The Unified Architecture: Scaling Apple Management with DDM, MDM, and Agent Synergy

Hexnode manages Apple devices using a hybrid architecture that combines three distinct technologies. These layers run in parallel on the device to ensure comprehensive management, security, and monitoring.

  1. MDM Protocol: The standard, reactive layer for enrollment and base configuration.
  2. Declarative Device Management (DDM): The modern, proactive layer for autonomous device behavior (specifically OS updates).
  3. Hexnode UEM Agent: A dedicated app installed on the device to handle tasks that native Apple protocols cannot perform (such as location tracking and messaging).

1. MDM Protocol (Mobile Device Management)

The MDM protocol is the foundation of Apple device management. It establishes the initial trust relationship between the device and the Hexnode server.

How does it function?

  • Reactive Communication: The Hexnode server is an active decision-maker. It sends notifications (via APNs) to the device to “wake it up” so it can check in and receive commands.
  • Command-Based: The server queues specific commands, and the device executes them sequentially.

Key functions in Hexnode

  • Enrollment: Handles the initial setup via Apple Business Manager, User Enrollment, or Device Enrollment.
  • Base Configurations: Pushes standard profiles such as Wi-Fi, VPN, Email Exchange, and Passcode policies.
  • Remote Actions: Executes critical security commands like Remote Wipe, Device Lock, and Clear Passcode.

2. Declarative Device Management (DDM)

DDM is an evolution of the MDM protocol that shifts logic from the server to the device, allowing the device to be autonomous and proactive.

How does it function?

  • Proactive “Declarations”: Instead of waiting for commands, the device receives “Declarations” that define its desired state. The device stores these rules locally and applies them instantly.
  • Status Channel: The device proactively reports changes in its state (e.g., “My OS just updated”) to Hexnode without the server needing to poll the device constantly.
  • Autonomous Logic: If a device’s state changes (e.g., a policy is removed), the device detects the discrepancy and self-corrects based on the stored declarations.

Key functions in Hexnode

  • Managed Software Updates: DDM is the primary engine for enforcing OS updates (on iOS 17+ and macOS 14+). It allows admins to set specific deadlines and customized user notifications (e.g., a restart countdown) while the device handles the download and installation logic locally.
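The token-based declaration sync described above, as an added illustration that is not Hexnode's or Apple's code: the server publishes a configuration (an OS update enforcement declaration) plus an activation, each stamped with a ServerToken derived from its content, and the device compares the declaration-items manifest against what it has stored locally to find only the declarations it must fetch or drop. The declaration structure and the `com.apple.configuration.softwareupdate.enforcement.specific` payload keys follow Apple's published DDM schema; the token derivation and the `status_report` shape are assumptions for this example.

```python
import hashlib
import json

def server_token(declaration: dict) -> str:
    """Derive a ServerToken from the content; any edit to the declaration changes it (assumed scheme)."""
    canonical = json.dumps(declaration, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def os_update_enforcement(identifier: str, target_version: str, deadline_local: str) -> dict:
    # Payload keys follow Apple's "software update enforcement (specific)" configuration.
    return {
        "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
        "Identifier": identifier,
        "Payload": {"TargetOSVersion": target_version, "TargetLocalDateTime": deadline_local},
    }

def activation(identifier: str, config_ids: list) -> dict:
    # A simple activation tells the device which configurations to apply.
    return {"Type": "com.apple.activation.simple", "Identifier": identifier,
            "Payload": {"StandardConfigurations": config_ids}}

def declaration_items(declarations: list) -> dict:
    """Server side: build the declaration-items manifest (identifiers + tokens, no payloads)."""
    items = {"Activations": [], "Configurations": []}
    for d in declarations:
        kind = "Activations" if d["Type"].startswith("com.apple.activation") else "Configurations"
        items[kind].append({"Identifier": d["Identifier"], "ServerToken": server_token(d)})
    blob = json.dumps(items, sort_keys=True).encode()
    return {"Declarations": items, "DeclarationsToken": hashlib.sha256(blob).hexdigest()[:16]}

def device_sync(local_tokens: dict, manifest: dict) -> tuple:
    """Device side: diff stored tokens against the manifest; fetch only changed/new declarations,
    remove any the server no longer lists. This is the self-correcting reconcile step."""
    to_fetch, seen = [], set()
    for entries in manifest["Declarations"].values():
        for e in entries:
            seen.add(e["Identifier"])
            if local_tokens.get(e["Identifier"]) != e["ServerToken"]:
                to_fetch.append(e["Identifier"])
    to_remove = [i for i in local_tokens if i not in seen]
    return to_fetch, to_remove

def status_report(installed_version: str, target_version: str) -> dict:
    """Device side: proactive status-channel report (key names assumed for this example)."""
    return {"StatusItems": {"device.operating-system.version": installed_version,
                            "softwareupdate.compliant": installed_version == target_version}}
```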

3. Hexnode UEM Agent app

The Hexnode UEM App is a client-side application that bridges the gap between Apple’s native restrictions and enterprise needs.

Installation Logic

  • macOS: The agent is installed automatically alongside the MDM profile.
  • iOS: The app installs automatically upon enrollment.

Key functions in Hexnode

  • Location Tracking: Native MDM cannot perform real-time tracking. The Agent app uses the device’s GPS services (requiring user permission) to fetch location data and report it to the console.
  • Messaging: The Agent acts as a secure inbox for admin messages, storing a complete history of communications that users can review at any time.
  • Enterprise App Catalog: It provides a self-service kiosk where users can view and install apps approved by the organization.
  • Compliance Monitoring: Users can open the app to check their device’s compliance status (e.g., verifying if their passcode meets complexity requirements).
  • Remote View:
    • iOS: Facilitates screen sharing (Remote View) for troubleshooting.
    • macOS: Works with the Hexnode Remote Assist app to enable full remote control.

Summary of Architecture

| Feature | MDM Protocol | DDM (Declarative) | Hexnode Agent App |
|---|---|---|---|
| Primary Role | Setup & Security Base | Smart Maintenance | Advanced Monitoring |
| Communication Style | Server pushes commands (Reactive) | Device reports status (Proactive) | App communicates with Server |
| Key Use Cases | Wi-Fi, VPN, Wipe, Lock | OS Updates, Status Reporting | Location, Messages, App Catalog |
| Deployment | Native (Built-in to OS) | Native (Built-in to OS) | Must be installed (User prompt on iOS 15+) |