Jack-Daniyel "JD" Strong

Author: JD Strong

  • Unlocking Declarative Device Management

    Unlocking Declarative Device Management

    Declarative Device Management (DDM) represents a significant leap forward in Apple device management. By enabling devices to enforce configurations autonomously and report their compliance dynamically, DDM eliminates many of the challenges that plague legacy profiles. However, with only ~20% of MDM configurations currently available as DDM profiles, early adoption and feedback are critical to shaping its future. This is a continuation of my exploration of DDM. We will look at the available DDM profiles, how to create, deploy, and verify DDM profiles.

    Addressing the Challenges with Legacy Profiles

    While legacy profiles remain functional in many scenarios, they often fail to reliably enforce critical configurations, such as passcode policies. For example, a legacy passcode policy delivered via .mobileconfig may prompt users to update their passcode but allows them to dismiss the request, leaving devices non-compliant. And, lack of enforcement for software updates is part of the reason tools like Nudge exist—to provide additional pressure for users to install software updates and comply with policies. This inconsistency stems from how macOS processes legacy profiles, not the fault of MDM vendors.

    DDM resolves these issues by enforcing policies at the system level, ensuring compliance without relying on repeated server-side pushes. For a concrete example, see how DDM handles Passcode Policies in the next section.

    Why DDM Matters

    Despite potential limitations, DDM represents the future of Apple device management. It introduces self-enforcing profiles that allow devices to autonomously enforce configurations without constant oversight from MDM servers. It’s a game-changer, but to fully realize its potential, Mac Admins need to understand what is available in DDM profiles, how to create, deploy, and verify DDM profiles in their environments. Finally, we need to ask our MDM providers to fully implement all available keys for profiles, lower the guardrails or provide a way to ship our own JSON.

    Let’s prepare for the future of device management. Let’s dive in.

    The Building Blocks of DDM: Configuration Profiles

    At the heart of Declarative Device Management (DDM) are configuration profiles—the building blocks that describe the desired state of a device. Unlike legacy .mobileconfig profiles, which are written in XML plist format, DDM profiles use the JSON format. This shift to JSON aligns with modern data standards, making DDM profiles more versatile and easier to integrate into existing workflows.

    Key Differences Between Legacy and DDM Profiles

    Legacy profiles follow a static model: they define settings and rely on the MDM server to enforce those settings on devices. If something changes, the server needs to push the updated configuration again. DDM profiles, on the other hand, take a declarative approach:

    • Self-Enforcing: Devices enforce their own configurations locally, reducing reliance on the server and network availability.
    • Dynamic Updates: DDM profiles allow devices to dynamically adjust to changes and report their compliance status back to the server.
    • Lightweight JSON Format: While legacy profiles are written in XML, DDM profiles use JSON, making them more compact and modern.

    For developers and admins, Apple provides several helpful resources to explore these profiles:

    Passcode Policies: Legacy vs. DDM

    Passcode policies provide a great example of the difference between legacy and Declarative Device Management (DDM) profiles.

    Legacy Passcode Profiles

    In the legacy model, passcode enforcement relies on the MDM server to push settings to devices via .mobileconfig files. However, enforcement is inconsistent—users can simply dismiss passcode prompts, leaving devices non-compliant. This limitation stems from how macOS processes legacy profiles, not from MDM vendors.

    DDM Passcode Profiles

    With DDM, passcode settings are enforced at the system level, ensuring compliance. Devices autonomously apply the required configurations and report their status back to the MDM. Key settings in DDM include:

    • RequirePasscode: Requires users to set up a passcode on their device.
    • RequireComplexPasscode: Enforces complex passcodes that avoid repetitive or sequential characters (e.g., “123” or “ABC”) and require at least one non-alphanumeric character.
    • MinimumLength: Specifies the minimum number of characters in the passcode.
    • MaximumFailedAttempts: Limits the number of failed login attempts before the device locks.
    • MaximumGracePeriodInMinutes: Controls how long users can wait before the device locks after waking.
    • MaximumInactivityInMinutes: Locks the device after a period of inactivity.

