----------
Mike S (Apple), Jun 8th at 3:01 PM:
Declarative device management is now available on all OS's and with all MDM enrollment types. How will this help with your adoption of declarative device management?

  Jesse: Certainly just being able to test existing enrollments will be huge. Our org has no BYOD devices so the User Enrollment limitation was a big non-starter.

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:06 PM:
@Jesse asked: Will management declaration properties key-values (used for predicates) collide between the user and device channels?

  Cyrus D (Apple): Management properties are always scoped to the channel that they are sent on, so there is no possibility of name collisions.

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:08 PM:
@Jesse asked: The video showed a wonderful scenario of configuring WiFi for different buildings for different teachers. But, I don't see a declaration for e.g. WiFi configuration. Is that coming? Will more systems-management-type declarations be coming?

  Mike S (Apple): In the video, we showed using the legacy profile declaration to install WiFi. It's important to note that you can use existing profile types with declarative management. Please file feedback for which payloads you'd like to see migrated to declarative management first!

  Mike S (Apple): Do you have specific ones in mind that you could mention here? Which payloads do you think would benefit from being in declarative management?

  Jesse:
  > see migrated to declarative management first
  Well, that gives hope.

  Jesse: I'd need to think about that, but off the top of my head: OS updates would be huge. Especially if there were things like deadline dates. But of course the existing MaxDeferrals and related stuff would be great, too.
  Jesse: It was amazing how UI status was being passed back on the status channel (prompting) for a managed app.

  Jesse: If we could get status channel updates on user actions for updates that'd be... magical.

  Danielle D (Apple): Those are great candidates! It would be great to see that in feedback.

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:17 PM:
@Jesse asked: For assets (or legacy profiles) — or really anything that needs to reach out to a URL — is there (or will there be) support for authenticating the device to that URL? Perhaps certificate pinning, OAuth, or even HTTP plain, just... something?

  Cyrus D (Apple): Right now assets are always fetched from the MDM server and use the MDM protocol device identity. Providing asset downloads from other services is certainly an option and we would appreciate your feedback on what types of service and authentication would be useful.

  Jesse: Apologies if I missed it — is that documented anywhere? Does this need to match the ServerURL of the enrollment profile? More details please! :slightly_smiling_face:

  Cyrus D (Apple): You could use a dedicated endpoint at either the ServerURL or CheckInURL. The key thing is it should be the same host as those and be prepared to auth the device identity certificate as the TLS client cert.

  Jesse: Will this respect and utilize the SignMessage key?

  Jesse: (Again this is great but I'd love to see documentation on all this) :slightly_smiling_face:

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:17 PM:
@Nick asked: What features can we expect for macOS with DDM management?

  Adam S (Apple): This year, where supported by the OS, the same set of declarations and status that are available on iOS are also available on macOS and tvOS. Are there features you'd like to see for macOS in the future?
----------
Device Management - Ask a Question (workflow), Jun 8th at 3:18 PM:
@Jesse asked: Can we have a declaration to set CFPreferences/MCX style preferences (in arbitrary app domains) on macOS devices? (filed previously under FB9204865). We currently do this with 'legacy' profiles.

  Mike S (Apple): This is certainly something we can consider. What benefit do you see to having that particular payload converted to a declaration?

  Jesse: The same benefit as we use with the legacy profiles, I guess: being able to manage/enforce settings/preferences for the OS & app domains.

  Jesse: As one example we configure Munki (and many, many other apps/tools) this way.

  Danielle D (Apple): We will look to convert payloads, but it is helpful to understand the priority for customers for conversion of payloads vs. new configurations.

  Jesse: Sure. This is sort of why we suggested the CFPreferences domain (vs. pre-existing profile payloads) — it's arbitrary key-values. Let us decide what to convert over. :slightly_smiling_face:

  Mike S (Apple): I see. I was thinking you meant the ManagedPreferences payload, which could be delivered using the legacy profile declaration today.

  Mike S (Apple): So it sounds like you're already using / aware of that.

  Jesse: Well, yes, kind of like ManagedPreferences. But we also (ab)use the PayloadIdentifier<->CFPreferences link where we can just embed CFPrefs keys into an arbitrary PayloadIdentifier and it 'works' :slightly_smiling_face:

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:18 PM:
@Jesse asked: Would it be possible to have a plugin-system for e.g. custom declarations with custom status updates? (filed previously under FB9204865)

  Cyrus D (Apple): Thanks for the feedback. We have taken note of it.
----------
Device Management - Ask a Question (workflow), Jun 8th at 3:20 PM:
@Nick asked: Could there be a method for an MDM Self Service app to monitor progress of app installation locally, instead of round-tripping through the MDM server?

  Max B (Apple): Good suggestion! Can you describe what you'd want the experience to be for the admin, and what you'd want to have happen on the device?

  Nick: The MDM Self Service app should be able to have the same kind of status as the Apple App Store for when it is being installed and finished installing.

