Explore advances in declarative device management notes
https://developer.apple.com/wwdc23/10041

Previous sessions to refer to:
* Adopt DDM (WWDC 2022): https://developer.apple.com/wwdc22/10046
* Meet DDM (WWDC 2021): https://developer.apple.com/wwdc21/10131

Acronyms used:
* MDM = Mobile Device Management
* DDM = Declarative Device Management

Apple's focus is now on DDM, with new protocol features being added to DDM going forward.

Update on platform support:
* Both MDM and DDM are now available for watchOS.
Note: For more information, please see the "Meet device management for Apple Watch" session: https://developer.apple.com/wwdc23/10039

Focus is on core management features in the following areas:
* Enforcing software updates
* Managing apps
* Securing devices
  - Locking down system services
  - Monitoring background tasks
* Installing certificates and identity credentials
* New behavior to make the transition of profiles from MDM to DDM easier

New software update experience managed by DDM:
Platforms:
* macOS
* iOS
* iPadOS
Can enforce:
* Software updates to a specified OS version and build at a specified time
New status items which can report on:
* Software update status on a device
* Details of installation state
* Failures and the reasons for the failures
Example configuration workflow shown in the session video from 6:29 - 10:11.
DDM software update configurations can coexist with MDM software update commands.
  - Software updates enforced by DDM take precedence over MDM commands or profiles.

App management via DDM:
DDM provides new options for app management:
* A DDM configuration can specify that an app be available on a device at a desired time.
  - The app can be sent to the device ahead of time, then made available when needed.
  - Administrators can switch between sets of apps as needed.
* An app can be shown to the user without being installed, so that the user can choose when to install it.
  - Since the user is choosing to install, no consent prompt appears.
* Asynchronous reporting keeps the admin up to date on changes to managed apps on the endpoints.
Example configuration workflow shown in the session video from 12:58 - 17:39.
New "Apps and Books for Organizations" server API is available for use.
  - Replaces the existing contentMetadataLookup server API.

Using DDM for security compliance for macOS system services and background tasks:
DDM configurations can be used to specify sets of tamper-resistant system configuration files for different system services.
  - Status items can be used to monitor background tasks.
SSH is mentioned as an example service which can be managed.
DDM predicates allow compliance rules to be set and triggered using the device state.
Example configuration workflow shown in the session video from 20:30 - 17:39.
Built-in services which can be managed:
* sshd
* sudo
* PAM
* CUPS
* Apache httpd
* bash
* zsh
FileVault status can be monitored via DDM:
Status item: diskmanagement.filevault.enabled
  - Returns a boolean value indicating whether FileVault is enabled.
This allows administrators to quickly verify that required tasks are running and that unwanted tasks are not running.

DDM management of security certificates and identities:
DDM can provide a more efficient mechanism than MDM for managing certificates and identities.
  - Certificates and identities can be defined as asset declarations.
  - Configurations can then reference those assets.
  - Multiple configurations can reference the same asset.
  - Multiple assets can be referenced by a configuration.
Status for certificates and identities can also be reported, allowing quick feedback when new identities are provisioned.
Example configuration workflow shown in the session video from 28:03 - 30:44.

DDM management of enterprise passkeys:
New enterprise passkey attestation configuration that can be used to securely generate a passkey for a user on a device when they visit any site specified by the configuration.
  - The configuration references an identity asset, which is then used to perform a WebAuthn attestation of the generated passkey.
  - The WebAuthn relying party can then verify the provided attestation and allow access to the relevant sites.
This feature allows admins to restrict passkeys to specific devices.
Platforms:
* macOS
* iOS
* iPadOS
Note: For more information, please see the "Deploy passkeys at work" session: https://developer.apple.com/wwdc23/10263
Details of how the MDM server and relying party work together to implement this flow can be found in the session "Deploy passkeys at work."

Mail and Exchange account DDM configurations have been updated to support S/MIME, bringing feature parity with their MDM profile payload equivalents.
The DDM configurations can now reference identity assets that can be used for S/MIME signing and encryption.
Platforms:
* iOS
* iPadOS

Transitioning from MDM to DDM:
DDM is built into MDM and can be used in parallel with MDM to add new management capabilities.
DDM also now supports taking over management of already installed MDM profiles without the need to remove them.
To enable this: the DDM server sends and activates a configuration that contains the same profile as one already installed by MDM.
  - The DDM configuration then takes over management of that profile without reinstalling or updating it.
  - MDM is no longer able to make changes to that profile; DDM owns it from that point forward.
Platforms:
* macOS
* iOS
* iPadOS
* tvOS
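The asset-and-configuration model from the certificates and identities section (one identity asset referenced by several configurations, and the S/MIME identity reference in the Mail and Exchange configurations) as an added example; this is not Apple's code or the session's sample code. The envelope keys Type/Identifier/ServerToken/Payload and the DeclarationItems layout are part of the DDM protocol; the declaration Type strings, the Payload keys (especially the `SigningIdentityAssetIdentifier` placeholder), the `mdm.example` hostname and the hash values are assumptions or constructed placeholders, as marked in the comments.

```python
import hashlib
import json

# Added example, not Apple's code. The envelope keys Type/Identifier/ServerToken/
# Payload and the DeclarationItems layout (Declarations.{Activations,Assets,
# Configurations,Management} plus DeclarationsToken) are part of the DDM protocol.
# The Type strings and Payload keys in build_sample_store() are ASSUMED from the
# author's recollection of the published schema; check them against Apple's
# Device Management documentation before using them for real.


def _canonical(obj):
    """Deterministic JSON bytes so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def server_token(dtype, identifier, payload):
    """A device refetches a declaration only when its ServerToken changes,
    so derive the token from the content it describes."""
    body = {"Type": dtype, "Identifier": identifier, "Payload": payload}
    return hashlib.sha256(_canonical(body)).hexdigest()


class DeclarationStore:
    """Server-side set of declarations for one device or device group."""

    KINDS = ("Activations", "Assets", "Configurations", "Management")

    def __init__(self):
        self._decls = {kind: {} for kind in self.KINDS}

    def put(self, kind, dtype, identifier, payload):
        if kind not in self.KINDS:
            raise ValueError(f"unknown declaration kind {kind!r}")
        self._decls[kind][identifier] = {
            "Type": dtype,
            "Identifier": identifier,
            "ServerToken": server_token(dtype, identifier, payload),
            "Payload": payload,
        }

    def declaration(self, identifier):
        """Full declaration, as served to a device's declaration request."""
        for kind in self.KINDS:
            if identifier in self._decls[kind]:
                return self._decls[kind][identifier]
        raise KeyError(identifier)

    def declaration_items(self):
        """The manifest a device fetches first: identifiers and tokens only."""
        decls = {
            kind: [{"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]}
                   for d in sorted(self._decls[kind].values(),
                                   key=lambda d: d["Identifier"])]
            for kind in self.KINDS
        }
        return {"Declarations": decls,
                "DeclarationsToken": hashlib.sha256(_canonical(decls)).hexdigest()}


def changed_tokens(before, after):
    """Identifiers whose ServerToken differs between two manifests: the set a
    device will refetch after it sees a new DeclarationsToken."""
    def flat(items):
        return {e["Identifier"]: e["ServerToken"]
                for entries in items["Declarations"].values() for e in entries}
    b, a = flat(before), flat(after)
    return sorted(i for i in a if b.get(i) != a[i])


def build_sample_store(identity_sha256):
    """One identity asset referenced by two account configurations.
    Hostname, identifiers and the hash argument are constructed placeholders."""
    store = DeclarationStore()
    store.put("Assets", "com.apple.asset.credential.identity", "asset.identity.smime", {
        "Reference": {
            "DataURL": "https://mdm.example/assets/smime.p12",   # placeholder host
            "ContentType": "application/x-pkcs12",
            "Hash-SHA-256": identity_sha256,
        },
    })
    # The key that points a configuration at its identity asset is a placeholder
    # name (ASSUMED); the real key is defined per type in the schema.
    for ident, dtype in (("config.mail.corp", "com.apple.configuration.account.mail"),
                         ("config.exchange.corp", "com.apple.configuration.account.exchange")):
        store.put("Configurations", dtype, ident, {
            "VisibleName": "Corp account",
            "SigningIdentityAssetIdentifier": "asset.identity.smime",
        })
    store.put("Activations", "com.apple.activation.simple", "activation.accounts", {
        "StandardConfigurations": ["config.mail.corp", "config.exchange.corp"],
    })
    return store


def rotate_identity():
    """Rotate the S/MIME identity: only the asset's token (and therefore the
    DeclarationsToken) changes; the two referencing configurations are untouched."""
    before = build_sample_store("0" * 64).declaration_items()   # constructed hash
    after = build_sample_store("1" * 64).declaration_items()    # constructed hash
    return changed_tokens(before, after)
```

The point the page makes about shared assets shows up in `rotate_identity()`: because both configurations reference the asset by identifier rather than embedding the credential, a renewed identity changes one declaration and the device re-resolves the reference, while the configuration declarations keep their tokens and are not resent. Content-derived tokens also give a cheap audit check: any token that changes without a corresponding change in the stored payload indicates the store was modified outside the normal path.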
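The status-channel side of the compliance section (the `diskmanagement.filevault.enabled` status item and the "verify required tasks are running" point) as an added example, not Apple's code: a small Python evaluator that subscribes to status items, flattens a posted status report back into dotted item names, and turns them into findings. The report shape (nested StatusItems, an Errors list) and the `softwareupdate.install-state` item and the status-subscriptions declaration layout are the author's recollection of the protocol and are marked as assumptions in the comments; the sample report is constructed.

```python
import json

# Added example, not Apple's code. As the author understands the DDM status
# channel, the device POSTs JSON whose StatusItems dictionary nests each dotted
# status-item name by path component, and Errors lists items it could not report.
# diskmanagement.filevault.enabled is the item named in the session;
# softwareupdate.install-state and the subscription declaration layout are
# ASSUMED. Verify both against Apple's Device Management documentation.

# Constructed sample report from a device whose FileVault is off.
SAMPLE_REPORT = json.loads("""{
  "StatusItems": {
    "diskmanagement": {"filevault": {"enabled": false}},
    "softwareupdate": {"install-state": "installing", "pending-version": "14.3"}
  },
  "Errors": []
}""")


def flatten(status_items, prefix=""):
    """Turn the nested StatusItems tree back into dotted status-item names."""
    flat = {}
    for key, value in status_items.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = value
    return flat


# (status item name, predicate on its value, message when the predicate fails)
RULES = [
    ("diskmanagement.filevault.enabled", lambda v: v is True,
     "FileVault is not enabled"),
    ("softwareupdate.install-state", lambda v: v != "failed",
     "enforced software update failed"),
]


def evaluate(report, rules=RULES):
    """Compliance findings for one status report. An item the device did not
    report is itself a finding: absence is not evidence of compliance, it
    usually means the server never subscribed to the item or the report is partial."""
    flat = flatten(report.get("StatusItems", {}))
    findings = []
    for name, predicate, message in rules:
        if name not in flat:
            findings.append((name, "not reported"))
        elif not predicate(flat[name]):
            findings.append((name, message))
    # Surface device-side errors verbatim; their exact shape is not assumed here.
    for err in report.get("Errors", []):
        findings.append(("Errors", json.dumps(err, sort_keys=True)))
    return findings


def required_items(rules=RULES):
    """Status items the rule set depends on, i.e. what the server must subscribe to."""
    return [name for name, _, _ in rules]


def status_subscription(names, identifier="management.status.compliance"):
    """Management declaration subscribing the device to the given status items.
    Type string and StatusItems/Name layout are ASSUMED; identifier is a placeholder."""
    return {
        "Type": "com.apple.management.status-subscriptions",
        "Identifier": identifier,
        "Payload": {"StatusItems": [{"Name": n} for n in names]},
    }
```

Deriving the subscription from the same rule table that drives `evaluate()` keeps the two from drifting apart: adding a rule automatically subscribes the device to the item it needs, and a rule whose item never arrives is reported as "not reported" rather than silently passing.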