Notes from Explore advances in declarative device management (Wednesday, June 7th 2023)

I took notes during the "Explore advances in declarative device management" session. If interested, please see the attached "Notes from session":

Explore advances in declarative device management notes

https://developer.apple.com/wwdc23/10041

Previous sessions to refer to:

Adopt DDM (WWDC 2022): https://developer.apple.com/wwdc22/10046
Meet DDM (WWDC 2021): https://developer.apple.com/wwdc21/10131

Acronyms used:

MDM = Mobile Device Management
DDM = Declarative device management

Apple's focus is now on DDM, with new protocol features being added to DDM going forward.


Update on platform support:

Both MDM and DDM now available for watchOS

Note: For more information, please see the "Meet device management for Apple Watch" session: https://developer.apple.com/wwdc23/10039

Focus is on core management features in the following areas:

* Enforcing software updates
* Managing apps
* Securing devices
	- Locking down system services
	- Monitoring background tasks
* Installing certificates and identity credentials
* New behavior to make transition of profiles from MDM to DDM easier.


New software update experience managed by DDM:

Platforms:

* macOS
* iOS
* iPadOS

Can enforce:

Software updates for a specified OS version and build at specified time

New status items which can report on:

* Software update status on a device
* Details of installation state
* Failures and the reasons for the failures

Example configuration workflow shown in the session video from 6:29 - 10:11.

DDM software update configurations can coexist with MDM software update commands.
	- Software updates enforced by DDM will take precedence over MDM commands or profiles

App management via DDM

DDM provides new options for app management:

DDM configuration can specify an app be available on a device at a desired time.
	- App can be sent to the device ahead of time, then made available when needed.
	- Administrators can switch between sets of apps as needed.
	- App can be shown to user without the app being installed, so that the user can choose when to install it.
		- Since user is choosing to install, no consent prompt appears.
	- Asynchronous reporting keeps the admin up to date on changes to managed apps on the endpoints.

Example configuration workflow shown in the session video from 12:58 - 17:39.

New "Apps and Books for Organizations" server API is available for use.
	- Replaces the existing contentMetadataLookup server API.


Using DDM for security compliance for macOS system services and background tasks:


DDM configurations can be used to specify sets of tamper-resistant system configuration files for different system services. 
	- Status can be used to monitor background tasks.

SSH mentioned as an example service which can be managed.

DDM predicates can enable compliance rules to be set and triggered using the device state. 

Example configuration workflow shown in the session video from 20:30 - 17:39.

Built-in services which can be managed:

sshd
sudo
PAM
CUPS
Apache httpd
bash
zsh

FileVault status can be monitored via DDM

Status item: diskmanagement.filevault.enabled
	- Returns a boolean value to indicate whether FileVault is enabled or not

This allows administrators to quickly verify that required tasks are running and that unwanted tasks are not running. 

DDM management of security certificates and identities


DDM can provide a more efficient mechanism than MDM for managing certificates and identities

- Certificates and identities can be defined as asset declarations
- Configurations can then reference those assets
- Multiple configurations can reference the same asset.
- Multiple assets can be referenced by a configuration

Status for certificates and identities can also be reported, allowing quick feedback when new identities are provisioned.

Example configuration workflow shown in the session video from 28:03 - 30:44.


DDM management of enterprise passkeys:


New enterprise passkey attestation configuration that can be used to securely generate a passkey for a user on a device when they visit any site specified by the configuration.

- Configuration references an identity asset, which is then used to perform a WebAuthn attestation of a generated passkey
- WebAuthn-relying service can then verify the provided attestation and allow access to the relevant sites.

This feature allows admins to restrict passkeys to specific devices

Platforms:

* macOS
* iOS
* iPadOS

Note: For more information, please see the "Deploy passkeys at work" session: https://developer.apple.com/wwdc23/10263

Details of how the MDM server and relying party work together to implement this flow can be found in the session "Deploy passkeys at work." 


Mail and Exchange account DDM configurations have been updated to support S/MIME to bring feature parity with their MDM profile payload equivalents.

The DDM configurations can now reference identity assets that can be used for S/MIME signing and encryption.

Platforms:

* iOS
* iPadOS


Transitioning from MDM to DDM:


DDM is built into MDM and can be used in parallel with MDM to add new management capabilities. DDM also now supports taking over management of already installed MDM profiles without the need to remove them. 

To enable this: DDM server sends and activates a configuration that contains the same profile as one already installed by MDM.
	- DDM configuration then takes over management of that profile without reinstalling or updating it. 
	- MDM is no longer able to make changes to that profile; DDM owns it from that point forward.

Platforms:

* macOS
* iOS
* iPadOS
* tvOS

For the session video, please see the following link: https://developer.apple.com/wwdc23/10041
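An added example, not part of these notes or of Apple's code: a small Python helper that builds the status-subscription declaration for the FileVault status item mentioned above and evaluates the status report a device sends back, treating a missing item as unknown rather than compliant. The declaration Type string and the nested StatusItems report layout are my reading of Apple's DDM protocol documentation (verify against the current docs); the sample report is constructed.

```python
import hashlib
import json

# Status item named in the session notes; the device reports it as a nested
# dictionary keyed by the dotted path components (diskmanagement -> filevault -> enabled).
FILEVAULT_ITEM = "diskmanagement.filevault.enabled"


def status_subscription(identifier: str, item_names: list[str]) -> dict:
    """Build a DDM status-subscription configuration declaration.

    Type name assumed from Apple's DDM protocol documentation. ServerToken is
    derived from the payload so it changes whenever the subscription changes,
    which is what tells the device to re-sync this declaration.
    """
    payload = {"StatusItems": [{"Name": name} for name in item_names]}
    token = hashlib.sha256(
        json.dumps(payload, sort_keys=True).encode()).hexdigest()[:16]
    return {
        "Type": "com.apple.configuration.management.status-subscriptions",
        "Identifier": identifier,
        "ServerToken": token,
        "Payload": payload,
    }


def lookup_status_item(report: dict, name: str):
    """Walk the dotted item name through the nested StatusItems dictionary.

    Returns None when the device has not (yet) reported the item, so that
    'unknown' is never confused with 'disabled'.
    """
    node = report.get("StatusItems", {})
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def filevault_compliance(report: dict) -> str:
    """Classify a status report as compliant / noncompliant / unknown."""
    value = lookup_status_item(report, FILEVAULT_ITEM)
    if value is True:
        return "compliant"
    if value is False:
        return "noncompliant"
    return "unknown"  # item missing or not a boolean: never assume encrypted


# Constructed sample status report (not captured from a real device)
SAMPLE_REPORT = {"StatusItems": {"diskmanagement": {"filevault": {"enabled": False}}}}
```

Feeding the declaration to the device and receiving the report is the MDM/DDM server's job; this only shows the document shapes and the compliance decision.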

Has anyone found the documentation for the new "Apps and Books for Organizations" server API? Cyrus just said to go to developer.apple.com but that's a pretty big site and I can't find documentation for the new API anywhere.
