This guide applies to Apple devices
About Declarative Device Management
Declarative Device Management (DDM) is Apple’s next-generation device management framework that provides a more efficient and reliable way to manage devices. Unlike traditional MDM, which uses a push-based approach, DDM allows devices to pull their configuration from the MDM server, making them more autonomous and self-managing. Iru Endpoint was first to market to support actively managing supervised devices with DDM in 2022, and since that launch, has continued to expand the usage of DDM throughout the product. Learn more about DDM on the Iru blog.
How It Works
DDM enhances Managed OS functionality by providing more reliable update delivery and enforcement. When DDM is enabled, devices can:
- Pull updates autonomously - Devices check for updates independently
- Handle offline scenarios - Updates can be cached and applied when connectivity is restored
- Provide better reliability - Reduced dependency on constant server communication
- Improve user experience - More seamless update processes with fewer interruptions
As of 11/29/23, Iru Endpoint uses DDM for Managed OS for macOS Sonoma, iOS 17, and iPadOS 17 and later.
DDM and Managed OS
DDM is used to manage software updates automatically; there is no additional configuration needed in Managed OS Library Items. When DDM is used, Iru Endpoint simply applies a “declaration” to devices with the required OS version and the deadline for enforcement; from that point forward, the respective operating system handles all end user notifications and the actual enforcement process.
Admin Experience
Library Item Configuration
Managed OS Library Items for macOS Sonoma, iOS 17, and iPadOS 17 separate the enforcement time zone option into its own section. This option now applies only to upgrades from older operating systems.
When DDM is in use, update enforcement always uses the device’s local time zone. Iru Endpoint cannot change this behavior as it is set by the operating systems.
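Because the deadline in the declaration is a local date and time with no UTC offset, one declaration enforces at a different instant in each time zone. The following is an added example, not Iru Endpoint's code: the declaration is constructed (its type and key names follow Apple's published software update enforcement declaration), and the fleet's UTC offsets are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample declaration. Type and payload key names follow Apple's
# published software update enforcement schema; all values are made up.
DECLARATION = json.loads("""
{
  "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
  "Identifier": "example.managed-os.enforcement",
  "ServerToken": "constructed-token-1",
  "Payload": {
    "TargetOSVersion": "17.1.2",
    "TargetLocalDateTime": "2023-12-15T18:00:00"
  }
}
""")

EXPECTED_TYPE = "com.apple.configuration.softwareupdate.enforcement.specific"


def local_deadline(declaration):
    """Return (target_version, naive local deadline) after basic sanity checks."""
    if declaration.get("Type") != EXPECTED_TYPE:
        raise ValueError("not a software update enforcement declaration")
    payload = declaration["Payload"]
    deadline = datetime.fromisoformat(payload["TargetLocalDateTime"])
    if deadline.tzinfo is not None:
        raise ValueError("deadline must be local time without a UTC offset")
    return payload["TargetOSVersion"], deadline


def enforcement_in_utc(declaration, utc_offset_hours):
    """UTC instant of enforcement, and of the last-24-hours window start, for a device."""
    _, deadline = local_deadline(declaration)
    device_zone = timezone(timedelta(hours=utc_offset_hours))
    enforce_utc = deadline.replace(tzinfo=device_zone).astimezone(timezone.utc)
    return enforce_utc, enforce_utc - timedelta(hours=24)


if __name__ == "__main__":
    # Constructed fleet: device label -> UTC offset in hours on the deadline date.
    fleet = {"Sydney": 11, "Berlin": 1, "New York": -5, "San Francisco": -8}
    version, deadline = local_deadline(DECLARATION)
    print(f"Target {version}, local deadline {deadline.isoformat()}")
    for site, offset in fleet.items():
        enforce, last_day = enforcement_in_utc(DECLARATION, offset)
        print(f"{site:14} enforces {enforce:%Y-%m-%d %H:%M}Z, final 24h starts {last_day:%Y-%m-%d %H:%M}Z")
```

For this sample fleet, enforcement is spread over 19 hours of wall-clock time, which is the window to plan support coverage around when choosing an enforcement time.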
MDM Commands
Only a single MDM command for DeclarativeManagement is visible in the device’s activity stream when new OS versions are released or enforcement timelines are changed. Individual AvailableOSUpdates and OSUpdateStatus commands are no longer run throughout the update lifecycle as they don’t provide any information to Iru Endpoint when DDM is in use.
Library Item Status
macOS, iOS, and iPadOS send updates proactively to Iru Endpoint about the status of OS updates. The operating systems, not Iru Endpoint, control the contents and granularity of these status updates. Iru Endpoint simply displays the updates as they are received. Iru Endpoint then maps various reported statuses to standard Library Item statuses, such as Downloading, Cached, Installing, Pass, and Error.
User Experience
Please visit the User Experience with Managed OS for macOS and User Experience with Managed OS for iOS, iPadOS and tvOS articles for more information.
Deferrals
Users cannot defer enforced updates beyond their enforcement deadline an hour at a time like they could previously in Managed OS through the Kandji Agent; this is because the operating systems do not allow it. This means updates could happen during critical business tasks if users continuously ignore notifications and don’t update their devices (though all notifications in the last 24hrs of enforcement ignore Do Not Disturb). Iru Endpoint cannot control this, but does recommend considering this important change when setting enforcement times in Managed OS. Also be sure to consider that all updates are enforced in device local time.
Troubleshooting
Who should I contact for help with Managed OS?
Check System Settings on macOS or Settings on iOS or iPadOS for the applied declaration. If it has the correct enforcement settings but users are not being notified properly, or updates are failing to install, please contact Apple support or send feedback to Apple through AppleSeed for IT. If devices are not receiving the correct declarations at all, or you have a general question about Managed OS, including how to configure it, please contact Iru support.
Frequently Asked Questions
Why is Iru Endpoint using DDM to manage software updates going forward?
Using DDM to manage software updates on macOS Sonoma, iOS 17, and iPadOS 17 is the most reliable way to do so. It also brings a number of benefits like enforcement of updates in a device’s local time zone, and notifications that are able to bypass Do Not Disturb in the last 24hrs leading up to enforcement.
How can I verify that Iru Endpoint has applied the correct declaration for Managed OS?
macOS: Open System Settings > General > Device Management > Double click on “MDM Profile” > Scroll down to “Device Declarations”.
iOS: Open Settings > General > VPN & Device Management > MDM Profile > Configurations
Once a declaration hits a device, users will be notified immediately that an update is scheduled. Depending on your configuration, this notification could happen weeks or months ahead of the enforcement date.
Can I continue to offer the previous Managed OS experience to my users?
No. Devices running macOS Sonoma, iOS 17, and iPadOS 17 and later automatically use DDM to enforce software updates.
Is Managed OS still supported on older operating systems where DDM is not used?
Yes. Iru Endpoint supports Managed OS for all supported operating systems.
What happens if the update is already cached and I would like to change the enforcement date/time?
When an update is already cached and you want to push back the enforcement date, the enforcement date and time will be re-evaluated as soon as possible, at the next MDM check-in.
Where can I send feedback about the end user experience when DDM is in use?
Feedback about the end user experience when updates are managed with DDM, including the contents of notifications, their frequency, deferrals, or any other customizations should be sent to Apple through AppleSeed for IT.
- Configuring Managed OS for macOS - Set up Managed OS for Mac computers
- Configuring Managed OS for iOS, iPadOS, and tvOS - Set up Managed OS for Apple mobile devices
- OS Update Strategies: OS Deferral Restriction and Managed OS - Compare different OS update management approaches