Many businesses are increasingly adopting mobile devices, such as phones and tablets, as standard tools for their employees. As these devices become more powerful and technologies like 5G become more available, it makes perfect sense for businesses to take advantage if it makes their employees more productive. That’s where device management comes into play.
This has seen many organizations start to implement bring-your-own-device (BYOD) policies as the changes to traditional workplaces pick up momentum. However, there will be a need for effective device management solutions that can reduce the burden on IT staff while simultaneously enhancing the end-user experience.
Solutions such as Apple’s new approach to device management called Declarative Device Management (DDM). Products like these are heralding the future of device management by offering a great array of new features.
What is Declarative Device Management?
Declarative management represents the future of device management. As a relatively new offering from Apple, Declarative Device Management is a transformative update to the protocol. And it brings policy management to devices.
This solution enables devices to be autonomous and proactive. It can also be used together with the existing MDM protocol capabilities. One of the main advantages of having autonomous devices is that they can react to state changes. They then apply management logic to themselves without needing action from the server.
As a result of all this, you’ll get greater performance and increased scalability, which will help keep your organization’s devices running at optimum levels. The ability for devices to be autonomous as well as proactive are the key elements that make declarative management the ideal solution going forward.
Furthermore, declarative management works in a way that keeps devices in the best possible state. It does so, keeping important data secure, regardless of whether or not you have an internet connection. This allows users to have a more responsive experience that can help improve their efficiency.
And to assuage any concerns customers may have, Apple assures clients that although this may be a new offering, the protocol is not. The declarative functionality that is being offered has been built into existing MDM protocols.
Therefore, customers can expect to have access to a device management service that will streamline all management processes. And it improves the experience not only for end-users but for IT admins as well.
Requirements
As with any product, there are minimum requirements to consider if your organization wants to have access to Declarative Device Management.
| Operating System | Versions Supported |
| macOS | Ventura 13 and later |
| iOS | 15 for user enrollment only and 16 and later for all enrollment types |
| iPadOS | 15 and later |
| tvOS | 16 and later |
| watchOS | 10 and later |
Advantages of DDM
Probably the biggest benefit that users stand to gain from DDM is the improvement in device performance. With the main features on offer, devices can act proactively and more autonomously. This means that any actions requiring implementation will execute faster because there is no waiting for the server. Because of this efficiency, you should expect to have far more accurate device information that will also report back much faster.
This improvement in how devices run will also be a welcome change for IT admins. With certain actions being automated, administrators will have more time to prioritize and focus on more productive tasks. And all of this happens in a highly secure environment meaning taking advantage of these benefits will not come at the cost of data and device security.
Core data models
Declarative management comes with three main core data models, and these are as follows:
DECLARATIONS
Declarations refer to the payloads that servers define, forward to devices, and represent the state or behavior that businesses want for their devices. There are four types of declarations:
| Declaration Type | Description |
| Configurations | Not dissimilar to what we’ve already been using for the application of settings and restrictions on devices. |
| Assets | Refers to the reference data that configurations need for large data items and per-user data. |
| Activations | Group of configurations that are automatically applied to a device. Activations and configurations have a many-to-many type of relationship. Another thing to note is that activations can support complex predicate expressions using an extended predicate syntax. |
| Management | The role of management is to transmit to the device key information about the organization as well as details about the MDM solutions. |
STATUS CHANNEL
The status channel is a key means of communication in declarative management. And it is responsible for conveying information when the state of the device changes. When these changes occur, the device will proactively update the server via status reports containing details of the update. An important thing to note is that the server can be configured to subscribe only to specific status items meaning it will receive only the updates it considers necessary.
EXTENSIBILITY
Extensibility enables organizations to better tailor declarative management to meet their business needs. This feature gives you the flexibility of integrating with other products so that end-users have the best possible options available. What this gives you is a platform that enables both devices and MDM servers the ability to support new features as and when they release.
Introducing DDM to your organization
How to manage the transition to DDM
One of the goals with tech products and services is that the companies developing them should design them to be relatively easy to use if you want to draw in customers. To that end, the transition to declarative device management is much easier because the MDM protocol has various functions.
For instance, you will be able to embed existing profiles into a legacy profile declaration. Another good example would be how you can have an MDM solution take ownership of a profile that has already been deployed and subsequently migrate it into a legacy configuration declaration. The advantage of this action is that it eliminates the need to remove an existing profile to replace it with a configuration that may not be suitable for the user.
Integration of declarative management within the MDM protocol
Part of what makes Declarative Device Management such a great option is how it integrates into the MDM protocol. Not only that, but existing MDM vendors already have access to the features that are on offer.
The significance of integration within the MDM protocol is that declarative management will leverage it for the management of key areas including both enrollment and unenrollment, HTTP transport, as well as device and user authentication.