  Andrew: Similarly… I've been meaning to file feedback on the lack of OS-native visibility for progress or status on MDM-installed applications. (Is the VPP thing happening? What is its status? Is Office really going to download?)

  Nick: iOS MDM Self Service suffers because the MDM app can't query the local device for status.

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:26 PM:
@Nick asked: What is the best way to monitor install progress for VPP apps? Particularly during macOS provisioning. (For example, Xcode)

  Cyrus D (Apple): The new mdm.app status item can provide immediate feedback on the installation state of apps installed by MDM only. We do not report on the state of apps installed via other means or already present on the device. Note that this is currently limited to iOS and tvOS only. Please file a feedback request specifically for supporting this on macOS to help us track interest in that.

  Andrew: Holy cripes! Yes, macOS! ++++

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:28 PM:
@Wylan asked: Not a question, but just wanted to say thank you to the MDM team. Everything you've announced this year looks really exciting and powerful!
  Danielle D (Apple): The engineering team has done a stellar job! We are so excited to bring you all the new Declarative Device Management features.

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:30 PM:
@Jesse asked: Will we have a Declarative Management 'mdmclient' simulator someday? Is MDM testing planned to ever be something we could simulate (preferably in a CI/CD type environment - i.e. command-line/code driven)?

  Cyrus D (Apple): Can you provide feedback (either here or via Feedback Assistant) with examples of how you use mdmclient now in CI/CD flows?

  Jesse: We don't right now. I created this https://github.com/jessepeterson/mdmb to test development of MDM servers, capabilities and load testing, though. (mdmb is a tool for simulating Apple devices interacting with Apple MDM servers.)

  Jesse: I'd love for Apple to provide us with tools to allow us to test MDM servers and protocols and such.

  Jesse: Sort of like the depsim and vppsim tools from days of yore.

  Cyrus D (Apple): What specific aspects of device management are you looking to verify? Basic protocol behavior (HTTP etc), actual payload behaviors? The latter would be complex for sure.

  Jesse: As much as is practical. But yes basic enrollment capability would be a start with full 'protocol level' support there. Agreed actual payload-specific behavior would be less important (in my eyes).

  Jesse: Not a focus of this lounge I know, but we'd love to be able to put VMs into DEP to test ADE workflows.
  Jesse: Or, even better — somehow be able to start up MacBuddy/SetupAssistant in a 'provision' mode to test those workflows heh.

  Jesse: (there are commands that can only be done in AwaitConfigured state — and that's a difficult thing to test in some cases as it requires a device re-provision)

  Jesse: again, bit of a distraction

  Cyrus D (Apple): The new open source device management schema data does make it fairly easy to write tools that verify the compliance of MDM commands, profiles, and declarations (i.e., verify that required keys are present, they have the right value types etc). It would be interesting to see if the device management community is interested in building a set of common tools around that.

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:34 PM:
@Steven asked: Are there any recommendations for how to migrate from OD binding to Platform SSO, e.g. any plans or specific steps we should consider?

  Max B (Apple): We're just focused on declarative device management for this lounge activity, but we'd suggest taking this to the general Device Management lounge tomorrow or to the 1:1 labs!

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:34 PM:
@Jesse asked: How best can we provide feedback or feature requests for DDM? Is that Apple Feedback Assistant? Are there any keywords or things we should specifically mention?

  Adam S (Apple): Feedback Assistant would be great! There is an Enterprise & Education section, where you can then choose Mobile Device Management from the area dropdown. (2 files attached: image.png, image.png)

----------
Mike S (Apple), Jun 8th at 3:36 PM:
Question for the group: Declarative device management's new management properties declarations let you set arbitrary properties on the device to trigger activations via predicates.
In our session we used a user's roles (group membership) as an example. What types of properties do you see being used?

  Blayn: Supervised state would be helpful. To differentiate between BYOD and corporate owned - is that the sort of property you mean?

  Mike S (Apple): That's useful feedback -- a property that we could provide for you. But I was referring to the ability for MDM servers to push down their own properties that could then be used in predicates. Is there anything that you'd envision sending down to the device that would then be used in a predicate?

  Blayn: Group membership, for us, would be useful. While similar to roles, it's not the same.

  Jesse: It's great that it's arbitrary key-values. So we can do pretty much anything we want.

  Jesse: As you well noted in the video, classifying a device in a 'protected' mode which would change the device's configuration stance/security posture is something we already do by other means.

  Jesse: But yeah, all the normal stuff: locality (buildings/campuses), group membership, 'roles'.

  Jesse: I could envision like... configuration tests and sharding (this set of configs gets rolled incrementally)

  Jesse: e.g. shard: 30 or whatever, and then you can guard predicates on that

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:41 PM:
@Anshuman asked: What is the difference between the MDM currently being used and Declarative MDM?

  Cyrus D (Apple): Declarative device management is a new paradigm for managing Apple devices that runs on top of MDM and is now supported on all OS's and all MDM enrollment types.

  Cyrus D (Apple): A great introduction to that is WWDC21's Meet Declarative Device Management video, which you can access via the Developer.app from the App Store.

