WWDC22: Apple brings declarative device management to the Mac?

By Jonny Evans | Date: Mon, 06 Jun 2022 08:11:00 -0700

More opportunities for engineers and developers to implement declarative device management solutions are likely to emerge at WWDC 2022, at least, according to MacAdmins.

Speaking during the pre-event podcast, the speakers argued that Apple will eventually require all mobile device management (MDM) providers to support declarative management. Might this include bringing declarative device management to the Mac?

Apple first introduced declarative device management last year, largely for two reasons: to make devices more proactive, and to reduce the impact on MDM servers that handle large fleets of devices. This should boost performance and scalability.

“By sending declarations to the device and utilizing the status channel, that device becomes more autonomous and proactive. And your MDM solution will manage many facets of the device experience using the MDM protocol,” Apple’s developer notes explain.

The difference between standard MDM and declarative management can be seen as follows:

Standard MDM: When the MDM sends a command to the device, multiple interactions between the server and the device are needed to implement the change. Alternatively, the MDM system has to ask the device to update it on any changes made at the device end. The device does not monitor itself for important changes, and will not proactively contact the MDM system to let it know such changes have taken place.

Declarative management: Devices monitor themselves and can notify an MDM system when a change is applied. They can also deploy changes more swiftly, with less interaction between the server and the device. This autonomy also gives the device better protection when it is offline or when the MDM server is unavailable. In effect, policies can be applied more swiftly, and admins benefit from more accurate information about the devices in the fleet.

At WWDC 2021, Apple introduced the first version of its Declarative Device Management protocol. This relies on Declarations, Status Channel, and Extensibility.

A Declaration is basically a policy decision given to the device. It can cover account settings or access to enterprise services, and can be applied at either the user or the device level. You might deliver the same privileges to all your users, for example, but assign specific individuals administrator rights on their device(s).

Declarations can include device configuration, assets (such as usernames and certificates) and activations — policies that are applied to the device. Once a device has pulled all the declarations available to it from the MDM server, it will begin to apply any policy changes required to work within them.

At its simplest, MDM systems use this to subscribe to important device changes, such as requesting a notification when a device upgrades its iOS version. This can then trigger assignment of additional policies to the device that are relevant to the newly installed operating system.

One good example of what extensibility means in the context of declarative device management could relate to a device’s operating system being upgraded. The device can let the MDM server know an update has taken place and the MDM can then assign a new policy that enables a new feature that might not have been supported before. An MDM might also be able to identify which devices have been upgraded to deploy any features newly available.
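The flow described above, from declarations and activations through the status channel to a server reacting to an OS upgrade, is easier to see in code. The following is an added example written for this article, not code from Apple or from any MDM vendor: it is a simplified simulation of the protocol, not Apple's wire format. The declaration shape (Type, Identifier, ServerToken, Payload) and the declaration type names follow Apple's published format, but the identifiers, URLs, manifest layout and status-report structure are constructed for illustration.

```python
"""Simplified model of the declarative device management (DDM) loop:
the server publishes declarations, the device fetches only what changed,
applies activations, and proactively reports subscribed status items.
Constructed example; not Apple's protocol implementation."""
import hashlib
import json


def declaration(decl_type, identifier, payload, token="v1"):
    """Build a declaration in Apple's documented top-level shape."""
    return {"Type": decl_type, "Identifier": identifier,
            "ServerToken": token, "Payload": payload}


# Constructed sample declarations (identifiers and URLs are made up).
BASELINE_CONFIG = declaration(
    "com.apple.configuration.legacy", "com.example.config.baseline",
    {"ProfileURL": "https://mdm.example.invalid/profiles/baseline.mobileconfig"})
BASELINE_ACTIVATION = declaration(
    "com.apple.activation.simple", "com.example.activation.baseline",
    {"StandardConfigurations": ["com.example.config.baseline"]})
# Status subscription: asks the device to report its OS version on change.
OS_SUBSCRIPTION = declaration(
    "com.apple.management.status-subscriptions", "com.example.management.os-status",
    {"StatusItems": [{"Name": "device.operating-system.version"}]})
NEW_FEATURE_CONFIG = declaration(
    "com.apple.configuration.legacy", "com.example.config.new-feature",
    {"ProfileURL": "https://mdm.example.invalid/profiles/new-feature.mobileconfig"})
NEW_FEATURE_ACTIVATION = declaration(
    "com.apple.activation.simple", "com.example.activation.new-feature",
    {"StandardConfigurations": ["com.example.config.new-feature"]})


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


class MDMServer:
    """Holds the declarations assigned to one device and reacts to status reports."""

    def __init__(self):
        self.declarations = {d["Identifier"]: d for d in
                             (BASELINE_CONFIG, BASELINE_ACTIVATION, OS_SUBSCRIPTION)}
        self.status_reports = []

    def manifest(self):
        """Token list only (no payloads): the device uses it to decide what to fetch."""
        items = sorted((d["Identifier"], d["ServerToken"]) for d in self.declarations.values())
        digest = hashlib.sha256(json.dumps(items).encode()).hexdigest()
        return {"DeclarationsToken": digest,
                "Declarations": [{"Identifier": i, "ServerToken": t} for i, t in items]}

    def declaration(self, identifier):
        return self.declarations[identifier]

    def receive_status(self, report):
        """Status-channel handler: a device on OS 16 or later gets the new-feature policy."""
        self.status_reports.append(report)
        version = report["StatusItems"]["device"]["operating-system"]["version"]
        if version_tuple(version) >= (16, 0):
            for decl in (NEW_FEATURE_CONFIG, NEW_FEATURE_ACTIVATION):
                self.declarations[decl["Identifier"]] = decl


class Device:
    def __init__(self, os_version):
        self.status = {"device": {"operating-system": {"version": os_version}}}
        self.declarations = {}
        self.subscribed = set()

    def sync(self, server):
        """Fetch only declarations whose ServerToken changed; returns how many were fetched."""
        fetched = 0
        wanted = {e["Identifier"]: e["ServerToken"] for e in server.manifest()["Declarations"]}
        for identifier, token in wanted.items():
            local = self.declarations.get(identifier)
            if local is None or local["ServerToken"] != token:
                self.declarations[identifier] = server.declaration(identifier)
                fetched += 1
        for identifier in list(self.declarations):
            if identifier not in wanted:
                del self.declarations[identifier]  # removed server-side
        self.subscribed = {item["Name"] for d in self.declarations.values()
                           if d["Type"] == "com.apple.management.status-subscriptions"
                           for item in d["Payload"]["StatusItems"]}
        return fetched

    def active_configurations(self):
        """Configurations referenced by an activation and present on the device."""
        return {cid for d in self.declarations.values()
                if d["Type"] == "com.apple.activation.simple"
                for cid in d["Payload"]["StandardConfigurations"]
                if cid in self.declarations}

    def upgrade_os(self, new_version, server):
        """A local change: the device notices it and reports it only if subscribed."""
        self.status["device"]["operating-system"]["version"] = new_version
        if "device.operating-system.version" in self.subscribed:
            server.receive_status({"StatusItems": json.loads(json.dumps(self.status))})
            return True
        return False


def run_scenario():
    """Baseline sync, OS upgrade reported over the status channel, incremental re-sync."""
    server, device = MDMServer(), Device("15.5")
    first = device.sync(server)
    before = device.active_configurations()
    reported = device.upgrade_os("16.0", server)
    second = device.sync(server)
    return first, before, reported, second, device.active_configurations()


if __name__ == "__main__":
    print(run_scenario())
```

The second sync fetches only the two new declarations, which is the server-load reduction the article describes; a device that never synced (and so never received the status subscription) changes its OS version without contacting the server at all.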

Developers can watch a WWDC 2021 session on declarative device management here.

We know Apple has already called declarative device management the “future of device management,” which implies the company will continue to invest in improving its existing system.

It also sends a very clear message to developers that they should prioritize support for Apple’s system in the solutions they provide, or, in the case of clients, in the MDM systems they choose to use.

Apple’s first iteration supported iOS devices, which itself implies the company intends to extend this to its other platforms, including the Mac. Mac integration makes complete sense, given Apple Business Essentials and the continued ascendance of Macs in the enterprise, but it does seem possible the feature will only be made available to Macs running an M-series Apple Silicon chip.

We’ll be watching WWDC22 later today to find out whether this turns out to be the case. Check back here later for all the keynote highlights for enterprise IT.

