inform the device-management server of any changes through a new status channel. This means device configurations and remediations happen faster, and there’s less back-and-forth communication between devices and the server. 


As Apple puts it, DDM “inspires more confidence that the device is in the expected state. And in the situations where it is not, that it is in a safe state that protects any sensitive organization data, even when connectivity to the server is lost.” Apple smartly made DDM part of the existing MDM protocol that we’ve been using for more than a decade, so MDM and DDM can co-exist on the same device.

How Kandji Supports Declarative Device Management

When DDM was initially launched at WWDC 2021, it was available only on iOS devices that had been enrolled via User Enrollment. But this year, Apple expanded DDM to all of its platforms and all enrollment types, including Device Enrollment and Automated Device Enrollment. This has allowed Kandji to adopt DDM—and, starting today, enable it for macOS, iOS, and iPadOS.

In addition, newly enrolled devices running iOS 16 or iPadOS 16 that are managed with Kandji and have a passcode policy set via a Passcode library item will have that policy applied natively via DDM instead of legacy MDM profiles—with no extra steps required by the admin. Instead of sending a legacy configuration profile containing the passcode policy, we create a configuration declaration with the same policy.
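To make the profile-to-declaration switch concrete, here is an added example (not Kandji's code) that translates a legacy passcode payload into a passcode configuration declaration and reports any keys it cannot carry over. The key names follow Apple's published passcode schemas as understood here; the identifier, the sample payload, and the hash-derived ServerToken are assumptions.

```python
import hashlib
import json

# Legacy com.apple.mobiledevice.passwordpolicy key -> declaration payload key.
KEY_MAP = {
    "forcePIN": "RequirePasscode",
    "requireAlphanumeric": "RequireAlphanumericPasscode",
    "minLength": "MinimumLength",
    "minComplexChars": "MinimumComplexCharacters",
    "maxFailedAttempts": "MaximumFailedAttempts",
    "maxGracePeriod": "MaximumGracePeriodInMinutes",
    "maxInactivity": "MaximumInactivityInMinutes",
    "maxPINAgeInDays": "MaximumPasscodeAgeInDays",
    "pinHistory": "PasscodeReuseLimit",
}

def profile_to_declaration(payload, identifier):
    """Return (declaration, unmapped_keys) for a legacy passcode payload."""
    if payload.get("PayloadType") != "com.apple.mobiledevice.passwordpolicy":
        raise ValueError("not a passcode policy payload")
    settings, unmapped = {}, []
    for key, value in payload.items():
        if key.startswith("Payload"):
            continue  # profile envelope metadata, not policy
        if key == "allowSimple":
            settings["RequireComplexPasscode"] = not value  # inverted meaning
        elif key in KEY_MAP:
            settings[KEY_MAP[key]] = value
        else:
            unmapped.append(key)  # report parity gaps instead of dropping them
    body = json.dumps(settings, sort_keys=True).encode()
    return {
        "Type": "com.apple.configuration.passcode.settings",
        "Identifier": identifier,
        # Assumption: derive ServerToken from the payload so it changes with it.
        "ServerToken": hashlib.sha256(body).hexdigest(),
        "Payload": settings,
    }, sorted(unmapped)

# Constructed sample payload; "exampleLegacyOnlyKey" is a made-up key.
LEGACY_SAMPLE = {
    "PayloadType": "com.apple.mobiledevice.passwordpolicy",
    "PayloadIdentifier": "com.example.passcode",
    "forcePIN": True, "allowSimple": False, "minLength": 8,
    "maxFailedAttempts": 10, "maxInactivity": 5, "exampleLegacyOnlyKey": 1,
}

if __name__ == "__main__":
    print(json.dumps(profile_to_declaration(LEGACY_SAMPLE, "com.example.decl.passcode"), indent=2))
```

A non-empty unmapped list means the declaration would enforce a weaker policy than the profile it replaces, so the legacy profile should stay in place for that device.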


Our team built an entirely new, highly scalable architecture to support all core Declarative Device Management technologies: enrollment, declarations, and the status channel. As Apple makes more MDM profile payloads available as configuration declarations with full settings parity, we will adopt them quickly. While we are also enabling DDM for macOS Ventura, the macOS passcode declaration does not yet have full parity with the legacy profile-based passcode policy. As a result, we’ve chosen not to implement it at this time, but have filed feedback with Apple (FB11421887).

Apple announced at WWDC 2022 that declarative device management will be “the focus of future protocol features.” We’re excited to continue building on the foundation we’re announcing today as Apple releases additional DDM functionality in the months and years ahead.

Request access to Kandji today.