Moreover, DDM intends to make the transition from existing MDM products as seamless as possible. This means that you don’t have to worry about dealing with disruptive changes to adopt new protocols.
To add to the convenience, you’ll also find that declarations and the status channel will coexist with your existing MDM commands and profiles. By setting it up this way, DDM gives organizations the flexibility to adopt declarative management features at their own pace.
Because of this, you won’t need to immediately update all of your MDM workflows. Another very important thing to note is that declarative management will not affect existing MDM behaviors. What you’ll actually find is that declarative management utilizes existing MDM behaviors using an MDM command for activation and an MDC CheckIn request for synchronization and status reports.
Activating declarative management
We’ll start with a DeclarativeManagement command addition to MDM. This command has two roles that it will play. Firstly, it will activate the declarative management features on a device. Before proceeding with this, however, you need to know that you won’t be able to turn off declarative management once you’ve turned it on. But, you do get a way out of this if the need arises. By having the server remove all declarations, this action will, for all intents and purposes, disable declarative management.
The second thing the command can do is include a payload containing synchronization tokens that will initiate a synchronization flow if necessary. Additionally, there is a new CheckIn request type that devices use to synchronize declarations and send status reports to the server. And the server will give you a response when you use the CheckIn request to synchronize declarations. You can get two types of responses which are:
- A manifest that lists the identifier and server token properties of all declarations defined by the server.
- Single declarations for the device to apply.
Improved management enhances BYOD
Most of us may have noticed over the last few years that Bring-Your-Own-Device (BYOD) policies are growing in popularity across various business sectors. Similar to declarative management, BYOD can help organizations make better use of the technology available to them and improve the efficiency of their employees.
But, one thing you’ll be quick to notice about employees using their personal devices to connect to enterprise networks is that it can drastically reduce an organization’s capital outlay for devices. And as management solutions continue to get better, the security concerns that you might have about personal devices accessing sensitive corporate data are being addressed.
However, even with the potential financial gains, adopting BYOD policies would still be a difficult sell without effective management services available. This is why services such as Microsoft Intune’s web-based device enrolment for iOS/iPadOS are bringing new features to the table.
What this service will do is eliminate the need for the Company Portal app thereby providing a faster enrollment process that also delivers an improved user experience. Your life as an MDM admin should get somewhat more comfortable given that you’ll now be able to enroll personal devices in Microsoft Intune without users having to first install additional apps.
App or web–based enrollment
Microsoft Intune simplifies device enrollment for Apple users through the availability of Apple device enrollment. This service provides key iOS/iPadOS management capabilities for users in the Microsoft Intune admin center without compromising the security of personal data. When it comes to device enrollment, there are two options: app-based enrollment and web-based enrollment. So, if you navigate to the Intune admin center, the device enrollment options you’ll see are:
- Device enrollment with the Company Portal
- Web-based device enrollment
You’ll need to create an enrollment profile in the admin center to select and configure enrollment types. To do that:
- Navigate to Devices > iOS/iPadOS > iOS/iPadOS enrollment
- Select Enrollment types.
To simplify the process of Microsoft Entra registration within the employee’s work apps and reduce the number of times they have to authenticate, web-based enrollment will leverage just-in-time (JIT) registration with the Apple single sign-on. JIT registration in enrollments can be enabled by creating a device configuration profile with an SSO app extension policy. But, Intune clarifies that using JIT registration with web-based enrollment is not mandatory but it is highly recommended if you want a better experience for end-users.
EXPLAINING JUST-IN-TIME REGISTRATION
According to Microsoft Intune:
“Just in Time registration within the enrollment flow is an improvement to the Setup Assistant with a modern authentication enrollment method since it no longer requires the Company Portal app for Azure Active Directory (Azure AD) registration or compliance checking.”
The overall goal of JIT registration is to streamline the process for users by eliminating the Company Portal requirement which by extension removes some of the complex steps that users have had to deal with. By using JIT registration, all users will need to do to enroll their iOS devices is sign in with their corporate credentials.
To successfully complete the enrollment process, users must sign in with their corporate credentials. Doing this will authenticate them via Entra ID and automatically register their device with Intune. Setting up just-in-time registration requires your business to have an active Apple Business Manager or Apple School Manager account as well as devices that are eligible for JIT registration. Additionally, network settings will need configuration accordingly for enrolled devices and Intune to communicate. In the table below, you’ll find the details concerning web and app enrollment:
| Specification | App-based enrollment | Web-based enrollment |
| Supported version | iOS/iPadOS 14 and later | iOS/iPadOS 15 and later |
| BYOD and personal devices | Yes | Yes |
| Device associated with a single user | Yes | Yes |
| Device reset required | No | No |
| Enrollment initiated by the device user | Yes | Yes |
| Supervision | No | No |
| Just-In-Time registration | No | Yes |
| Required apps | Intune Company Portal app for iOS Microsoft Authenticator | Microsoft Authenticator |
| Enrollment location | App-based enrollment takes place in the Company Portal app, Safari, and device settings app. | Web-based enrollment takes place in Safari and the device settings app. |
Setting up web-based enrollment
Web-based enrollment is designed to speed up the enrollment process and give users a more user-friendly experience. Because users can do all they need to in Safari and in their device settings, the Company Portal app will no longer be required.
