Declarative Device Management and Managed OS

By Chad Satterfield

Learn how Managed OS leverages Declarative Device Management, and what changes when it is used

About Declarative Device Management

Declarative Device Management (DDM) is Apple's next-generation device management protocol. Kandji was first to market with support for actively managing supervised devices with DDM in 2022 and, since that launch, has continued to expand its use of DDM throughout the product. Learn more about DDM on the Kandji blog.

At WWDC 2023, Apple announced software update management capabilities with DDM in macOS Sonoma, iOS 17, and iPadOS 17 and later. 

As of 11/29/23, Kandji uses DDM for Managed OS for macOS Sonoma, iOS 17, and iPadOS 17 and later.

DDM and Managed OS

DDM is used to manage software updates automatically; there is no additional configuration needed in Managed OS Library Items. When DDM is used, Kandji simply applies a "declaration" to devices with the required OS version and the deadline for enforcement; from that point forward, the respective operating system handles all end-user notifications and the actual enforcement process.

Admin Experience

Library Item Configuration

Managed OS Library Items for macOS Sonoma, iOS 17, and iPadOS 17 separate the enforcement time zone option into its own section. This option now applies only to upgrades from older operating systems.

When DDM is in use, update enforcement always uses the device's local time zone. Kandji cannot change this behavior as it is set by the operating systems.

MDM Commands

Only a single MDM command for DeclarativeManagement is visible in the device's activity stream when new OS versions are released or enforcement timelines are changed. Individual AvailableOSUpdates and OSUpdateStatus commands are no longer run throughout the update lifecycle as they don't provide any information to Kandji when DDM is in use. 

Library Item Status

macOS, iOS, and iPadOS send updates proactively to Kandji about the status of OS updates. The operating systems, not Kandji, control the contents and granularity of these status updates. Kandji simply displays the updates as they are received. Kandji then maps various reported statuses to standard Library Item statuses, such as Downloading, Cached, Installing, Pass, and Error. 

User Experience

Please visit the User Experience with Managed OS for macOS and User Experience with Managed OS for iOS, iPadOS and tvOS articles for more information.

Deferrals

Users can no longer defer enforced updates past their enforcement deadline an hour at a time, as they previously could in Managed OS through the Kandji Agent, because the operating systems do not allow it. This means updates could happen during critical business tasks if users continuously ignore notifications and don't update their devices (though all notifications in the last 24 hours of enforcement ignore Do Not Disturb). Kandji cannot control this, but recommends considering this important change when setting enforcement times in Managed OS. Also consider that all updates are enforced in device local time.
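The effect of local-time enforcement on a distributed fleet, as an added example that is not Kandji's code: it reads a constructed declaration and computes the UTC instant at which each device would reach the deadline. The declaration type and payload keys follow Apple's published DDM schema rather than anything in this article; the identifier, token, dates, device names and offsets are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed declaration. Type and Payload keys follow Apple's published DDM
# schema; Identifier, ServerToken and the values are made up, not Kandji's.
SAMPLE_DECLARATION = json.dumps({
    "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
    "Identifier": "example.managed-os.enforcement",
    "ServerToken": "constructed-token",
    "Payload": {"TargetOSVersion": "14.2",
                "TargetLocalDateTime": "2024-01-15T18:00:00"},
})

# Constructed fleet: device -> UTC offset in effect on the deadline date.
# Any tzinfo works here, including zoneinfo.ZoneInfo for DST-aware zones.
SAMPLE_FLEET = {
    "mac-london": timezone(timedelta(hours=0)),
    "mac-los-angeles": timezone(timedelta(hours=-8)),
    "mac-tokyo": timezone(timedelta(hours=9)),
}

def local_deadline(declaration_json):
    """Return (target OS version, naive local deadline) from a declaration."""
    decl = json.loads(declaration_json)
    if not decl.get("Type", "").startswith(
            "com.apple.configuration.softwareupdate.enforcement"):
        raise ValueError("not a software update enforcement declaration")
    payload = decl["Payload"]
    deadline = datetime.fromisoformat(payload["TargetLocalDateTime"])
    if deadline.tzinfo is not None:
        # The deadline is wall-clock time on each device; an offset does not fit.
        raise ValueError("TargetLocalDateTime must not carry a UTC offset")
    return payload["TargetOSVersion"], deadline

def enforcement_schedule(declaration_json, fleet):
    """Map each device to the UTC instant of its local deadline, earliest first."""
    _, deadline = local_deadline(declaration_json)
    utc = {name: deadline.replace(tzinfo=tz).astimezone(timezone.utc)
           for name, tz in fleet.items()}
    return dict(sorted(utc.items(), key=lambda item: item[1]))

def enforcement_spread(schedule):
    """Time between the first and last device reaching the deadline."""
    return max(schedule.values()) - min(schedule.values())

if __name__ == "__main__":
    schedule = enforcement_schedule(SAMPLE_DECLARATION, SAMPLE_FLEET)
    for device, instant in schedule.items():
        print(f"{device:16} enforces at {instant:%Y-%m-%d %H:%M} UTC")
    print("spread across fleet:", enforcement_spread(schedule))
```

For the constructed fleet, the same declaration is enforced over a 17-hour window, starting with the Tokyo device.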

Frequently Asked Questions

Why is Kandji using DDM to manage software updates going forward?

Using DDM to manage software updates on macOS Sonoma, iOS 17, and iPadOS 17 is the most reliable way to do so. It also brings a number of benefits, such as enforcement of updates in a device's local time zone and notifications that can bypass Do Not Disturb in the last 24 hours leading up to enforcement.

How can I verify that Kandji has applied the correct declaration for Managed OS?

macOS: Open System Settings > Privacy & Security > Profiles > Double-click "MDM Profile" > Scroll down to "Device Declarations".

Once a declaration hits a device, users will be notified immediately that an update is scheduled. Depending on your configuration, this notification could happen weeks or months ahead of the enforcement date. 

iOS: Open Settings > Security & Privacy > Profiles > Configurations

Can I continue to offer the previous Managed OS experience to my users?

No. Devices running macOS Sonoma, iOS 17, and iPadOS 17 and later automatically use DDM to enforce software updates.

Is Managed OS still supported on older operating systems where DDM is not used?

Yes. Kandji supports Managed OS for all supported operating systems.

What happens if the update is already cached and I would like to change the enforcement date/time?

When an update is already cached and you want to push back the enforcement date, the enforcement date and time will be re-evaluated as soon as possible, with the next MDM check-in.

Where can I send feedback about the end-user experience when DDM is in use?

Feedback about the end-user experience when updates are managed with DDM, including the contents of notifications, their frequency, deferrals, or any other customizations, should be sent to Apple through AppleSeed for IT.

Who should I contact for help with Managed OS?

Check System Settings on macOS or Settings on iOS or iPadOS for the applied declaration. If it has the correct enforcement settings but users are not being notified properly, or updates are failing to install, please contact Apple support or send feedback to Apple through AppleSeed for IT. If devices are not receiving the correct declarations at all, or you have a general question about Managed OS, including how to configure it, please contact Kandji support.