Understanding Declarative Device Management
Declarative Device Management (DDM) represents a paradigm shift in how Apple devices are managed. Unlike the traditional “reactive” MDM protocol, which relies on the server constantly polling devices for status updates, DDM enables devices to be “proactive.”
In a DDM environment, the device autonomously monitors its own state and notifies the Hexnode server only when a significant change occurs (e.g., a device becomes non-compliant with a passcode policy). This shifts the logic from the server to the endpoint, resulting in faster updates, reduced network traffic, and increased scalability.
Reactive vs. Proactive Management
To understand the value of Declarative Device Management, it is essential to compare it with the traditional MDM protocol.
| Aspect | Reactive Approach (Traditional MDM) | Proactive Approach (DDM) |
|---|---|---|
| Logic Location | Server-side. The server asks, “Are you compliant?” | Device-side. The device knows the rules and acts on them. |
| Communication | Constant polling (periodic check-ins). High traffic. | Asynchronous notifications. The device “pushes” updates only when needed. |
| Latency | High. Status updates wait for the next check-in cycle. | Low. Critical updates (e.g., non-compliance) are reported instantly. |
| Scalability | Lower. Large fleets put immense strain on the server. | Higher. Server load is significantly reduced. |
| Autonomy | Low. Relies on server instructions. | High. Applies policies autonomously. |
Key Benefits of DDM for IT Administrators
Hexnode leverages DDM to provide a more robust and responsive management experience:
- Autonomous Remediation: If a user changes a setting that violates a declaration, the device automatically reverts the change without waiting for a command from Hexnode.
- Proactive Status Reports: Instead of Hexnode asking “Are you encrypted?”, the device proactively sends a status update the moment encryption status changes.
- Reduced Server Load: By offloading logic to the device, Hexnode can manage massive fleets (10,000+ devices) with significantly reduced latency.
- Future-Proofing: Apple is prioritizing DDM for all new management features. Using Hexnode ensures you are ready for the latest iOS, macOS, and iPadOS capabilities.
Core Components of DDM Architecture
Declarative Device Management operates on three foundational pillars: Declarations, the Status Channel, and Extensibility.
1. Declarations
Declarations are JSON-based payloads that define the policy logic. There are four distinct types:
- Configurations: Similar to standard MDM profiles but sent as JSON. These apply settings (e.g., Wi-Fi, VPN, Restrictions).
- Assets: Reference data needed to support configurations, such as Identity Certificates or User credentials. A single asset can be referenced by multiple configurations.
- Activations: The “rules of engagement.” These define when and how configurations are applied (e.g., “Apply this Wi-Fi config only if the device is Company Owned”).
- Management: Defines what static information the device should report to the server (e.g., Device Model, OS Version).
2. Status Channel
This is the communication pipeline. Instead of the server asking for data, the device uses the Status Channel to proactively push updates. For example, if a passcode is changed or an app finishes installing, the device sends a status report immediately.
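The declaration set and status channel described above, as an added example that is not Hexnode's or Apple's code: a small Python model of a DDM server that serves a passcode configuration, a status subscription and an activation through a declaration-items manifest, and a device that syncs those declarations once, evaluates the passcode rule itself, and pushes a status report only when the subscribed item changes. It also models the offline queueing described in the FAQ below. The declaration type strings, manifest keys (Declarations, ServerToken, DeclarationsToken) and the status-item name follow Apple's published DDM schema; the identifiers, policy values, passcodes, class names and the in-process "transport" are assumptions made for the example (there is no HTTP or APNs here).

```python
"""Added example (not Hexnode's or Apple's code): a minimal model of a DDM
server and device. Declaration types, manifest keys and the status-item name
follow Apple's DDM schema; identifiers and values are constructed sample data."""
import hashlib
import json
from collections import deque


def make_declaration(decl_type, identifier, payload):
    """One declaration. ServerToken is opaque to the device and must change
    whenever the payload changes; here it is derived from a payload hash."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return {"Type": decl_type, "Identifier": identifier,
            "ServerToken": hashlib.sha256(canonical).hexdigest()[:16],
            "Payload": payload}


def declaration_items(declarations):
    """Manifest from the declaration-items endpoint: identifier and token of
    each declaration grouped by kind, plus a DeclarationsToken covering the
    whole set, so an unchanged set costs the device a single comparison."""
    declarations = list(declarations)
    by_kind = {"activation": "Activations", "configuration": "Configurations",
               "asset": "Assets", "management": "Management"}
    groups = {name: [] for name in by_kind.values()}
    for d in declarations:
        kind = d["Type"].split(".")[2]  # com.apple.<kind>.<name>
        groups[by_kind[kind]].append(
            {"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]})
    joined = "".join(sorted(d["ServerToken"] for d in declarations)).encode()
    return {"Declarations": groups,
            "DeclarationsToken": hashlib.sha256(joined).hexdigest()[:16]}


# Constructed sample declaration set (identifiers and values are made up).
PASSCODE_CONFIG = make_declaration(
    "com.apple.configuration.passcode.settings", "cfg.passcode",
    {"MinimumLength": 6})
STATUS_SUBSCRIPTION = make_declaration(
    "com.apple.configuration.management.status-subscriptions", "cfg.status",
    {"StatusItems": [{"Name": "passcode.is-compliant"}]})
ACTIVATION = make_declaration(
    "com.apple.activation.simple", "act.baseline",
    {"StandardConfigurations": ["cfg.passcode", "cfg.status"]})


class Server:
    """Serves declarations and consumes status reports pushed by devices."""

    def __init__(self, declarations):
        self.declarations = {d["Identifier"]: d for d in declarations}
        self.received = []  # status reports in arrival order
        self.alerts = []    # compliance events derived from them

    def manifest(self):
        return declaration_items(self.declarations.values())

    def status_report(self, report):
        # Status items arrive nested by dotted name: passcode.is-compliant
        self.received.append(report)
        if report["StatusItems"].get("passcode", {}).get("is-compliant") is False:
            self.alerts.append("passcode non-compliant")


class Device:
    """Syncs declarations once, then evaluates the passcode rule locally and
    reports over the status channel only when the subscribed item changes."""

    def __init__(self, server):
        self.server, self.online = server, True
        self.queue = deque()     # reports held while offline
        self.last_reported = {}  # status item -> last value sent
        self.declarations = {i["Identifier"]: server.declarations[i["Identifier"]]
                             for g in server.manifest()["Declarations"].values() for i in g}

    def set_passcode(self, passcode):
        minimum = self.declarations["cfg.passcode"]["Payload"]["MinimumLength"]
        compliant = len(passcode) >= minimum
        if self.last_reported.get("passcode.is-compliant") != compliant:
            self.last_reported["passcode.is-compliant"] = compliant
            self._push({"StatusItems": {"passcode": {"is-compliant": compliant}}})

    def _push(self, report):
        (self.server.status_report if self.online else self.queue.append)(report)

    def set_online(self, online):
        self.online = online
        while self.online and self.queue:  # flush queued reports on reconnect
            self.server.status_report(self.queue.popleft())


def demo():
    """Scenario: report on change, stay quiet otherwise, queue while offline."""
    server = Server([PASSCODE_CONFIG, STATUS_SUBSCRIPTION, ACTIVATION])
    device = Device(server)
    device.set_passcode("1234")    # too short: reported at once, alert raised
    device.set_passcode("123")     # still non-compliant: no change, nothing sent
    device.set_online(False)
    device.set_passcode("123456")  # compliant again, but queued while offline
    device.set_passcode("12345")   # non-compliant again, also queued
    device.set_online(True)        # queued reports delivered in order
    return server, device
```

Running `demo()` produces three status reports for five passcode changes: the second change is never sent because the compliance state did not change, and the two changes made while offline are delivered, in order, when connectivity returns. The `DeclarationsToken` is what lets the device skip a full sync when nothing on the server has changed; changing any payload changes the token.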
3. Extensibility
This ensures forward compatibility. Devices and servers advertise their capabilities to each other. If a device updates its OS and gains a new management feature, it informs the server, which can then utilize that new capability without requiring a full protocol overhaul.
Implementing DDM in Hexnode UEM
Hexnode integrates DDM alongside the standard MDM protocol to enhance efficiency.
Supported Platforms and Requirements
Device Enrollment:
- macOS: 13.0+
- iOS / iPadOS / tvOS: 16.0+
- watchOS: 10.0+
- visionOS: 1.1+
User Enrollment:
- iOS / iPadOS: 15.0+
Activation and Verification
When a compatible device is enrolled in Hexnode, an activation command is sent automatically after the initial scan.
To verify DDM status:
- Navigate to Manage > Devices.
- Click on the specific device.
- Go to Device Summary > Enrollment Details.
- Look for the Declarative Device Management field.
- Note: If inactive, click the refresh icon to retry the activation.
Current Hexnode DDM Features
Hexnode currently utilizes DDM for the following real-time data points:
- Password Compliance: Instant notification if a user changes a passcode to a non-compliant one.
- App Installation (iOS/iPadOS): Real-time status (Pending, Downloading, Installing, Installed, Failed).
- OS Updates: Real-time tracking of download and installation progress.
- Battery Health: Periodic reporting of battery metrics.
Troubleshooting DDM Issues
| Issue | Potential Cause | Solution |
|---|---|---|
| DDM Status is “Inactive” | Device OS is outdated or the initial activation command failed. | Ensure the device meets the OS requirements (e.g., iOS 16+). Click the “Refresh” icon on the Device Summary page to re-push the activation command. |
| Status Updates Not Received | Network restrictions or firewall blocks. | Ensure the device has access to Apple’s APNs servers and the Hexnode portal URL. |
| Cannot Disable DDM | By design, DDM is persistent. | You cannot toggle DDM off while the device is managed. To remove the declarative state, you must disenroll the device from Hexnode. |
| App Status Lagging | Device is in Low Power Mode or asleep. | While DDM is proactive, severe device restrictions (battery saving) may slightly delay non-critical updates. |
Frequently Asked Questions (FAQs)
Q: Does Declarative Device Management replace the existing MDM protocol?
A: No. DDM coexists with the standard MDM protocol. Hexnode uses traditional MDM commands for actions like “Lock Device” or “Wipe,” while using DDM for status monitoring and autonomous policy application.
Q: Can I use DDM on Android or Windows devices?
A: No. Declarative Device Management is a proprietary framework specific to the Apple ecosystem (iOS, macOS, tvOS, watchOS, visionOS).
Q: What happens if a device goes offline?
A: The device continues to enforce DDM policies locally (e.g., passcode rules). When connectivity is restored, it will push all queued status updates to the Hexnode server via the Status Channel.
Q: Is DDM more secure than traditional MDM?
A: Yes. Because the device evaluates its own compliance locally, it can react to security threats (like removing a passcode) instantly, rather than waiting for the server to detect the issue during the next polling cycle.