Furthermore, once you have enabled JIT registration, Intune can use it with the Microsoft Authenticator app for registration of the device and SSO thus eliminating the need for users to sign in constantly during enrollment and when accessing work apps. To set up web-based enrollment, you’ll need to follow the steps below:
Set up just-in-time registration
Before proceeding, you’ll need to verify that you meet the requirements:
- Apple user enrollment: Account-driven user enrollment
- Apple device enrollment: Web-based device enrollment
- Apple automated device enrollment: For enrollments that use Setup Assistant with modern authentication as the authentication method.
Once you’ve checked the requirements, you can now proceed to create an SSO app extension policy that uses the Apple SSO extension to enable JIT registration. With that done, follow the steps below:
- Sign in to the Microsoft Intune admin center.
- Navigate to Device features > Category > Single sign-on app extension. Here you need to create an iOS/iPadOS device configuration policy.
- Select Microsoft Entra ID for SSO app extension type.
- For any non-Microsoft apps using SSO, you must add the app bundle IDs. Because the SSO extension is automatically applied to all Microsoft apps, it’s better not to add Microsoft apps to your policy. This way you can stay away from authentication issues. Also, note that the Microsoft Authenticator app will be later added in an app policy so you should avoid adding it to the SSO extension as well.
- Under Additional configuration, add the required key-value pair. For JIT to work properly, you must eliminate trailing spaces before and after the value and key.
| Key: device_registration Type: String Value: {{DEVICEREGISTRATION}} |
- Microsoft Intune also recommends that you add the key-value pair that enables SSO in the Safari browser for all apps in the policy. And similar to the previous step, you’ll need to eliminate trailing spaces before and after the value and key for JIT to work properly.
| Key: browser_sso_interaction_enabled Type: Integer Value: 1 |
- Select Next.
- For Assignments, you must assign the profile to all users (or designate specific groups), then select Next.
- You can now go and review your choices on the Review + create page. With everything done, select Create to finish creating the profile.
- Lastly, you need to head over to Apps > All apps and assign Microsoft Authenticator to groups as a required app.
Create enrollment profile
An enrollment profile is necessary for all devices enrolling via web-based device enrollment. Once created, this profile will initiate the device user’s enrollment experience thereby allowing them to begin enrollment in Safari.
- Navigate to Devices > Enrollment in the Intune admin center. Select the Apple tab.
- Select Enrollment types (preview) under Enrollment Options.
- Select Create profile > iOS/iPadOS.
- Go to the Basics page and type in a name and description for the profile. This allows you to distinguish this profile from others in the admin center. Select Next.
- Navigate to the Settings page, for Enrollment type, select Web based device enrollment. Select Next.
- Head over to the Assignments page and assign the profile to all users or a group of users. Select Next.
- You can now go and review your choices on the Review + create page. With everything done, select Create to finish creating the profile.
PREPARING EMPLOYEES FOR ENROLLMENT
Employees will be alerted by the app as to the enrollment requirements when they try to sign in to work apps on their personal devices. They will then be redirected to the Company Portal website for enrollment. The other option would involve you giving users an URL that opens the Company Portal website. For those not using Conditional Access, you’ll need to remember to share the enrollment link with device users so that they know how to initiate enrollment. The enrollment steps for device users are as follows:
- Open Safari and sign in to your Company Portal website with your work or school account.
- Next, you should get a prompt to download the management profile and this will be downloaded by the Company Portal while you wait in Safari.
- Navigate to your device settings app to view and install the management profile.
- Signing in to a work or school app can only happen after the Microsoft Authenticator is installed. The device will only be ready for use after this installation.
- Now you can use your work account to sign in to a work app, such as Microsoft Teams.
- You’ll then need to wait while the app identifies the required setting updates.
Wrap up
The future of device management lies in the integration of the best products and services that are available to customers. Often, we can get caught up debating which tech company offers the best services to meet our needs. But, as we are seeing with Microsoft Intune and Apple device management solutions, bringing together great products to coexist can deliver far more for the end-users.
Declarative management looks like a brilliant solution that is going to deliver a seamless user experience that could improve productivity. It’s therefore no surprise that when combined with what Microsoft Intune has to offer, businesses can look forward to better, faster, and more efficient device management.
