Learn how Managed OS leverages Declarative Device Management, and what changes when it is used
About Declarative Device Management
Declarative Device Management (DDM) is Apple's next generation device management protocol. Kandji was first to market to support actively managing supervised devices with DDM in 2022, and since that launch, has continued to expand the usage of DDM throughout the product. Learn more about DDM on the Kandji blog.
At WWDC 2023, Apple announced software update management capabilities with DDM in macOS Sonoma, iOS 17, and iPadOS 17 and later.
As of 11/29, Kandji uses DDM for Managed OS for macOS Sonoma, iOS 17, and iPadOS 17 and later. The information below describes the behavior, to help organizations understand the important differences for both admins and end-users.
DDM and Managed OS
DDM is used to manage software updates automatically; there is no additional configuration needed in Managed OS Library Items. When DDM is used, Kandji simply applies a "declaration" to devices with the required OS version and the deadline for enforcement; from that point forward, the respective operating system handles all end-user notifications and the actual enforcement process.
Library Item Configuration
Managed OS Library Items for macOS Sonoma, iOS 17, and iPadOS 17 separate the enforcement time zone option into its own section. This option now applies only to upgrades from older operating systems.
When DDM is in use, update enforcement always uses the device's local time zone. Kandji cannot change this behavior as it is set by the operating systems.
Only a single MDM command for DeclarativeManagement is visible in the device's activity stream when new OS versions are released or enforcement timelines are changed. Individual AvailableOSUpdates and OSUpdateStatus commands are no longer run throughout the update lifecycle as they don't provide any information to Kandji when DDM is in use.
Library Item Status
macOS, iOS, and iPadOS send updates proactively to Kandji about the status of OS updates. The operating systems, not Kandji, control the contents and granularity of these status updates. Kandji simply displays the updates as they are received. Kandji then maps various reported statuses to standard Library Item statuses, such as Downloading, Cached, Installing, Pass, and Error.
Notifications for software updates are handled by macOS, iOS, and iPadOS and not the Kandji Agent. Users will see prompts similar to the example below instead of being notified in the Kandji Menu Bar app. Users can choose to install the update right away, schedule it for that night, or simply ignore it and install it at a later date. macOS will notify the user once per day leading up to the deadline. 24 hours before the deadline, the notification will appear hourly and ignores Do Not Disturb. In the last hour before enforcement, users are notified at 30 minutes, and then every 10 minutes. iOS and iPadOS offer similar options to the user and use a similarly increasingly aggressive notification schedule. If a device is not turned on when the enforcement deadline passes, the update is scheduled for 60 minutes after the device is powered on and realizes it is behind its scheduled enforcement. Kandji does not and cannot control the contents nor timing of these notifications as both are determined by the operating systems.
Information about an update being enforced is also visible in System Settings:
And in Settings on iOS and iPadOS:
Users cannot defer enforced updates beyond their enforcement deadline an hour at a time like they could previously in Managed OS through the Kandji Agent; this is because the operating systems do not allow it. This means updates could happen during critical business tasks if users continuously ignore notifications and don't update their devices (though all notifications in the last 24hrs of enforcement ignore Do Not Disturb). Kandji cannot control this, but does recommend considering this important change when setting enforcement times in Managed OS. Also be sure to consider that all updates are enforced in device local time.
Frequently Asked Questions
Why is Kandji using DDM to manage software updates going forward?
Using DDM to manage software updates on macOS Sonoma, iOS 17, and iPadOS 17 is the most reliable way to do so. It also brings a number of benefits like enforcement of updates in a device's local time zone, and notifications that are able to bypass Do Not Disturb in the last 24hrs leading up to enforcement.
How can I verify that Kandji has applied the correct declaration for Managed OS?
macOS: Open System Settings > Security & Privacy > Profiles > Double click on "MDM Profile" > Scroll down to "Device Declarations".
iOS: Open Settings > Security & Privacy > Profiles > Configurations
Can I continue to offer the previous Managed OS experience to my users?
No. Devices running macOS Sonoma, iOS 17, and iPadOS 17 and later automatically use DDM to enforce software updates.
Is Managed OS on older operating systems where DDM is not used still supported?
Yes. Kandji supports Managed OS for all supported operating systems.
Where can I send feedback about the end-user experience when DDM is in use?
Feedback about the end-user experience when updates are managed with DDM, including the contents of notifications, their frequency, deferrals, or any other customizations should be sent to Apple through AppleSeed for IT.
Who should I contact for help with Managed OS?
Check System Settings on macOS or Settings on iOS or iPadOS for the applied declaration. If it has the correct enforcement settings but users are not being notified properly, or updates are failing to install, please contact Apple support or send feedback to Apple through AppleSeed for IT. If devices are not receiving the correct declarations at all, or you have a general question about Managed OS, including how to configure it, please contact Kandji support.