    For example, enabling RequireComplexPasscode eliminates the need for admins to define complex regular expressions for passcode validation. This built-in enforcement saves time and ensures compliance across devices.

    Here’s a sample JSON configuration for a DDM passcode policy with common settings:

    {
   "Type": "com.apple.configuration.passcode.settings",
   "Identifier": "com.example.config.passcode.settings",
   "Payload": {
      "RequireComplexPasscode": true,
      "MinimumLength": 10,
      "MinimumComplexCharacters": 1,
      "MaximumFailedAttempts": 11,
      "MaximumGracePeriodInMinutes": 1,
      "MaximumInactivityInMinutes": 15
   }
}

    Once deployed, this configuration ensures that users must comply with the passcode policy during login or when creating or updating their password. For example, Apple’s Passcode Declarative Configuration specifies that users have 60 minutes to set a passcode before being forced to comply.

    Settings like RequireComplexPasscode help enforce stricter security policies directly within macOS, iOS, and iPadOS, reducing the need for third-party solutions. However, full implementation of these keys depends on your MDM provider. If certain keys are missing, reach out to your provider to advocate for full DDM support.

    By leveraging DDM for passcode policies, admins can eliminate the gaps in enforcement common with legacy profiles, ensuring greater consistency and security across their managed devices.

    Available Profiles in DDM

    Apple’s declaration reference documentation and GitHub repo outline the available configuration profiles for DDM. These profiles are organized into logical categories, making it easier for admins to identify and implement the ones they need.

    Account Configurations

    Manage user accounts for email, calendar, contacts, and more: AccountCalDAV, AccountCardDAV, AccountExchange, AccountGoogle, AccountLDAP, AccountMail, AccountSubscribedCalendar.
    Example: Automatically set up corporate Exchange accounts or Google accounts for secure and seamless employee access to email and calendars.

    Settings Configurations

    Define system behaviors and settings: AppManaged, DiskManagementSettings, MathSettings, PasscodeSettings, SafariExtensionSettings, ScreenSharingConnection, SoftwareUpdateSettings.
    Example: Enforce passcode complexity requirements or configure software updates to ensure device compliance with organizational policies.

    Credential Configurations

    Manage identities, certificates, and authentication: AssetCredentialACME, AssetCredentialCertificate, AssetCredentialIdentity, AssetCredentialSCEP, AssetCredentialUserNameAndPassword.
    Example: Dynamically issue SCEP certificates for secure Wi-Fi or VPN access without manual intervention.

    Security Configurations

    Enhance device security and protect user data: SecurityCertificate, SecurityIdentity, SecurityPasskeyAttestation, ManagementStatusSubscriptions.
    Example: Deploy certificates for encrypted email or enable WebAuthn enterprise attestation for secure authentication.

    Service Configurations

    Manage background services and configuration files: ServicesBackgroundTasks, ServicesConfigurationFiles.
    Example: Optimize app updates or manage custom enterprise application configurations.

    Activation and Deployment Configurations

    Streamline activation and deployment workflows: ActivationSimple.
    Example: Bundle multiple configurations like passcodes, software updates, and account setups for efficient deployment to new devices.

    Test and Legacy Configurations

    Test DDM functionality or use legacy configurations temporarily: ManagementTest, LegacyProfile.
    Example: Validate DDM profiles before rolling out or rely on legacy profiles during the transition to DDM.

    Assets and User Credentials

    Manage reusable assets and credentials: AssetData, AssetUserIdentity, UserNameAndPasswordCredential.
    Example: Distribute username/password credentials for VPNs securely while reducing the need for manual user input.

    Why DDM Profiles Matter

    DDM profiles offer Mac Admins a new level of flexibility and reliability, improving compliance, security, and automation. Each profile serves as a building block for tailoring devices to meet organizational needs. As Apple continues expanding the number of supported configurations, the potential for declarative management will only grow.

