Embracing the Future: Implementing Apple Declarative Device Management with Workspace ONE UEM

Embracing the Future: Implementing Apple Declarative Device Management with Workspace ONE UEM

Apple's Declarative Device Management (DDM) represents a significant evolution in how administrators interact with and manage their Apple fleets. Moving beyond the traditional, reactive MDM commands, DDM introduces a more proactive and intelligent approach, allowing devices to independently maintain desired states and report their status. This blog post will explore DDM and provide a step-by-step guide on how to implement it using Omnissa Workspace ONE UEM.

What is Declarative Device Management?

At its core, DDM empowers devices to manage themselves based on a set of declared states and configurations provided by the MDM solution. Instead of the MDM constantly polling the device or sending individual commands, the device receives a "declaration" of what its desired state should be. It then takes the necessary steps to achieve and maintain that state, reporting its progress and any deviations back to the MDM.

This architecture brings several key benefits:

• Proactive Management: Devices can react instantly to changes, such as a user modifying a setting that conflicts with policy, without waiting for the MDM to initiate a command.
• Reduced Latency: Fewer round trips between the device and the MDM server mean quicker enforcement of policies and faster updates.
• Improved User Experience: Policies can be applied more smoothly and in the background, with less disruption to the end-user.
• Enhanced Reporting: Devices provide granular reports on their compliance and configuration status.

Apple has openly shared its Declarative Device Management specification on GitHub, which provides a deep dive into the underlying architecture and capabilities: https://github.com/apple/device-management/tree/release

Declarations: The Building Blocks of DDM

DDM revolves around three primary types of "declarations" that are pushed to devices:

1. Configurations: These define specific settings, restrictions, or payloads that the device should apply. Think of them as the modern equivalent of traditional MDM profiles, but with DDM's enhanced intelligence.
2. Assets: Assets provide resources that configurations might need, such as certificates or identity information.
3. Activations: These combine configurations and assets, telling the device when and how to apply them. They define the desired state for a specific set of management requirements.

Omnissa Workspace ONE UEM and Declarative Device Management

Omnissa Workspace ONE UEM has embraced Apple's DDM capabilities, allowing administrators to leverage these advanced features within their existing management console. Workspace ONE UEM acts as the central hub for creating, deploying, and monitoring these declarations.

Prerequisites for DDM in Workspace ONE UEM:

Before you begin, ensure you meet the following requirements:

• Workspace ONE UEM Version: Declarative Configurations was in limited rollout in 2410 release and is now Generally Available from 2506 Patch 3
• iOS/iPadOS Version: Devices must be running iOS 16+ or iPadOS 16+ to support DDM.
• Enrolled Devices: Devices must be enrolled in Workspace ONE UEM.

Step-by-Step Implementation Guide

Let's walk through a practical example of implementing a DDM configuration using Workspace ONE UEM. For this example, we'll create a simple passcode policy using DDM.

Step 1: Navigate to Declarations in Workspace ONE UEM

1. Log in to your Workspace ONE UEM console.
2. Navigate to Resources > Profiles > ADD > Add Profile.

3. Select Apple iOS from the platform list.

4. Select DECLARATIVE from the Management Type and CONFIGURATION from the declaration type and DEVICE for Context. Click NEXT.

Step 2: Define Policy

1. Give the Configuration a name. example: “iOS – Passcode” in the Find Passcode policy and click ADD

2. You will see the Passcode Policy expand. Click Require Passcode and set your passcode requirements. Click NEXT

Step 3: Assign and Publish the Configuration

1. On the assignment screen, search for and select the Smart Group(s) to which you want to apply this DDM policy. Review the assignment and click SAVE & PUBLISH.

Once published, enrolled iOS/iPadOS 16+ devices in the assigned Smart Group will receive this DDM passcode declaration. The device will then proactively ensure that its passcode complies with the defined policy.

Monitoring DDM Policies

Workspace ONE UEM provides dashboards and device-level views to monitor the status of your DDM configurations. You can check individual device records to see if a DDM declaration has been successfully applied and if the device is compliant.

• Device Details Page: Navigate to a specific device's details page in the Workspace ONE UEM console. You should see information related to applied declarations and their compliance status.
• Compliance Dashboard: Workspace ONE UEM's compliance dashboards can be configured to report on DDM-driven compliance states.

DDM in Action: Advanced Scenarios (Beyond this Guide)

While our example focused on a simple passcode policy, DDM's true power shines in more complex scenarios:

• Automated Remediation: If a user disables a required setting, the device can automatically re-enable it without direct MDM intervention.
• Conditional Access: DDM can be integrated with conditional access policies, ensuring devices meet specific security postures before accessing corporate resources.
• Dynamic Configuration: Declarations can be structured to apply based on device characteristics or user roles, making management more adaptive.
• App Configuration: Imagine declaring that a specific app must have certain settings applied, and the device ensures this is always the case.

Conclusion

Apple Declarative Device Management, as implemented through Omnissa Workspace ONE UEM, offers a sophisticated and efficient way to manage your Apple ecosystem. By shifting intelligence to the device and empowering it to maintain desired states, administrators can achieve more robust security, better compliance, and a smoother user experience. As Apple continues to evolve its management frameworks, embracing DDM is crucial for any organization looking to stay ahead in device management.

Start exploring DDM in your Workspace ONE UEM environment today, and unlock the next generation of Apple device management!

Sources & Further Reading:

• Omnissa Documentation on DDM: https://docs.omnissa.com/bundle/ios-device-mgmtVSaaS/page/DeclarativeDeviceMgmt.html
• Apple's Device Management GitHub: https://github.com/apple/device-management/tree/release
• Apple Platform Deployment Guide (Declarative Device Management): Search for "Declarative Device Management" within the latest Apple Platform Deployment Guide for in-depth technical details.
• Various Tech Blogs & Forums: Searching for "Apple Declarative Device Management" and "Workspace ONE DDM" will yield many community-driven articles and discussions that can provide additional insights and use cases.