Optimizing Apple DDM with Ivanti’s Latest Innovations
The explosion in devices—particularly Apple devices—deployed across a modern enterprise is increasing the already arduous device management burden on IT and cybersecurity teams.
According to recent research, 76% of large enterprises are using more Apple devices, and 57% of US firms say Apple adoption is outpacing other options. So, it’s become crucial for more enterprises to leverage Apple Declarative Device Management (DDM) to streamline device management, automate compliance and enhance scalability.
Apple's approach to DDM was introduced in 2021 and expanded with each OS release. It’s created a fundamental shift in device management, streamlining software updates and patching. Now, IT teams can define desired states so Apple devices can self-enforce configurations and updates locally, reducing reliance on servers and manual intervention.
Thus, updates can happen faster, errors can be minimized, and end-user experiences can be improved invisibly and proactively. Which appreciably eases IT workloads while sustaining security and operational agility.
Apple has recently updated its declarative device management to better support OS updates. Let’s explore how Ivanti's MDM and UEM products will enable admins to get the most out of Apple DDM.
What is declarative device management (DDM)?
DDM is an advanced approach to managing devices, primarily in enterprise or organizational IT environments. It empowers administrators to define a device or system's desired state and allows the system to automatically enforce and maintain that state.
The DDM model shifts away from traditional imperative management, where configurations and actions are centrally scripted and managed by IT administrators. That approach requires direct instructions to achieve the desired outcome on each device.
Key features and benefits of DDM
What are DDM’s advantages over a traditional device management model?
- Administrators can specify the desired state or behavior of a device, focusing on "what" it should look like instead of "how" to achieve that state. For example, rather than scripting individual commands for configuring security settings, an admin can simply declare the required settings and the system will enforce them.
- Devices autonomously monitor their configurations to ensure compliance with a predefined state. If a device deviates, it automatically corrects itself to restore compliance without manual intervention.
- DDM proves highly effective in large-scale settings since it minimizes the need for repetitive and manual configuration tasks.
- DDM minimizes the complexity of management workflows and ensures consistency across devices.
- DDMs employ modern management protocols for faster and more reliable updates to device configurations and policies.
- DDM is commonly implemented in cloud-based mobile device management (MDM) solutions, leveraging the cloud for synchronization, monitoring and enforcement, although it can also be implemented in on-prem solutions.
- DDM reduces manual effort by automating configuration and enforcement processes.
- Ensures consistency and compliance across devices, reducing the risk of human error.
- Dynamic updates means quicker application of policies and settings versus traditional methods.
- Changes are implemented seamlessly without disrupting the user experience.
An example DDM use case
In a hypothetical example, an IT administrator declares that all employee devices within the enterprise environment must:
- Have a specific version of the operating system.
- Enable encryption.
- Restrict access to certain applications.
Using DDM, these requirements are automatically applied, continuously enforced and remediated if there’s any deviation.
Software updates and OS patching via Apple DDM
Utilizing Apple Declarative Device Management for software updates and operating system (OS) patching seriously improves these processes, making them more proactive, efficient and seamless. It simplifies administration, cuts down on delays and guarantees a fleet of devices is always secure and up-to-date.
Software update benefits
Centralized control with distributed execution
- Administrators set configurations centrally but rely on the device's local capabilities for execution.
Proactive local enforcement
- Updates are enforced at the device level, eliminating the need for constant server intervention. Admins set a desired OS version and deadline, and the device autonomously ensures compliance.
- The device monitors itself, applying updates without the need for constant server communication.
Automation
- Admins can configure specific versions and deadlines and update schedules (e.g., after work hours), automating the process while minimizing end-user disruption.
- For example, a critical security patch can be scheduled for a particular time, ensuring all devices are updated without user intervention.
- If a device is powered off and misses the update deadline declarative management reschedules the update automatically for a later time.
User notification and experience
- Notifications begin 14 days before the deadline, reminding users to update at their convenience. On the deadline, the device automatically reboots and installs updates if necessary.
- Admins can customize these notifications or suppress early reminders (e.g., for retail or healthcare environments).
- Admins can configure the level of user interaction allowed by Apple DDM, such as permitting manual updates before the enforced deadline or limiting user deferrals.
Faster updates with reduced network dependency
- Unlike traditional MDM, where the server continuously checks device status, DDM reduces latency by shifting the compliance mechanism to the endpoint.
Enhanced status reporting
- Devices proactively report the status of updates to the server including whether an update is in progress, completed successfully or failed. In case of failure, detailed error logs are available.
OS patching benefits
Predicates for context-aware updates
- DDM allows conditional rules (predicates) for updates, such as only applying a patch when a device is charging or has a battery above 80%.
- These conditions are evaluated locally on the device, making updates context-sensitive and efficient.
Seamless transition to new OS versions
- DDM automatically manages the transition to new OS releases or security patches without requiring manual admin oversight at each step.
Local action without internet
- Devices can enforce configurations and patches even when offline, applying updates based on preloaded criteria and activating changes when conditions permit (e.g., when connected to power or during off-hours).