    Creating DDM Configuration Profiles

    Creating Declarative Device Management (DDM) configuration profiles involves working directly with JSON files generated from YAML declarations. Unlike legacy profiles, where tools like Configurator2 or iMazing Profile Editor allowed Mac Admins to create profiles via user-friendly interfaces, there currently isn’t an equivalent for DDM. However, with the right tools and resources, building DDM profiles is still manageable.

    Generating DDM Profiles: Tools and Workflow

    To generate DDM configuration profiles, we rely on YAML declarations, which Apple provides in their GitHub repository. These YAML files specify the settings available for different types of configurations, such as passcodes, software updates, and VPN requirements. The YAML can then be converted into JSON, the format required by DDM.

    Here’s an example workflow for creating DDM profiles:

    1. Start with YAML Declarations

      • Visit the Apple GitHub repository to find the YAML for the configuration you want to create.
      • For example, the YAML declaration for passcode settings can be found here.

    2. Convert YAML to JSON

      • Use a tool like Jesse Peterson’s ideclr.py to get you started with a JSON payload.
      • For now, we have to manually translate the YAML into JSON if you are familiar with the structure.

    For example, the passcode YAML generates the following JSON with all of the available keys:

    {
   "Type": "com.apple.configuration.passcode.settings",
   "Identifier": "com.example.config.passcode.settings",
   "Payload": {
      "RequirePasscode": false,
      "RequireAlphanumericPasscode": false,
      "RequireComplexPasscode": false,
      "MinimumLength": 0,
      "MinimumComplexCharacters": 0,
      "MaximumFailedAttempts": 11,
      "FailedAttemptsResetInMinutes": null,
      "MaximumGracePeriodInMinutes": null,
      "MaximumInactivityInMinutes": null,
      "MaximumPasscodeAgeInDays": null,
      "PasscodeReuseLimit": null,
      "ChangeAtNextAuth": false,
      "CustomRegex": {
         "Regex": null,
         "Description": {
            "default": null
         }
      }
   }
}

    1. Edit and Customize the JSON

      • Once the JSON is generated, modify it to suit your specific needs. For example:

        • Set "RequirePasscode" to true to enforce passcodes.
        • Adjust "MinimumLength" and "MaximumFailedAttempts" to comply with organizational policies.

      • Save the file with a meaningful name, such as passcode.settings.json, for easy identification.

    2. Test with an Open-Source Example

    With your configuration profiles created, the next step is to deploy them effectively to your fleet of devices. In the next section, we’ll cover deployment strategies, common challenges, and how to verify that your profiles are working as intended.

    Deploying and Implementing DDM Profiles

    Once you’ve created your Declarative Device Management (DDM) profiles, the next step is deploying them to your devices. While the process shares similarities with legacy profiles, DDM introduces new tools and techniques that require admins to adapt. This section covers deployment strategies, verification methods, and tools to ensure your configurations are applied and working as intended.

    Deploying DDM Profiles Using Your MDM Provider

    Most Mac Admins rely on an MDM provider to manage their fleet of devices, and many providers now support custom JSON profiles. Here’s how you can deploy DDM profiles through your MDM:

    1. Upload the Profile
      Log into your MDM provider’s portal, navigate to the section for custom configuration profiles, and upload your JSON file (e.g., passcode.settings.json).
    2. Assign Devices
      Assign the profile to a test group of devices to verify its behavior before rolling it out fleet-wide.
    3. Monitor Deployment
      Use your MDM’s dashboard to track profile delivery and ensure that the configurations have been pushed to the assigned devices.

    Check your MDM provider’s documentation to confirm the extent of their DDM support. Some providers may not fully support all DDM keys or features, so it’s important to verify what’s available.

    Alternative Deployment Tools

    If your MDM provider doesn’t yet fully support DDM or you want greater control over deployment, there are several open-source tools you can use to manage DDM profiles.

    KMFDDM

    KMFDDM is an open-source framework for deploying and managing DDM profiles. It’s a lightweight and flexible alternative for admins looking to test or implement DDM without relying on an MDM provider. Use the KMFDDM Quickstar.to get started.

