If your business uses Apple products, it’s very likely you also make use of its mobile device management (MDM) protocols to manage your fleet. Be forwarned, there are big changes coming with iOS 15.
Putting your device in control
Apple announced changes to its MDM system at WWDC 2021, introducing a new approach it calls “declarative management.” It’s designed to give each device more power and more responsibility, and replaces the server-heavy reactive MDM approach in use today (where a device is enrolled, profiles are downloaded, and appropriate action happens once the device confirms its status).
IT admins know that reactive MDM systems can strain management servers at certain times. With its autonomy, Apple’s approach helps reduce that workload and increases performance and scalability; it should make a particular difference when managing large fleets of Apple products.
As a result, the device becomes more autonomous and proactive, policing itself to ensure it maintains your company’s security and device policies. Under this model, the device doesn’t need to interrogate the MDM server for everything.
Check your MDM vendor for support
One thing it does require is that your MDM system supports Apple’s new approach. Most MDM solutions vendors have begun working with Apple’s new technologies and I anticipate many will be ready to roll with support for declarative management on the day the new operating systems are released.
Individual devices are still constrained by the MDM security policy, but can better assess some states rather than seeking help from the server. The devices will also proactively send updated information to servers as required.
A little on how it works
Explaining the system at WWDC, Apple described three main components. Developers and IT admins will want to go in depth with the feature on their developer channel, but a deeply simplified description of what is available follows:
Declarations: These JSON objects define policy and how the device should be configured. They manage device configuration, reference data, activations, and management functions. Your permission to request a new login password is set on the device, for example.
Status: This core tells the MDM server when a device changes, such as when iOS is updated. This module will let your system know once the device has updated that login password.
Extensibility: Both server and device tell each other when new capabilities are available, such as when an operating system upgrade is available and once it is installed.
Apple is still rolling out the different component declarations. Account, passcode and profile configurations are available now, as are two asset declarations for user ID and passwords.
Apple is also asking developers to think about how declarative management can best work with their solutions, or for their particular customer groups. It’s easy to see, for example, how device fleets in some industries might benefit from more powerful on-device autonomous MDM: shipping, exploration, underground, for example.
Not yet available for Macs
MDM developers, including Jamf, are already working with declarative management and will likely have something to introduce once iOS 15/iPadOS 15 appear.
One important thing to note is that Apple hasn’t yet made declarative management available for Macs. I think that’s only a step or so away, but might be reliant on use of systems with Apple processors (I don’t know for sure) — but it surely makes sense to add this kind of protection to Apple’s popular macOS devices.
Two additional improvements in MDM for Apple users in the enterprise will include Apple Configurator for iPhone, which lets you set up Macs for your MDM, and the capacity to erase all content and settings on Macs from within System Preferences. These enhancements will ship with the operating systems this fall.