Apple declarative management introduces a shift from the traditional command-based model to a more autonomous and flexible framework. This approach aims to improve the efficiency and responsiveness of managing Apple devices.

The components of Apple declarative management — declarations, assets, predicates and status channels — work together to create a more efficient, scalable and responsive MDM framework. Declarations define the desired states; assets provide the necessary resources; predicates enable context-aware policy application; and status channels facilitate efficient communication.

By leveraging these components, Ivanti can offer a more reliable, real-time management experience.

The shift to declarative device management

Let's explore the technical aspects of Apple declarative device management and its benefits for MDM users.

Traditional MDM operates on a command-and-control basis, in which servers send commands to devices to perform actions such as installing apps or enforcing policies. Devices then report their status back to the server, necessitating constant communication.

This frequent check-in process is needed to ensure that devices remain compliant with the organization's policies and that changes or updates are promptly applied. Without regular check-ins, administrators would have limited visibility into a device's status, making it challenging to verify compliance, deploy updates or address security issues in real time.

Apple declarative device management utilizes a declarative format with which administrators define desired states and policies. Devices receive these declarations and autonomously enforce the desired state, reporting back to the server only when there is a change.

In this model, the device's operating system plays a critical role in making the device more autonomous. The OS continuously evaluates the current state of the device against the desired state defined by the declarations. If discrepancies are detected, the device will self-heal.

The OS independently applies the necessary changes defined in declarations and predicates to align with the specified policies. This autonomous evaluation and enforcement capability minimizes the reliance on server commands and allows for real-time adjustments, ensuring devices remain compliant even when offline or out of network range.

Key components of Apple declarative device management

Declarations

Declarations represent the desired state or configuration that an administrator wants to apply to devices. Declarations are sent to devices, which then interpret and autonomously enforce these states. The key features of declarations include:

  • Configuration definition: Administrators define configurations in a declarative format. This includes settings for Wi-Fi, VPN, device restrictions and more.
  • Autonomous enforcement: Devices interpret the declarations and apply the specified policies independently, without requiring continuous communication with the server.

Assets

In Apple Declarative Management, assets are resources used by devices to implement policies and configurations defined in declarations. These assets include certificates, data and user information.

Certificates are used for authentication, encryption and secure communication among devices and services. Administrators deploy digital certificates via declarations to enable secure access to corporate networks, email, VPNs and other resources. These certificates can be updated independently from the declarations, maintaining current security credentials without a complete policy overhaul.

Data consists of configuration files, scripts, binaries and content resources. Configuration files contain specific settings for applications or network configurations, while scripts and binaries automate tasks or add functionality. Content resources include branding materials or compliance documents. Managing data as assets allows for efficient updates and reuse across multiple declarations.

User information includes user profiles, preferences and roles within the organization. This information tailors device settings and permissions based on user roles. Dynamic data, such as location-based information or activity logs, ensures device configurations adapt to the user's current needs.

Assets are managed separately from declarations, allowing for efficient reuse and updates. When an asset is updated, all declarations referencing that asset can automatically apply the updated version.

Predicates

Predicates in Apple Declarative Management work as the conditional logic elements within declarations that define when and how specific policies should be applied to devices. Predicates are evaluated on the device itself, allowing for real-time, context-aware decision-making. They consist of logical expressions that can reference various device attributes and contextual information. When the conditions specified by a predicate are met, the corresponding policies or configurations within the declaration are enforced.

Predicates leverage the syntax and capabilities of Cocoa predicates to define the conditions under which specific policies should be applied. Cocoa predicates are expressions that evaluate to a Boolean value, enabling complex logical conditions built from attributes such as device type, OS version, network status and more.
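As an added example (not Ivanti's or Apple's code), the Python below models the server side of the declaration set described in the Declarations, Assets and Predicates sections: it builds the declaration-items manifest of identifiers and ServerTokens, and shows that updating an asset changes only that asset's token while the configuration that references it by identifier is untouched. The Apple declaration types and key names are the ones the DDM protocol uses; the content-hash token derivation, the status-item predicate string and all sample values are constructed assumptions for illustration.

```python
import copy
import hashlib
import json

def server_token(decl):
    # ServerToken is an opaque version stamp; here (assumption) it is derived from
    # the content, so any change to Type/Identifier/Payload yields a new token.
    body = {k: decl[k] for k in ("Type", "Identifier", "Payload")}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()[:16]

GROUPS = {"activation": "Activations", "configuration": "Configurations",
          "asset": "Assets", "management": "Management"}

def declaration_items(decls):
    # The declaration-items manifest lists every declaration by Identifier and
    # ServerToken; the device diffs it against what it holds before fetching anything.
    groups = {g: [] for g in GROUPS.values()}
    for d in decls:
        kind = d["Type"].split(".")[2]  # com.apple.<kind>.<name>
        groups[GROUPS[kind]].append({"Identifier": d["Identifier"],
                                     "ServerToken": server_token(d)})
    token = hashlib.sha256(json.dumps(groups, sort_keys=True).encode()).hexdigest()[:16]
    return {"Declarations": groups, "DeclarationsToken": token}

def changed_declarations(old, new):
    # Identifiers a device would re-fetch: new entries, or entries with a new ServerToken.
    def flat(m):
        return {e["Identifier"]: e["ServerToken"]
                for grp in m["Declarations"].values() for e in grp}
    o, n = flat(old), flat(new)
    return sorted(i for i, t in n.items() if o.get(i) != t)

def example_manifests():
    # Constructed declaration set: a user-identity asset, a mail configuration that
    # references it by identifier only, and an activation gated by a predicate.
    decls = [
        {"Type": "com.apple.asset.useridentity", "Identifier": "asset.user-identity",
         "Payload": {"FullName": "Jane Doe", "EmailAddress": "jane@example.com"}},
        {"Type": "com.apple.configuration.account.mail", "Identifier": "config.mail",
         "Payload": {"VisibleName": "Corp Mail",
                     "UserIdentityAssetReference": "asset.user-identity"}},
        {"Type": "com.apple.activation.simple", "Identifier": "activation.mail",
         "Payload": {"StandardConfigurations": ["config.mail"],
                     "Predicate": "@status(device.model.family) == 'iPhone'"}},
    ]
    before = declaration_items(decls)
    updated = copy.deepcopy(decls)
    updated[0]["Payload"]["EmailAddress"] = "jane.doe@example.com"  # only the asset changes
    after = declaration_items(updated)
    return before, after
```

Running `changed_declarations(*example_manifests())` returns only the asset identifier, which is the re-fetch the device performs; the configuration and activation keep their tokens.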

Status channels

Status channels are communication pathways that devices use to report their state back to the server. Unlike traditional MDM, in which devices constantly check in with the server, status channels enable asynchronous and event-driven communication. Key features of status channels include:

  • Asynchronous reporting: Devices send status updates only when there is a change in their state or when specific conditions are met.
  • Efficient communication: This reduces the need for continuous polling, minimizing network traffic and server load.
  • Real-time monitoring: Administrators receive timely updates about the compliance and state of devices, allowing for prompt action if necessary.

Status channels ensure that administrators are informed of any deviations from the desired state, enabling proactive management and quick remediation.

Apple declarative device management in Ivanti UEM solutions

Ivanti keeps its products updated with the latest enhancements in the device management industry. Both our UEM cloud and on-premises solutions support declarative management.

Declarative device management is not a full replacement of the traditional MDM protocol. Therefore, solutions will present a hybrid approach, leveraging the best of both frameworks. Ivanti customers will see progressive and seamless integration of the new capabilities in our platforms as Apple also makes improvements to the framework with every new release of its operating systems.
