What’s next for MDM?

Katie English, Director of Product Strategy at Jamf, started this seminar from the end: "At the end of the session," she said, "the goal is that everyone will be overcome with optimism that MDM is going to help them solve the problems that they really care about."

But first, a brief history of MDM

"Prior to the MDM protocol," said English. "the only Apple devices you were managing were Macs. When those Macs were managed by the Casper Suite, at enrollment they would get some local binaries, those local binaries would have root privileges, and they would be able to retrieve data about the Mac to send back to a Management Server on a defined schedule. They'd also be able to tell the local client to take programmatic action by downloading packages and running local scripts. We called this the 'forced pull' device management."

Eventually, iPhones changed everything. And Jamf developed Mobile Device Management capabilities. "The change in management style was necessitated by iOS almost never being physically connected to an actual network, and also by its heavily sandboxed system architecture."

Gone was an agent with root-level access periodically contacting a management server. MDM necessitated push notifications.

A device that maintains a persistent connection to Apple pings their core services, and asks Apple to have the device 'phone home' to receive a setting, install a command, or install an app.

MDM 101

"This is MDM 101," said English. "The tech we've been using alongside the Jamf Management Framework for nearly 13 years." As a matter of fact, Jamf Pro still uses binary-related pull actions and MDM push commands.

The future of device management

"Of course," said English, "the protocol has gotten some new tricks since then. We've got heaps of commands, tons of granular settings."

Enter Apple's announcement in 2021: "The future of device management is declarative management." This is really quite definitive.

"So here we are, a year after that," said English, "and Apple is continuing to invest in this new Declarative Management protocol, which thankfully operates right alongside traditional MDM."

Legacy MDM workflows

"Remember that traditional MDM relies on a device having a persistent connection to Apple, and a management server asking Apple to have a managed device 'phone home' to receive a command or a query," said English.

An example:

• The command might be "update your OS."
• Then the subsequent query might be, "What's your OS right now?"
• An admin might then ask again to ensure the command went through correctly: "How about now? How about I check again tomorrow?"

Traditional MDM means admins get acknowledgments when commands have been received or completed, and we can get a lot of information back from the device when we ask.

"But we have to ask," said English. "Repeatedly. And we get a lot of duplicative information back. Repeatedly." For commands that are complex or contain conditional workflows, the flow of information back and forth increases. Asking your management server to parse that information and possibly perform calculations against the changes can trigger resulting commands and queries.

How does Declaration Management work?

Declarations are the polar opposite and can send far more detailed up-front instructions that tell the device how to behave under a set of conditions. That set of instructions combines with status reporting to alert the management server when certain values change on the device.

"So, rather than the frequent polling and verbose responses and reactive MDM actions based on what the device eventually reports in response to queries," continued English, "the management server can simply compose a set of instructions, send that to the device, then the device can behave autonomously without nearly as much traffic back to MDM." And it does this, she pointed out, without nearly as much calculation-intensive behavior on the management server itself to tell the device what to do next.

"With that single sparse value update for that device record," English continued, "the management server can do whatever additional processing needs to do in regard to remediation workflows, enabling or restricting access to organizational data, that kind of thing."

Jamf started with basic declarations and status updates in Jamf Pro 10.42 last year and offered them in Jamf School earlier this year. Jamf has now taken the next step to adopt software updates by declarations, now available in Jamf Pro , and coming soon to Jamf School.

English used software updates as a way to illustrate where things are going, walking attendees through workflows to update software as well as the ways Apple has pushed it a step further with:

• Client-side notifications
• The ability for users to update ahead of the target enforcement time
• The ability for users to schedule the update with local client logic

English expects that Apple will iterate enhancements to this functionality as they move forward, reminding admins that a few years ago they were probably using policies or scripted commands to invoke the softwareupdate binary. Now, after the advent of the first M1 Mac, the behavior has changed. Authentication requires an MDM bootstrap token and updated OS, and/or a user password for local user-initiated updates.

"Unattended policies triggered by a script or by a local agent with root privileges basically went away," said English.