    Fleet Device Management

    Fleet is a scalable fleet management system that integrates with tools like osquery for compliance monitoring. For admins considering Fleet, there’s a docker setup available to simplify the deployment process.

    Zentral

    Zentral is another open-source solution that combines device management tools like osquery and Santa for comprehensive security and compliance monitoring. Zentral’s quickstart guide makes setup straightforward.

    Verifying Deployment

    Verification is a critical step to ensure that DDM profiles have been successfully deployed and are working as expected. Unlike legacy profiles, which could be manually installed and easily viewed in System Settings, DDM profiles often require programmatic verification. Here’s how you can confirm deployment and compliance:

    Where to Check Configurations on Devices

    1. System Settings:

      • Like legacy profiles, DDM profiles may appear in System Settings under General > Device Management.
      • Passcode policies are enforced when users create or update their password.
      • Software update settings appear in General > Software Update, including the DetailsURL for additional instructions.

    2. Programmatic Verification:
      Use tools like mdmclient or osquery to inspect installed profiles and verify compliance programmatically.

    Using Tools to Verify Deployment

    mdmclient Commands

    The mdmclient utility is part of Apple’s Managed Client (MCX) framework and allows you to query device status and configurations. Here are some useful commands:

    Query Device Information:
    /usr/libexec/mdmclient QueryDeviceInformation

    • Retrieves general device information, including enrollment details.

    Check Available OS Updates:
    /usr/libexec/mdmclient AvailableOSUpdates

    • Lists available OS updates based on your DDM configuration.

    Inspect Installed Profiles:
    /usr/libexec/mdmclient QueryInstalledProfiles

    • Lists all installed profiles, including DDM profiles.

    Dump Management Status:
    /usr/libexec/mdmclient dumpManagementStatus

    • Provides a detailed overview of the device’s management state.

    Using osquery

    osquery is an open-source tool that lets you query device configurations with -like syntax. It’s particularly useful for auditing compliance across your fleet.

    Check Passcode Policies:

    SELECT * FROM managed_policies WHERE name = "Passcode";

    Inspect Software Update Settings:

    SELECT * FROM software_update;

    Combine osquery with tools like Zentral or Fleet for ongoing compliance monitoring and reporting.

    Best Practices for Deployment and Verification

    To ensure successful deployment and compliance, follow these best practices:

    1. Start with Test Devices:
      Always test DDM profiles on a small group of devices to validate their behavior before rolling them out fleet-wide.
    2. Monitor Compliance:
      Use your MDM provider’s dashboard, mdmclient, or osquery to monitor compliance and troubleshoot issues.
    3. Communicate with Users:
      Inform users about new policies and configurations, especially if they introduce restrictions (e.g., stricter passcode requirements or forced updates).
    4. Advocate for Full DDM Support:
      Work with your MDM provider to ensure they support all DDM keys and configurations. Provide feedback about missing features or guardrails that limit your ability to customize profiles.

    With your DDM profiles successfully deployed and verified, you’re well on your way to leveraging declarative management to its fullest potential. In the next section, we’ll explore advanced use cases, including integrating DDM profiles with security frameworks and automating compliance reporting.

    DDM is the future of Apple device management, offering Mac Admins more robust and reliable tools for ensuring compliance and security. As Apple expands DDM’s capabilities and MDM providers adopt full support, the flexibility and reliability of declarative management will only improve. By embracing DDM now, Mac Admins can help shape its development and prepare their organizations for the next generation of device management.. Start by exploring available profiles, testing them on your devices, and working with your MDM provider to implement missing features. Let’s work together to build a better future for device management.

  • Declarative Device Management

    Declarative Device Management

    For Mac Admins navigating the future of device management, understanding declarative device management (DDM) and Apple’s evolving approach is critical. In announcing DDM and releasing some details, Apple was looking for the MDM (Mobile Device Management) providers out there to start exploring this way of managing devices, and looking for feedback. From what I’ve seen, DDM is only lightly being implemented with heavy guardrails, and some MDM providers are just sticking with Legacy Profiles despite clear signs that this is no longer the way.

