Kandji Expands Support for Declarative Device Management

Kandji now uses Declarative Device Management (DDM) status reports to track operating system versions and iOS app installations.

In our initial launch of support for DDM for supervised devices, we updated our Passcode Library Item to automatically use configuration declarations for newly enrolled iOS 16 and iPadOS 16 devices. With this latest update, we’ll now take advantage of status reports, one of the most exciting components of DDM.

The original query-based MDM architecture required a server to regularly poll devices for their status: ”Which version of macOS are you running?” “Are you done installing this app?” Now, with status reports, devices can proactively reach out to let MDM know whenever something changes.

Status reports close a big gap in the feedback loop. Previously, a significant period of time—sometimes as much as 24 hours—could elapse without the MDM solution polling a device and learning about such changes. That in turn created challenges for admins who needed to keep their fleets aligned with support and compliance requirements.

Kandji has always tried to balance the need for timely awareness of device states with the network and computational load that frequent polling can impose on devices and servers. With status reports, we can move away from polling mechanisms that attempt to “catch” events soon enough after they occur, and give admins a true picture of their Apple device fleets.

We’ve implemented status reports for two kinds of events that Apple admins care about most: operating system updates and app installation. (Only iOS currently supports the latter.) When a device upgrades its operating system (moving from one major version of the OS to the next, such as macOS 12 to macOS 13) or updates it (moving from one minor release to the next), it will immediately inform Kandji; Kandji will, in turn, update the displayed device information in our web app to match.

Similarly, when installing apps to iOS or iPadOS devices, as soon as that installation is done, the device will tell Kandji, and we will update the status of that Library Item accordingly. The same goes for app updates or app removals. 

With these changes, status updates, remediations, and rules evaluations will happen much more quickly than before.

Admins don’t need to do anything to effect this change in their fleets. Just as we did for passcode declarations last fall, we have integrated this update into our existing UI elements and workflows, without you needing to enable anything or learn new operations.