What's next: Apple evolves

English surmises that this change may mark the beginning of a trend. "Programmatic access to certain binaries will continue to be deprecated in favor of 'MDM should do it instead' or 'the end user has to interact with admin rights to make it happen.'"

"It's easy to see," continued English, "particularly from a security perspective, why Apple would make these choices. Say a user inadvertently downloads an app with malware bundled in it. When they install it, the payload wants to access a local binary outside of the app bundle to change its privileges or get access beyond the app sandbox. If you have to stop and enter a password to do it, that might just be enough friction to prevent the ultimate invocation of that malicious binary action."

The industry has also seen a similar change regarding kernel extensions and the extra burden required for an end user to install them without MDM intervention.

"Administrative actions will increasingly require proper administrative tooling," said English. "I predict that you're gonna need MDM to do more things that you're used to scripting."

Degrees of management

As further evidence of this trend, English pointed to the BYOD workflow, with User Enrollment that has a deliberately limited subset of MDM functionality and visibility. "Management can do some stuff," she said, "but user data is ignored, and user choices aren't arbitrarily overridden by a management command."

So what conclusions could we draw from account-driven workflows, consumer devices, and the future of MDM? The key is Managed Apple IDs. They unlock many new workflows, and their functionality will evolve.

English believes that the industry will continue to see degrees of management as enabled by Apple IDs.

"The amount and kind of management applied to a device is necessarily getting more complicated," said English. "It's not as cut and dry as it used to be: full management or nothing at all. There's an acknowledgment that end users are getting pretty savvy and may object to the collision between personal data and work data, and that MDM has to offer experiences that mix and mingle enterprise needs with consumer desires."

Trusted Access

Trusted Access, English believes, will become a declaration rather than a series of reactions— making it easier and more secure.

At Jamf, Trusted Access is the combination of management and security solutions that ensures the right people on the right devices have the right access to resources in your organization. "This is something that we at Jamf care about a great deal," says English, "and if you haven't already checked out our webpage, you should."

"As admins, we are really used to security being a reactive process, said English. "As Declarative Management matures and offers more arbitrary interactions, admins will be able to simply define the state for compliance and devices won't be able to deviate from it."

All of this means that MDM, by way of enhancements with Declarative Management, will permit admins to make devices more secure by default, and staff will know more quickly when a vital condition changes.

What's next: Jamf extends

"So while Apple continues to evolve MDM," said English, "let's talk a little about what Jamf will be doing to turn raw functionality into problem-solving for admins."

Apple has given Jamf many opportunities this year.

"I've talked about Trusted Access, which is sort of a holistic approach to manage and secure devices, but to zero in on a more specific example, I'm just going to pick a specific feature available this year, which is the Return to Service command."

English then walked attendees through how this command has changed and how it enhances workflows for Jamf Pro and Jamf School.

Jamf has also, she pointed out, been able to enhance existing tools like Self Service with these new opportunities which makes these tools even easier to use and even more effective.

What's next: Don't panic

“[Declarative Management] is the next direction. I don't think it will affect what I do too much. Overall WWDC was a bunch of bright shiny toys I won't get to play with.”

— a Jamf customer, during a UX Research interview

"I sympathize," English admitted. "Change can be really quite unsettling, and some organizations actively discourage it. I also was a change-averse admin, and scripting literally everything was totally okay with me. But I am hoping that we can start to shake off the worry about change— because how MDM is evolving, change is actually pretty cool."

English believes that even skeptical or fearful Apple admins will see the value in MDM's evolution.

MDM, English says, will be:

• More secure (by permitting declarations to set compliance out of the box, and by limiting programmatic interactions with low-level binaries)
• More native (by enabling end-user interactions based on declarations)
• More useful over time (by iterating on the already strong foundation of MDM with DDM)

You're not alone!

In addition, Jamf is here to help you use MDM to solve real problems, just as we have with Software Updates and Return to Service. Jamf helps admins to adopt new features more quickly by optimizing our architecture to iterate and deliver features faster. And Jamf enables you to manage and secure your Apple devices to your specific organization's standards.