    I am down the rabbit hole of DDM, and Apple’s implementation of this new method of managing devices. Join me on the journey.

    Legacy Profiles: Why They’re Fading Out

    Apple has a way with words. When they’re ready to retire a technology, they mark it as “Legacy.” As a former Apple Authorized Service Provider, I’ve seen this happen over and over: when models of iMacs, MacBooks, or even iPods reached “Legacy” status, parts were sometimes available, but official support was done. Now, Apple has granted that same “Legacy” label to plist-based .mobileconfig profiles (configuration files in Apple’s property list format)—the traditional method for configuring devices through an MDM.

    Many MDM providers still rely on these legacy profiles, offering user-friendly interfaces to configure them without needing direct plist editing. Some may rely on Configurator 2 or iMazing Profile Editor. But the writing’s on the wall: legacy profiles aren’t future-proof. As of macOS 15.1 Sequoia, legacy profiles still function—for now. But Apple is actively phasing them out, and certain settings, like passcode policies, already fail to enforce correctly.

    Also at issue with legacy profiles is the nature of delivering the profiles. As Mac Admins, we like to joke that MDM profiles are like UDP packets. We use a network term to illustrate how MDM profiles are delivered: in this case, like UDP packets. In a TCP/IP-based network, UDP packets are sent blindly, never asking for a receipt for delivery (to save time, and because it doesn’t matter if that packet made it). Whereas TCP packets have a return receipt to confirm that the packet of data arrived at its intended destination.

    One way of verifying profiles were delivered and settings were enforced was to use osquery to verify the current state of the device.

    What is DDM?

    Declarative device management is more than just a TCP implementation of profile delivery. DDM describes to the device how it should be configured, and the device enforces that configuration. Additionally, the device will call back to the MDM server to provide a status update.

    But, DDM is much more than a handful of configuration settings. DDM allows for describing the state a Mac Admin desires the device to be in before, say connecting to the corporate network using a VPN. Maybe you require that FileVault full disk encryption is enabled, and the firewall enabled before a device connects to the VPN. The idea is that we can declare the desired state of the device, and the device enforces that state locally.

    What most Mac Admins have experienced with DDM is managing software updates. Apple to an extent Sherlocked the open-source Nudge project that admins have used for years to enforce software updates. And, it’s pretty cool. Mac Admins can declare a minimum version and a specific date and time to install it on a device. Admins can add links to corporate websites for policy, and we can even push specific builds in the declaration. From what I have seen, not one MDM provider has implemented this well, but we will get into more of that later.

    What’s not been made clear until recently is how the cadence of software updates works with DDM. What I have also discovered is that once you choose DDM, the legacy profiles and legacy MDM commands no longer work. You cannot unring the bell, so to speak. MDM providers don’t understand this, and all are slow on the uptake of these new methods.

    In short, DDM improves reliability, reduces network dependency, and ensures devices can enforce configurations locally—resulting in a more consistent experience for users and administrators alike.

    The DDM paradigm shift.

    With DDM, devices gain autonomy. Instead of triggering actions like the InstallASAP command, the MDM simply declares the desired state, and the device enforces it independently. And, if a device somehow falls out of the desired state, it will work to get to the desired state. That could be in the form of prompting the user to run an update, or forcing a new password before unlocking the device.

    One capability still missing from MDM providers is status listeners for status subscriptions. Listeners are feedback from the device to the MDM provider that the profile is in place and the device is compliant. Think of this as an osquery-level investigation of device state, reported to the MDM provider, and not reliant on a third-party to investigate. We see status items of passcode.is-compliant, passcode.is-present , softwareupdate.beta-enrollment, and softwareupdate.pending-version for configurations.

    Preparing for the Shift to DDM

    As Apple moves away from legacy profiles, the case for adopting Declarative Device Management becomes stronger. DDM represents a fundamental shift in how we approach device management, giving more autonomy to devices and allowing Mac Admins to focus on defining the desired state rather than micromanaging each change. While DDM adoption is still evolving, it’s clear that this is the direction Apple is heading.

