Use declarative device management to manage Apple devices
Your organization can manage the state of a device—and maintain that state—by having devices independently apply configurations based on certain criteria. This management process, known as declarative device management, gives you new ways to enforce software updates, deploy configurations, and keep an up-to-date view across your managed devices. To make adoption simpler, the protocol has been added to the existing MDM protocol. (To learn what features of declarative device management are available for your devices, consult your MDM vendor’s documentation.)
Enable declarative device management
You enable declarative device management by sending a special MDM command to a device. For two Apple devices—Mac, and iPad devices offering Shared iPad—there’s support for multiple users, and you can also assign declarations to the user channel. To enable declarative device management on both the device and the user channel, you need to send a command to each.
For more information about Shared iPad, see Shared iPad overview.
Define configurations
Because the declarative device management approach is modular, it offers you great flexibility when defining a device’s configuration. Instead of using a one-to-one relationship—with one activation referring to a single configuration and potentially to a single asset—it uses a more efficient approach.
For example, an activation can group, at the same time, all the configurations that need to get applied. To avoid unnecessary repetition, you can use the same configuration in multiple activations. Just as with configurations, assets can similarly be used by multiple configurations. In addition, assets can be updated independent of related configurations. This autonomous approach reduces user impact because the configuration itself remains on the devices. It’s particularly useful when an account’s credential information needs to be updated while avoiding a full resync of associated data and retaining local user settings.
Transition to declarative device management
To help smooth the transition to declarative device management, the MDM protocol includes various functions. For example, you can embed existing profiles into a legacy profile declaration. Or you can have an MDM solution take ownership of an already deployed profile and migrate it into a legacy configuration declaration. In this way, you avoid removing an existing profile and replacing it with a configuration that could disrupt the user.
If the same setting is sent as an MDM profile and a declarative configuration to a device, the same rules apply as if the setting was delivered by multiple profiles. For example, if passcode policies are configured by a profile and a configuration, the policies are merged and the strictest settings are enforced.
Important: Software update and app configurations applied using declarative device management take precedence over the similar MDM commands.
Manually install declarations
For devices with iOS 17, iPadOS 17, macOS 14, visionOS 1.1, or later, organizations and MDM developers can perform tests by manually installing a profile containing declarations—from Settings (for iPhone, iPad, and Apple Vision Pro) or from System Settings (for Mac). You can use this option to install accounts, legacy profiles, passcode and screen sharing configurations, and certificates and identities.
Activation predicates
Declarative device management lets devices apply configurations independently based on certain criteria. The criteria are defined as logical conditions that work using predicates.
Activations can include optional predicates that determine whether the configurations referenced in the activation are applied to the device. For activation predicates, you can use available status reports and custom management properties. Your organization defines these custom management properties as integer, string, or Boolean values, or as arrays. An activation can make use of them to determine whether a certain set of configurations should be applied.
The benefit of activation predicates is in smart use cases, where devices can be preloaded with declarations, which automatically activate when the correct management property is sent by the MDM solution. This approach can help avoid complex grouping and scoping on the MDM side.
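The modular model and the predicates described above can be checked before deployment. The following is an added example, not Apple's or any MDM vendor's code: it lints a constructed declaration set for references that point nowhere and reports which configurations are shared by several activations. The identifiers, host name, and predicate string are constructed, and treating any payload key ending in AssetReference as an asset pointer is an assumption of this example.

```python
# Constructed declaration set (not from the page): two activations share one
# passcode configuration; the mail configuration names a credential asset
# that was never defined, which the linter should catch.
DECLARATIONS = [
    {"Type": "com.apple.activation.simple", "Identifier": "act.all",
     "Payload": {"StandardConfigurations": ["cfg.passcode"]}},
    {"Type": "com.apple.activation.simple", "Identifier": "act.ipad",
     "Payload": {"StandardConfigurations": ["cfg.passcode", "cfg.mail"],
                 "Predicate": "(@status(device.model.family) == 'iPad')"}},
    {"Type": "com.apple.configuration.passcode.settings", "Identifier": "cfg.passcode",
     "Payload": {"RequirePasscode": True, "MinimumLength": 8}},
    {"Type": "com.apple.configuration.account.mail", "Identifier": "cfg.mail",
     "Payload": {"IncomingServer": {
         "HostName": "mail.example.com",
         "AuthenticationCredentialsAssetReference": "asset.mailcred"}}},
]

def asset_refs(node):
    """Yield every string stored under a key ending in 'AssetReference' (assumption)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.endswith("AssetReference") and isinstance(value, str):
                yield value
            else:
                yield from asset_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from asset_refs(item)

def lint(declarations):
    """Return (shared, problems): reuse map and dangling or mistyped references."""
    by_id = {d["Identifier"]: d for d in declarations}
    users, problems = {}, []
    for d in declarations:
        kind = d["Type"].split(".")[2]  # activation / configuration / asset
        if kind == "activation":
            refs, wanted = d["Payload"].get("StandardConfigurations", []), "configuration"
        elif kind == "configuration":
            refs, wanted = list(asset_refs(d["Payload"])), "asset"
        else:
            continue
        for ref in refs:
            target = by_id.get(ref)
            if target is None or target["Type"].split(".")[2] != wanted:
                problems.append(f"{d['Identifier']} -> {ref}: no such {wanted}")
            else:
                users.setdefault(ref, []).append(d["Identifier"])
    shared = {ref: ids for ref, ids in users.items() if len(ids) > 1}
    return shared, problems
```

The predicate is carried as an opaque string here; it is evaluated on the device, not by this check.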
Software updates
Declarative device management can be used to manage updates in iOS, iPadOS, and macOS. It provides new options for when and how a software update or upgrade should be enforced. And users get additional information in Settings (iOS and iPadOS) and System Settings (macOS) when an update is requested and when it’s enforced.
Additional notifications are shown more frequently leading up to the enforcement date. To ensure that these notifications are displayed to the user, the Do Not Disturb feature is ignored 24 hours before an update is enforced. This allows users to select the most appropriate time to perform the update. In case the user hasn’t installed the update before the enforcement date:
macOS force quits open apps and performs a restart if necessary.
iOS and iPadOS force the user to enter their passcode if one is set (unless it was provided earlier).
To initiate an update, the following new keys can be used:
TargetOSVersion and TargetBuildVersion: Define the version to be updated to. If both keys are set, TargetBuildVersion takes precedence.
TargetLocalDateTime: Defines the local time of the device when the update is enforced.
DetailsURL: Provides the URL of a webpage which can be used by the organization to provide more information and context about the update.
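A sketch of how an MDM-side tool might assemble and sanity-check these keys before sending them. This is an added example, not Apple's or any MDM vendor's code. The function name, the version and build values, and the URL are constructed; requiring at least one target, rejecting a UTC offset on the deadline, requiring https for DetailsURL, and deriving ServerToken from a payload hash are choices of this example.

```python
import hashlib
import json
from datetime import datetime
from urllib.parse import urlparse

DECL_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"

def build_enforcement(identifier, local_deadline, os_version=None,
                      build_version=None, details_url=None):
    """Return (declaration, effective_target); raise ValueError on bad input."""
    if not (os_version or build_version):
        raise ValueError("set TargetOSVersion and/or TargetBuildVersion")
    # TargetLocalDateTime is the device's local time, so a value that carries
    # a UTC offset is rejected instead of being silently converted.
    deadline = datetime.fromisoformat(local_deadline)
    if deadline.tzinfo is not None:
        raise ValueError("TargetLocalDateTime must not carry a time zone")
    payload = {"TargetLocalDateTime": deadline.strftime("%Y-%m-%dT%H:%M:%S")}
    if os_version:
        payload["TargetOSVersion"] = os_version
    if build_version:
        payload["TargetBuildVersion"] = build_version
    if details_url:
        # Example policy: users are sent to this page, so require TLS.
        if urlparse(details_url).scheme != "https":
            raise ValueError("DetailsURL should be an https:// page")
        payload["DetailsURL"] = details_url
    # When both targets are present, the build version takes precedence.
    effective = (("TargetBuildVersion", build_version) if build_version
                 else ("TargetOSVersion", os_version))
    # Example choice: token changes whenever the payload changes.
    token = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
    declaration = {"Type": DECL_TYPE, "Identifier": identifier,
                   "ServerToken": token, "Payload": payload}
    return declaration, effective

if __name__ == "__main__":
    decl, target = build_enforcement(
        "update.example", "2025-03-01T18:00:00",
        os_version="18.3.1", build_version="22D72",  # constructed sample values
        details_url="https://it.example.com/updates")
    print(json.dumps(decl, indent=2))
    print("device will be moved to", target)
```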
Using declarative status reports, MDM solutions can also get increased transparency about the status of the update—for example, waiting for, downloading, or installing the update. Meaningful error codes have been added in case an update couldn’t be performed or was unable to be completed. Some examples are if the device was offline, if the battery charge was too low, or if not enough free space was available.