
DDM: A glorious dawn for Apple device management?

Wednesday July 2, 2025. 02:51 PM , from ComputerWorld
Since introducing it in 2021, Apple has seen Declarative Device Management (DDM) as the future of device management on its platforms.

At this year’s WWDC, it told us that future has arrived, making DDM the primary framework with which to manage Apple devices and officially confirming plans to deprecate legacy MDM software commands. Bottom line: the transition to the more powerful DDM system is mandatory.

Some of the top-level DDM changes announced at last month’s developer event include:

DDM support across all of Apple’s platforms, including iOS 26, macOS 26, iPadOS 26, tvOS 26, and visionOS 26.

DDM’s ability to configure update deferrals, set enforcement deadlines, and to define the window in which updates must take place.

Status channel reporting in Apple’s DDM support, which means devices will report compliance with DDM requests automatically, reducing server-side load.

Underpinning the system is an idea that makes devices fundamentally more autonomous while also making them intrinsically more secure. It turns out the best way to securely manage endpoints is to help them do a better job of managing themselves. It also makes the user experience simpler, bringing the convenience of enterprise-scale protection in a consumer-friendly way.

The philosophy of Declarative Device Management (DDM)

It’s helpful for anyone who uses a managed device to understand the philosophy behind DDM: principally, that it empowers both the device and the end user by simplifying the device management interaction and making the device protect itself. More autonomous devices are more resilient devices.

Take a simple software update. MDM might inform a device that it should upgrade and then poll the device frequently to see whether the upgrade has taken place. While it might eventually be done, the device is pretty dumb in the interaction, and users, network access, or other obstacles could get in the way each time the request is made. 

With DDM (and forgive this slightly unnuanced layman’s articulation), the device is instructed to upgrade and will then be required to do so by a specific time. Then, rather than polling the device to nag it to conduct the upgrade, the device itself is forced to regularly report back on whether it has achieved the desired upgraded state. In this model, the device is made aware that it should upgrade and will upgrade itself at the first possible opportunity.

There are several advantages — management is more effective, network demands are reduced, and IT has a much better overview across the state of the corporate fleet. DDM is also more secure, as the onus of reporting turns to the device, which, in conjunction with improvements in identity and zero-trust, means IT enjoys a far more accurate picture of events, and devices become less likely to become attack vectors.
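
As an added illustration (not part of the original article, and not Apple's or any vendor's code), here is how a management server might judge update compliance from a device's own status report instead of polling it. The declaration type, payload keys and status item path are taken from Apple's published DDM schema; the identifier, token, version, deadline and function names are constructed for the example, and version strings are assumed to be purely numeric.

```python
from datetime import datetime

# Constructed sample declaration; identifier, token, version and deadline are made up.
DECLARATION = {
    "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
    "Identifier": "example.softwareupdate.enforce",
    "ServerToken": "constructed-token-1",
    "Payload": {
        "TargetOSVersion": "26.1",
        "TargetLocalDateTime": "2025-10-01T18:00:00",  # device-local deadline
    },
}

def parse_version(text):
    """'26.0.1' -> (26, 0, 1), so 26.10 sorts after 26.2 (string compare gets this wrong)."""
    return tuple(int(part) for part in text.split("."))

def reported_version(status_report):
    """OS version from a device status report, or None if the item was never reported."""
    try:
        return status_report["StatusItems"]["device"]["operating-system"]["version"]
    except (KeyError, TypeError):
        return None

def compliance(declaration, status_report, device_local_now):
    """Classify a device from what it reported itself; the server never polls."""
    payload = declaration["Payload"]
    target = parse_version(payload["TargetOSVersion"])
    deadline = datetime.fromisoformat(payload["TargetLocalDateTime"])
    version = reported_version(status_report)
    if version is None:
        return "unknown"  # no status yet: treat as unverified, not as compliant
    current = parse_version(version)
    # Pad to equal length so (26, 1) and (26, 1, 0) compare as equal.
    width = max(len(current), len(target))
    current += (0,) * (width - len(current))
    target += (0,) * (width - len(target))
    if current >= target:
        return "compliant"
    return "overdue" if device_local_now > deadline else "pending"

def report(version):
    """Build a constructed status report carrying only the OS version item."""
    return {"StatusItems": {"device": {"operating-system": {"version": version}}}, "Errors": []}
```

A device that has never reported lands in "unknown" rather than "compliant", which is the state a fleet dashboard should surface for follow-up.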

What difference does it make?

Apple’s growing cohort of device management partners (Jamf to Kandji, Mosyle, Fleet, Hexnode, Addigy and beyond) already understood Apple’s intention to move toward DDM, which means they are already introducing support for the improved DDM features Apple plans.

That means users who do migrate to DDM will get access to related enhancements Apple introduced at WWDC, such as version pinning for App Store apps alongside existing software update management. With a nod to the flourishing device management market, Apple is also introducing tools to make it easier to migrate devices between different MDM providers.

All these device management features are being enabled by Apple Business Manager (ABM) and Apple School Manager (ASM), both of which are critical to Apple’s enterprise push, and both of which have been improved drastically to enable new device management features. Organizations can actually prevent personal Apple IDs from signing into corporate-owned devices, even during setup, for example. 

Apple also introduced some new capabilities to help manage devices. These included new APIs to manage new attributes; one useful addition is support for users to request temporary privilege upgrades via their device management system. IT also gains better insight into AppleCare, Managed Apple IDs, and on-device authentication, which in itself promises highly secure yet friction-free device management. We’ve looked at some of these improvements previously. You should also find updates from your chosen device management service provider, which might be of help.

Defense is the sum of all the parts

When combined with enhancements to DDM, you’ll have a system that can securely distribute security, as well as autonomy, to endpoint devices. This effectively supersedes old perimeter defenses by transforming them into a networked, more intelligent system of equally well-defended nodes working together to maintain resilience. 

https://www.computerworld.com/article/4016094/ddm-a-glorious-dawn-for-apple-device-management.html
