How Apple is changing MDM in iOS 15


One of the largest enterprise additions to iOS 15 and iPadOS 15 is a big change to Apple's MDM (mobile device management) protocol. Earlier MDM changes mostly focused on adding new management, security, or deployment features, extending what MDM could enforce. Declarative management, introduced at the company's developer conference in June, is the first change that modifies the protocol itself.

While declarative management will make its debut with iOS 15 and iPadOS 15, Apple said it will also be supported in macOS Monterey, though not right away.

Apple MDM today

Before we get to what declarative management is, let's take a quick recap of Apple's MDM protocol as it has previously been implemented.

Apple MDM encompasses a handful of different components: configuration and provisioning profiles, the MDM service, and various MDM commands.

Configuration profiles are strings of XML data formatted as .plist files. They actually predate Apple MDM and were first introduced in iPhone OS 2 alongside support for Exchange. These files can configure or restrict much of the iOS experience. They can also be used to preconfigure enterprise app settings if needed. The contents of a profile are often referred to as a payload.

Provisioning profiles do exactly what the name implies: they provision the various certificates and other security elements that managed devices need in order to connect to the servers/services used to access enterprise resources.

An MDM server/service is the glue that ties together the various devices in an enterprise and assigns profiles to them. MDM is also used to query devices for their current state and to send MDM commands such as requiring a new password, wiping corporate data from a lost device, or clearing a passcode when the user has forgotten it.

Polling devices for their status is one of the big things that makes MDM work. MDM servers can query devices on an automated basis or on demand. This polling, which can query for almost every piece of device configuration and then send updates to devices to bring them into compliance, requires a lot of bandwidth for both the device and the server/services. One of the goals of declarative management is to eliminate this back-and-forth approach.

The result can be a reduction in server load and in bandwidth for the device (and the network it's connected to). It also affects things like bandwidth available to apps and overall battery life.

So what is declarative management? And why should I care?

Declarative management pushes much of the determination about compliance (and, to some extent, remediation of non-compliance) to the device. This offloads work from the MDM server/service.

Instead of relying on server polling to obtain the current device status, devices are now able to monitor their own state and proactively communicate it to the server/service as needed. They can also evaluate changes to their state and take appropriate actions, even when a device is offline and can't connect to the management services or to the internet at all.

Goodbye plists, hello JSON

One difference between traditional MDM and declarative MDM is how data is communicated and interpreted. Up until now, configuration profiles have existed as .plist text files. Declarative management drops that approach in favor of JSON objects.

While this is a change, most of the data carried in those XML strings is essentially the same despite the difference in file type. I expect that MDM vendors will make this transition completely invisible to the admin.

Declarations in four types

Under the new system, declarations comprise four types of directives to managed devices: configurations, assets, activations, and management.

Configuration: This type of declaration aligns closely with configuration profiles in traditional MDM. These declarations specify the various settings, restrictions, and other kinds of management supported by Apple devices.

Asset: This type of declaration provides supporting information to devices. This includes things like user account information, security certificates, and MDM-related service URLs. To some extent, assets function like provisioning profiles in traditional MDM (which are often used to deploy certificates).

One major advantage of assets: instead of installing multiple certificates (or multiple instances of the same certificate), a single asset declaration can be referenced by multiple configurations. This should give IT departments a way to streamline certificate management; in particular, it should help when deploying updated certificates, since fewer certificates will need to be deployed.

Activation: Activations are essentially rules (known as predicates) that determine when specific configurations or actions should take effect. Because declarations are processed on-device, a device notices when its state has changed. It then determines whether the change has produced a state that meets the requirements of an activation (or no longer meets them) and proactively applies that activation and its related configuration data in real time.

One of the advantages of activations is that it's possible to push configuration data to a large swath of devices even if some of it won't apply to all of them at the time of deployment. Activations allow those configurations to sit on the device, inactive, until a change in device state matches an activation and triggers the related configuration.

Management: Management declarations are used to send relatively static information to devices. This includes the capabilities of the MDM server or service. This information lets the device know which MDM and declarative management capabilities are available. It will likely become more important going forward as Apple rolls out more declarative capabilities and extends them to devices other than iPhones and iPads.


Alongside declarations, there is a status channel that MDM uses to ensure the server is aware of the device state. Since declarations apply changes to the device state independently, it's critical that there be a way for a device to report its new state to the MDM server or service. This replaces traditional MDM's need to poll devices periodically for their state and ensures that device state data is kept up to date in real time.

The benefits of this are huge, because it frees up much of the server and network load required to constantly poll all the devices in an organization. It also has the potential to increase devices' battery life, since the amount of data reported is minimized and data is sent only when the device state changes. And, as I noted, it has the potential to identify problems sooner, such as a device that is out of compliance or experiencing unusual (and possibly suspicious) activity, because the information is sent immediately as changes are made.
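As an added illustration (not code from the article, Apple, or any MDM vendor), the following Python model shows the on-device behaviour described in the declaration types above and in this section: an activation's predicate is evaluated against the device's status items, the configurations it lists are active only while the predicate holds, and the status channel reports just the items that changed rather than answering a full poll. The declaration envelope (Type/Identifier/ServerToken/Payload), the `com.apple.activation.simple` type and its `StandardConfigurations` and `Predicate` keys follow my reading of Apple's published schema and are assumptions here; the payload keys, identifiers and sample values are constructed.

```python
import json
import re
# Constructed sample declarations (not from the article). Envelope and activation keys
# follow my reading of Apple's published schema; payload keys/values are placeholders.
DECLARATIONS = json.loads("""[
 {"Type": "com.apple.asset.credential.certificate", "Identifier": "asset.corp-ca",
  "ServerToken": "a1", "Payload": {"PlaceholderReference": "https://mdm.example.invalid/ca.pem"}},
 {"Type": "com.apple.configuration.passcode.settings", "Identifier": "cfg.passcode",
  "ServerToken": "c1", "Payload": {"MinimumLength": 6}},
 {"Type": "com.apple.configuration.account.caldav", "Identifier": "cfg.caldav",
  "ServerToken": "c2", "Payload": {"PlaceholderAssetReference": "asset.corp-ca"}},
 {"Type": "com.apple.activation.simple", "Identifier": "act.iphone15", "ServerToken": "x1",
  "Payload": {"StandardConfigurations": ["cfg.passcode", "cfg.caldav"],
   "Predicate": "@status(device.model.family) == 'iPhone' AND @status(device.operating-system.version) == '15.0'"}}
]""")

_CLAUSE = re.compile(r"^@status\(([\w.-]+)\)\s*(==|!=)\s*'([^']*)'$")

def evaluate_predicate(predicate, status):
    # Grammar: clause (AND clause)* (OR ...)*, clause = @status(key) ==|!= 'value'.
    # No eval(): anything outside the grammar raises, so the activation fails closed.
    for disjunct in predicate.split(" OR "):
        holds = True
        for clause in disjunct.split(" AND "):
            m = _CLAUSE.match(clause.strip())
            if not m:
                raise ValueError(f"unsupported predicate clause: {clause!r}")
            key, op, value = m.groups()
            actual = str(status.get(key, ""))
            holds &= (actual == value) if op == "==" else (actual != value)
        if holds:
            return True
    return False

def active_configurations(declarations, status):
    # On-device evaluation: a configuration is applied only while some activation
    # listing it has a predicate that currently holds (or has no predicate at all).
    known = {d["Identifier"] for d in declarations if d["Type"].startswith("com.apple.configuration.")}
    active = set()
    for d in declarations:
        if d["Type"] != "com.apple.activation.simple":
            continue
        pred = d["Payload"].get("Predicate")
        if pred is None or evaluate_predicate(pred, status):
            active.update(c for c in d["Payload"]["StandardConfigurations"] if c in known)
    return active

def status_delta(previous, current):
    # Status channel: report only the items whose value changed, not the full state.
    return {k: v for k, v in current.items() if previous.get(k) != v}
```

The same declarations pushed to an iPad stay on the device but inactive, which is the "deploy broadly, activate selectively" property the activation section describes.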


Extensibility refers to the ability of devices and MDM servers/services to report to each other which capabilities are available. This can in turn trigger actions, deploy payloads, and enable new capabilities, and all of it can happen immediately.

For more information, you can view the declarative management deep dive from WWDC.

Moving from traditional MDM to declarative management

The biggest question for IT around declarative management is when (and how) this transition will occur. The good news is that it really is up to each organization whether and when to adopt declarative management. Apple seems to be planning a soft rollout: at first it will only be available to iOS 15 and iPadOS 15 devices under user enrollment (typically preferred for BYOD), and most declarations will not be available initially. As of this writing, for example, only account and passcode configurations are planned to be part of the iOS 15 rollout. Support for macOS Monterey is planned for some time in the future.

It's also important to realize that, for the moment, declarative management is optional. Eventually, I expect we'll see traditional MDM deprecated, but I suspect that is a ways off in the future. Until then, traditional MDM will be supported alongside declarative management. This should be a relief for most IT departments.

This is a good time to start thinking about how your current MDM platform and your existing policy and profile portfolio will be able to take advantage of declarative management, and where you'll be able to streamline management using declarations in the future.

This will also be a good time to check in with your current MDM vendor to see what their plan is for supporting declarative management and how they expect it to change the various workflows in their products. Going even further, this could be an ideal time to look at other enterprise mobility vendors (see "With EMM, should you go full stack or best of breed?") to see what their plans are and to reassess whether you want to continue with your current provider.

Ultimately, declarative management is going to bring a lot of benefits and make Apple device management a much simpler and less network-intensive process. There will be a learning curve and some trial and error, for customers, vendors, and Apple alike, but the path looks extremely promising and even exciting.

Copyright © 2021 IDG Communications, Inc.