  Max B (Apple): Available here!
  https://developer.apple.com/wwdc21/10131 (Meet declarative device management - WWDC21 - Videos - Apple Developer)

  Anshuman: ok thanks!

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:43 PM:
@Jesse asked: Less of a question and more of an ask: We'd like to see better FileVault-enabling/enforcing workflows. DDM would be a great candidate for that — especially status channel updates!

  Mike S (Apple): That's great feedback! Can you elaborate on what status channel information you were looking for?

  Jesse: FileVault enabled status (on/off) would be one, of course. Escrowed recovery key is the other obvious one, perhaps. I'd also like to know which users it's enabled for, when it was turned on, and probably more. :slightly_smiling_face:

----------
Device Management - Ask a Question (workflow), Jun 8th at 3:46 PM:
@Shawn asked: Is Apple going to provide anything to admins to easily convert configuration profiles to declarative management profiles or will MDM providers need to handle that?

  Cyrus D (Apple): We expect that will be up to MDM vendors to handle. There likely won't be a one-to-one mapping between profile keys and configuration keys, so a custom mapping will be needed. However, our new open source device management schema data (https://github.com/apple/device-management) has machine readable versions of both profiles and configurations that should help with that process.
----------
Device Management - Ask a Question (workflow), Jun 8th at 3:48 PM:
@Wylan asked: Are there any plans to make it possible to add macOS virtual machines to Apple Business Manager for testing DEP enrollment flows? This process is much easier to test when you can roll back a VM to a snapshot instead of needing to wipe a physical test device over and over.

  Danielle D (Apple): There is nothing to share about this at this time, but your feedback about this would be helpful.

----------
Mike S (Apple), Jun 8th at 3:52 PM:
Question for the group: How do you envision using the new MDM app status information? Do you plan to use that information in predicates on the device, use it in business logic that still exists on the server, or simply surface the information to the admin?

  Jesse: App inventory is an obvious one. Inventory (especially version specific) is often tied to vuln scanning. So, automated security vulnerability scanning would be useful here. Granted this is most useful for all apps and not just those installed via MDM.

  Blayn: This is an interesting question, especially since it's been stated that only MDM-issued installations and status are monitored, but managed app states are definitely something we rely on now for compliance - and there are conditionals based on that status - but also include apps and processes outside what is managed. Predicates activating on-device conditionally could potentially shift a lot of how those rules are written - honestly it's kind of difficult to envision. I think we're all eager to see implementation by our respective MDM vendors to make this more tangible.
----------
Device Management - Ask a Question (workflow), Jun 8th at 3:59 PM:
@Christopher asked: Is it possible to use an Activation predicate to trigger the installation of an MDM 1 profile via the LegacyProfile configuration object for MDM 1 profiles that aren't yet supported in DDM, i.e. DirectoryServices/802.1x/etc.?

  Cyrus D (Apple): Yes, that is absolutely possible! In fact, the whole reason for the legacy profile configuration is to make the declarative approach available for all existing MDM profiles, as we gradually migrate more of those to "native" declaration types.

----------
Device Management - Ask a Question (workflow), Jun 8th at 4:00 PM:
@Johan asked: The MDM app status for apps which are using VPP. This is troublesome with larger apps like Xcode where VPP has historically been extremely unreliable. Have there been any improvements there to help drive this adoption?

  Adam S (Apple): Is this a request to add app status for macOS or is there a specific issue with larger apps you're seeing?

  Johan:
  > Is this a request to add app status for macOS
  In the presentation you mentioned that declarative device management was being extended to all management functionalities possible in macOS Ventura. This would make me assume that the MDM app status reporting would be included within this. Is that not the case?
  > is there a specific issue with larger apps you're seeing?
  This also is a problem, larger apps like Xcode fail to reliably install within reasonable timeframes and there is no user or admin facing feedback. Addressing both these concerns would be critical in driving adoption.

  Johan: Also specifically with Xcode, MANY developers have situations where they would like to have different versions of Xcode installed at the same time, e.g. Xcode-12.4.app and Xcode-13.3.app. This functionality and using Xcode installed via VPP is not possible.
  Johan: What would be the way of accomplishing this workflow with this new VPP requirement to get app status feedback?

  Mike S (Apple): MDM app status is currently available only on iOS and tvOS.

  Jesse: fwiw MDM installation of any app on macOS is so unreliable as to be a non-starter for us at the moment. We defer to better tooling like Munki. As an FYI.

  Steven: The developer site allows downloading arbitrary versions of Xcode, doesn't have to be part of the "primary" version installed via MDM

----------
Device Management - Ask a Question (workflow), Jun 8th at 4:05 PM:
@Christopher asked: Is there a list of predicates that the system exposes?

  Cyrus D (Apple): Predicates use the NSPredicate syntax documented at https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Predicates/AdditionalChapters/Introduction.html. You can use any available status item as a key in a predicate or use any key from a management properties declaration. There are some examples of that in the video.
----------