Mobile Guardian supports Apple Declarative Device Management (DDM) for iOS and iPadOS devices. DDM allows the dashboard to push declarations to devices, which are then enforced locally by the device itself. This means devices respond to policy changes faster and maintain compliance autonomously, even when temporarily offline.
DDM settings are configured within a Profile and apply to all iOS/iPadOS devices assigned to that profile.
What You Will Learn
- What Declarative Device Management is and how it differs from traditional MDM commands
- Where to find DDM settings in the Mobile Guardian Dashboard
- How to configure available declarations (software updates, passcode, accounts)
Prerequisites
- Devices must be running iOS/iPadOS 15 or later (iOS 16+ recommended for full DDM feature support)
- Devices must be supervised (enrolled via Apple Business Manager or Apple School Manager)
- Devices must be enrolled in Mobile Guardian
Note: DDM declarations are only supported on supervised devices. Unsupervised devices will not receive these configurations. Some declarations (such as software update enforcement) require iOS 17 or later.
How DDM Differs from Traditional MDM
| | Traditional MDM | Declarative Device Management |
| How it works | Dashboard sends commands; device waits for instructions | Dashboard sends declarations; device enforces them locally |
| Response time | Device acts at next check-in or push notification | Device applies changes immediately upon receiving the declaration |
| Offline behaviour | Device cannot act until it reconnects | Device continues enforcing declarations while offline |
| Status reporting | Dashboard polls the device for status | Device proactively reports its own status back to the dashboard |
For administrators, the practical difference is that DDM-configured settings are more reliable and faster to take effect, particularly on devices that move between networks or are intermittently connected.
Navigating to DDM Settings
- Log in to your Mobile Guardian Dashboard.
- Navigate to Profiles: Click on “Profiles” in the left-hand navigation panel.
- Select a Profile: Click the pencil icon under the “Actions” column for the profile you want to edit (Baseline or Conditional).
- Open the Declarative Management tab: Click on “Declarative Management” in the profile configuration options.
- Select iOS/iPadOS: Click on the “iOS” tab to view DDM declarations available for Apple devices.
Available Declarations
Software Update Enforcement
Configure automatic OS update behaviour for managed devices. This declaration allows you to enforce update deadlines, preventing students from indefinitely deferring system updates.
Settings:
| Setting | Description |
| Target OS version | The specific iOS/iPadOS version devices must update to (e.g. 18.5). Leave blank to enforce the latest available version |
| Install by date | The deadline by which the update must be installed. After this date, the device will force the update automatically |
| Deferral period (days) | Number of days to delay the update notification after a new version becomes available. Useful for allowing time to test compatibility before school-wide rollout |
| Notification type | Whether to show a notification only, or a notification with a countdown to the forced install |
To configure:
- Under the Declarative Management tab, expand the “Software Update” section.
- Enable the Enforce software updates toggle.
- Set the Target OS version or leave blank for the latest.
- Set the Install by date or Deferral period as required.
- Select the Notification type.
- Click “Save” to apply.
Note: Software update enforcement requires iOS/iPadOS 17 or later. Devices running iOS 16 will receive the update notification but cannot be forced to install by a deadline.
Passcode Policy
Configure device passcode requirements declaratively. When configured via DDM, the device enforces passcode compliance locally rather than waiting for a server check-in.
Settings:
| Setting | Description |
| Require passcode | Whether a passcode is required on the device |
| Minimum length | Minimum number of characters (4-16) |
| Require complex passcode | Whether the passcode must contain letters and numbers (not just digits) |
| Maximum failed attempts | Number of failed passcode attempts before the device wipes (1-11, or disabled) |
| Auto-lock (minutes) | Time of inactivity before the device locks automatically |
| Passcode expiry (days) | Number of days before the user must change their passcode. Set to 0 for no expiry |
| Passcode history | Number of previous passcodes the device remembers, preventing reuse |
To configure:
- Under the Declarative Management tab, expand the “Passcode” section.
- Enable the Require passcode toggle.
- Set the desired values for length, complexity, and timeout.
- Click “Save” to apply.
Note: If you have an existing Passcode configuration in the traditional Passcode tab of the same profile, the DDM declaration takes precedence on devices that support it. Devices on older iOS versions will fall back to the traditional passcode profile.
Account Configuration
Push mail, calendar, and contacts account settings to devices declaratively. This is useful for automatically configuring school email on student devices without manual setup.
Settings:
| Setting | Description |
| Account type | Mail, CalDAV (calendar), or CardDAV (contacts) |
| Display name | The account name shown on the device |
| Server hostname | The mail/calendar/contacts server address |
| Port | Server port number |
| Username | The user’s account identifier (supports variables for per-device values) |
| Authentication type | Password or certificate-based authentication |
| Use SSL | Whether the connection requires encryption |
To configure:
- Under the Declarative Management tab, expand the “Accounts” section.
- Click “Add Account”.
- Select the Account type.
- Enter the server details and authentication settings.
- Click “Save” to apply.
Status Reporting
DDM-enabled devices proactively report their status back to the Mobile Guardian Dashboard. This includes:
- Current OS version
- Whether the device meets passcode requirements
- Software update installation status
- Declaration compliance state
Status information is visible in the device details view:
- Navigate to “Devices” > “All Devices”.
- Select a device to open the device details.
- The Compliance section displays the device’s current status against active declarations.
Note: Status reporting happens automatically. No additional configuration is required beyond enabling DDM declarations in the profile.
Applying DDM Settings to Devices
DDM declarations follow the same profile assignment model as all other Mobile Guardian settings:
- Baseline Profile: DDM declarations in the Baseline apply to all devices assigned to that profile whenever no Conditional profile is active.
- Conditional Profile: DDM declarations in a Conditional profile apply based on time and location parameters, overriding the Baseline while active.
Devices receive updated declarations at the next sync. Due to DDM’s architecture, changes typically apply within seconds of the device receiving the declaration, rather than waiting for a full profile push.
Troubleshooting
| Issue | Likely Cause | Resolution |
| Declaration not applying to device | Device not supervised | Verify the device is enrolled via ABM/ASM and shows as supervised in the device details |
| Software update not enforcing | Device running iOS 16 or earlier | Software update enforcement requires iOS 17+. Update the device manually first |
| Passcode declaration conflicting with existing profile | Both DDM passcode and traditional Passcode tab configured | Remove the traditional passcode configuration from the profile, or ensure values do not conflict |
| Status not reporting in device details | Device on iOS 15 | Full status reporting requires iOS 16+. Consider upgrading the device |
| Declaration showing as pending | Device offline | The declaration will apply automatically when the device reconnects |
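The version and supervision requirements above can be checked across a device inventory before relying on DDM for enforcement. The following is an added example, not Mobile Guardian code: the thresholds are the ones stated on this page, while the record fields (`name`, `os_version`, `supervised`) and the sample devices are hypothetical and do not reflect a Mobile Guardian export format.

```python
# Added example, not Mobile Guardian code; record field names are hypothetical.
DDM_MIN = (15,)             # DDM declarations: iOS/iPadOS 15 or later
STATUS_MIN = (16,)          # full status reporting: 16 or later
UPDATE_ENFORCE_MIN = (17,)  # update deadline enforcement: 17 or later


def parse_version(text):
    """Turn '16.7.2' into (16, 7, 2); raise ValueError on malformed input."""
    parts = str(text).strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unparseable OS version: {text!r}")
    return tuple(int(p) for p in parts)


def ddm_coverage(device):
    """Report which DDM capabilities a device has and which gaps remain."""
    report = {"name": device.get("name"), "ddm": False,
              "status_reporting": False, "update_enforcement": False, "gaps": []}
    try:
        version = parse_version(device.get("os_version"))
    except ValueError:
        report["gaps"].append("OS version unknown: verify the device manually")
        return report
    if not device.get("supervised"):
        report["gaps"].append("not supervised: declarations are not delivered")
    if version < DDM_MIN:
        report["gaps"].append("below iOS/iPadOS 15: DDM unsupported")
    if not report["gaps"]:
        report["ddm"] = True
        report["status_reporting"] = version >= STATUS_MIN
        report["update_enforcement"] = version >= UPDATE_ENFORCE_MIN
        if not report["status_reporting"]:
            report["gaps"].append("iOS 15: full status reporting requires 16+")
        if not report["update_enforcement"]:
            report["gaps"].append("below 17: update deadline is not enforced")
    return report


def devices_with_gaps(fleet):
    """Map device name -> gaps, for devices that need attention."""
    reports = (ddm_coverage(d) for d in fleet)
    return {r["name"]: r["gaps"] for r in reports if r["gaps"]}


FLEET = [  # constructed sample inventory, not real devices
    {"name": "ipad-lab-01", "os_version": "17.5.1", "supervised": True},
    {"name": "ipad-lab-02", "os_version": "16.7.2", "supervised": True},
    {"name": "ipad-byod-03", "os_version": "17.4", "supervised": False},
    {"name": "ipad-old-04", "os_version": "15.8", "supervised": True},
]
```

Calling `devices_with_gaps(FLEET)` returns entries for the three devices that fall short of a requirement; `ipad-lab-01` is fully covered and is omitted.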
Best Practices
- Use DDM software update enforcement to maintain a consistent OS version across your fleet. Set a deferral period of 7-14 days to allow testing before school-wide rollout.
- Where a DDM equivalent exists (passcode, accounts), prefer it over the traditional profile setting. DDM declarations enforce faster and report compliance status automatically.
- Keep one profile responsible for DDM settings per device. Avoid splitting declarations across Baseline and Conditional profiles where possible, as this can create confusion about which settings are active.
- Monitor the Compliance section in device details after deploying new declarations to confirm they have been received and applied.