Another practical use case
In an organization with 1,000+ iPhones and MacBooks, a zero-day vulnerability requires immediate patching. The solution?
- The admin declares a patch deadline and target version using Apple DDM.
- Devices enforce the update based on local predicates, ensuring the patch is applied under optimal conditions (e.g., during low battery drain times).
- Users receive notifications prior to the update so they’re informed without interrupting workflows.
Ivanti’s declarative management support
Ivanti’s declarative management support builds on Apple’s Declarative Device Management (DDM) framework to offer a seamless, proactive and efficient approach to managing Apple devices. What are some of its key components?
Integration with Apple’s DDM framework
Ivanti utilizes Apple’s DDM as an enhancement to the existing Mobile Device Management (MDM) protocol – not a complete replacement but an additional layer designed to:
- Automate device responses: Allow devices to enforce configurations and policies locally, reducing reliance on the server for continuous checks.
- Enable real-time proactivity: Devices can autonomously apply updates or configurations when predefined conditions (predicates) are met.
Software update enforcement
Ivanti's platform supports Apple’s declarative software update management, which introduces:
- Enforcement settings: Administrators can specify OS versions, deadlines and update schedules.
- Proactive local actions: Devices monitor themselves and apply updates without requiring manual input or waiting for server-side triggers.
- Improved communication: Devices report their update progress, success or failure directly to the Ivanti management server, providing admins with real-time visibility.
Predicate management
A standout feature of Ivanti’s support is its handling of predicates – logical conditions that devices evaluate before applying configurations or updates. For example:
- A policy applies only if the device’s battery is above 80%.
- A configuration activates when the device is charging.
Simplified predicate management in Ivanti’s console
- Ivanti provides a dedicated interface for creating, managing and reusing predicates across configurations.
- These predicates can be easily applied to declarative configurations, streamlining complex workflows.
User experience and notifications
Ivanti enhances the user experience by leveraging Apple’s notification capabilities:
- Notifications can start 14 days before the update deadline, with options to tailor their frequency and content.
- Critical updates can override user deferrals by enforcing reboots and updates at the scheduled deadline.
Past-due handling
- If a device misses the deadline (e.g., turned off), Ivanti reschedules updates automatically ensuring compliance.
Supported configurations
- Ivanti ensures backward compatibility and a smooth transition to declarative management by supporting both legacy MDM and newer DDM configurations.
- Existing policies and workflows continue without disruption.
- Declarative configurations (e.g., predicates and local enforcement) are gradually integrated and highlighted within the platform.
Related: Watch the webinar Mastering Apple Device Management with Ivanti
Ivanti’s guidance for updating and patching Apple devices with declarative device management
Ivanti’s approach to supporting Apple DDM leverages the proactive capabilities of Apple's declarative management framework, combining it with a user-friendly interface, automation and support for complex enterprise workflows. This comprehensive guidance enhances enterprise device management efficiency and security.
Enforcing updates and patches
- Automated scheduling lets admins enforce updates by specifying the target OS version along with a specific date and time for the update to occur. This eliminates the need for manual updates and ensures compliance with organizational policies.
- Devices enforce update enforcement locally, applying updates based on preconfigured conditions without relying on continuous server communication.
Managing user notifications
- Notifications are sent to end users starting 14 days before the update deadline, providing transparency and encouraging users to update at their convenience.
- For specific use cases such as retail or healthcare, flexible notification configurations let admins suppress early notifications and opt for last-minute alerts to minimize disruption.
Improving compliance and visibility
- Devices proactively report their update status to the Ivanti server, reporting whether updates are in progress, completed successfully or failed. Administrators also gain access to detailed error logs to troubleshoot issues.
- If a device misses the deadline (e.g., if it is powered off), the device automatically reschedules the update for the next available hour.
Using predicates for conditional updates
- Administrators can define predicate logic for when updates should be applied.
- Since conditions are evaluated locally, updates can happen even when the device is offline.
- Ivanti provides tools for creating, managing and reusing predicates across configurations, making conditional updates simpler and easier to implement.
Enhancing user experience
- End users get clear communication about the update schedule, including the enforced deadline. They have the option to install updates manually before the deadline to avoid automatic enforcement.
- Updates can be scheduled during off-hours to minimize disruption of the user's daily activities.
Streamlining patch management
- Ivanti supports declarative patch management -Apple system updates.
- Administrators can enforce updates, including critical security patches, ensuring devices remain secure and compliant.
Related: Read our Knowledge Base article on How to enforce Apple Software Updates with Neurons for MDM and EPMM
A standout approach to supporting Apple DDM
Ivanti's approach to Apple Declarative Device Management stands out because it extends an organization’s automation, local enforcement and proactive capabilities.
Administrators benefit from user-friendly tools, customizable notifications and detailed status reporting, while end-user disruption is minimized through scheduled updates and seamless workflows. With Ivanti, Apple DDM becomes even more efficient, secure and scalable for the organizations that rely on it.
Related: A Guide to Apple Declarative Device Management for Enterprises