    In my next post, I’ll dive deeper into the hands-on side of DDM. We’ll explore the available configuration profiles, walk through the process of creating and implementing them, and look at effective ways to verify that settings are applied correctly. If you’re ready to get started with DDM and see it in action, stay tuned—it’s time to unlock the full potential of declarative management.

  • iPhone LinkedIn QR code

    iPhone LinkedIn QR code

    Ready access to LinkedIn, really?

    According to LinkedIn,

    The LinkedIn QR code makes it easy to meet someone offline, and stay in touch with them on LinkedIn. This feature provides a simple and efficient way to find LinkedIn members, and then connect with them by quickly scanning a QR code.

    We’re focussed on LinkedIn, but really this could be any QR code: Snapchat, Mastodon, Threads, Instagram… I’m not judging. LinkedIn has become our online resume, but also a professional connection platform. Personally, if I need to reach out to a Mac Admin, I’ll go to the Mac Admins Slack, but I have other connections from past consulting clients to friends and colleagues I have met along the way.

    A shortcut to QR codes

    To set up your LinkedIn QR code for easy access, we’ll start by saving it to a dedicated photo album. This makes it easier for the shortcut to locate the image later. As of the writing of this article, getting to your LinkedIn QR codes is the following 5 steps:

    1. Open the LinkedIn app on your mobile device.
    2. Tap the  QR code in the Search bar at the top of your LinkedIn homepage.
    3. Tap the My code tab to find your QR code.
    4. You can tap:
      1. Share my code to share your QR code via message, email or other third-party apps.
      2. Save to photos to save a copy of your QR code to your mobile device’s photo gallery.
    5. Tap an option from the dropdown that appears, and follow the prompts.

    For our purpose here, Save a copy of your QR code to your photo gallery, and choose the Save code only option.

    Save a copy of your QR code to your photo gallery, and choose the Save code only option.

    The goal in this step is to create a Photo Album with a single photo. That single photo being your QR code.

    1. Open up the Photos app, scroll down to Albums, and tap into Albums.
    2. Tap Create in the upper right, and select New Album.
    3. Give the album a name like “LI QR”.
    4. Click Add Photos and find your QR code.
    5. Click Create.
    6. Alternatively, find the QR code you saved to Photos, and tap into the photo. Tap the … in the upper right corner, and select Add to Album. Select the “LI QR” album.
    7. Another option would be to tap the + when viewing a the QR code image and create the Album with this QR code.
    Create a new album called "LI QR"

    Now, let’s create a shortcut to find and present this QR code. (You can also access this shortcut here.)

    1. Open the Short cuts app, and create a new shortcut.
    2. In the Search Actions field, type “Photos” and select the Find Photos option.
    3. Tap Add Filter and set it to “Album is” and then tap to find your “LI QR” album.
    4. Tap the Limit slider and set it to “Get 1 Item.”
    5. Add another action, this time searching for “Show Result” and it should be default add a Photos variable.
    6. Give it a name like Show LI QR and then tap Done in the upper right.
    7. Long press on the new shortcut and select Details.
    8. Under the Privacy tab, enable Allow Running When Locked.
    9. Tap Done in the upper right.
    Screenshot of the complete Shortcut workflow.

    Finally, let’s set up ready access to this shortcut by assigning it to the Double or Triple-tap Back accessibility function.

    1. In the Settings app, search for “Back Tap.” (Accessibility > Touch)
    2. Tap into Triple Tap and scroll down to Shortcuts.
    3. Select Show LI QR shortcut we created earlier.
    4. Back out or swipe to close the Settings app.
    5. Give the back of your phone a double or triple tap.
    Back Tap accessibility settings

    With this shortcut set up, you’ll never have to fumble through apps to find your LinkedIn QR code again. A quick tap on the back of your iPhone is all it takes to connect with new contacts on the spot. 

    This same shortcut can be used for other social media QR codes, like Instagram or Snapchat, so you’re ready for any networking situation. How are you utilizing Shortcuts?