Configure Apple DDM Enabled Software Update and Passcode Policies in Intune

Let’s learn how to configure Apple DDM-enabled software update and passcode policies in Intune for iOS/iPadOS and macOS devices. In Microsoft Intune, Apple’s DDM (Declarative Device Management) is a helpful tool for controlling software update and passcode policies (and many more settings) on iOS/iPadOS and macOS devices.

This integration makes it easier for users to manage when updates are installed and set up passcode policies that suit their preferences. This collaborative approach ensures that users have more control over their device management experience within the Intune environment.

Declarative device management is the new solution for all your Apple devices. It provides an autonomous and proactive management capability. MDM developers and enterprise administrators are excited about declarative device management.

Many developers have already added this feature to MDM servers, making it easier for everyone to use and manage their devices. DDM is a collaboration between many teams within Apple, aiming to provide solid and safe solutions.


What is DDM?


DDM stands for Declarative Device Management. It is the modern solution for managing Apple devices, and it introduces an autonomous and proactive management capability. It is Apple’s innovative solution, integrated into Microsoft Intune.

How does DDM Enhance Device Management in Intune for Apple Devices?


DDM empowers users to efficiently control software update and passcode policies on iPad iOS and macOS devices. This collaborative approach ensures a more user-friendly and customizable device management experience within the Intune environment.

What is Intune MDM?


Microsoft Intune MDM is a mobile device management service. It is a cloud-based service that allows organizations to manage and secure their employees’ devices. It provides comprehensive tools for managing mobile devices like smartphones and tablets.

Video – Configure Apple DDM Enabled Software Update and Passcode Policies in Intune

We have an informative video showing the differences between Apple’s DDM (Declarative Device Management) and MDM (Mobile Device Management). We will explore what declarative device management means compared to traditional mobile device management and understand the distinctions between the two.


Note! – Now administrators can use MDM commands to install updates on supervised and non-supervised devices

Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Video 1

Configure Apple DDM Enabled Software Update and Passcode Policies in Intune

Let’s discuss Intune MDM and Apple DDM, and how they handle software updates and password policies in an easy way known as declarative device management (DDM).

Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.1

Intune Supports Only iOS/iPadOS and macOS Devices

Now, you can use MDM (Mobile Device Management) and declarative device management for watchOS. It offers comprehensive management solutions for a broader range of Apple devices, including not only watchOS but also other Apple platforms like iOS (for iPhones), iPadOS (for iPads), macOS (for Mac computers), and tvOS (for Apple TVs).

Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.2

Intune 2310 Updates Bird’s-Eye View

Let’s look at an overview of the Microsoft Intune 2310 updates. It offers a comprehensive snapshot of the changes and enhancements. The table and screenshot below show a bird’s-eye view of the Microsoft Intune 2310 updates.

Intune 2310 Updates Bird’s-Eye View | Details
App management | Android Company Portal app, Minimum SDK version warning for iOS devices, Minimum support for LOB and Store Apps for Apple devices; Pre-install and post-install scripts in unmanaged macOS PKG apps; Required and Uninstall Group Assignment support for Android (AOSP) LOB Apps
Device configuration | FSLogix settings – Settings Catalog and Administrative Templates; Enhanced Security permissions using delegated scopes for Android Enterprise Devices; Samsung ended support for kiosk mode on Android device administrator devices; Import and export settings catalog policies; Different lock for device and work profile (Android BYOD), with a separate compliance policy for the work profile in a future release; New Settings for macOS – System Policy App Data and Force On Device Only Dictation
Device Management | Remote Help for Android is now Generally Available for Enterprise dedicated devices from Zebra and Samsung
Device security | FSLogix settings – Settings Catalog and Administrative Templates; Enhanced Security permissions using delegated scopes for Android Enterprise Devices; Samsung ended support for kiosk mode on Android device administrator devices; Import and export settings catalog policies; Different lock for device and work profile (Android BYOD), with a separate compliance policy for the work profile in a future release; New Settings for macOS – System Policy App Data and Force On Device Only Dictation
New MAM – Intune Apps | BuddyBoard and Microsoft Loop
Monitor and troubleshoot | GA’d Reports for Policy compliance and Setting compliance
Tenant Administration | Intune admin center home page update
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Table 1
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.3

Passcode using Apple’s DDM

DDM (declarative device management) allows you to install a specific update by an enforced deadline. It is asynchronous, which avoids the common performance and scalability issues typically associated with serializing commands and polling devices over MDM.

  • Devices > Configuration profiles > Create profile > macOS platform > Settings catalog for profile type > Declarative device management.
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.4

Software Updates using Apple’s DDM

Declarative device management allows you to install a specific update by an enforced deadline. It is asynchronous, which avoids the common performance and scalability issues typically associated with serializing commands and polling devices over MDM.

  • Can coexist with MDM software updates
  • Takes precedence over MDM
  • Available for macOS, iOS, iPadOS
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.5

Declarative Device Management (preview) in Intune for macOS Devices

Sign in to the Intune Admin Center portal https://intune.microsoft.com/. Select Device > macOS > Configuration profiles > Create a profile. In Create Profile, select macOS in Platform, and select Settings catalog as the Profile Type.

  • Click on the Create button.
Platform | Profile Type
macOS | Settings Catalog
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.6

On the Basics tab pane, provide a name for the policy, such as “DDM”. Optionally, you can enter a policy description and proceed by selecting “Next”.

Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.7

In Configuration Settings, click Add Settings to browse or search the catalog for the settings you want to configure. In the Settings Picker window, you can see that Declarative Device Management (preview) is available.

These settings configure the declarations used by Apple’s declarative device management feature. These settings are separate from older MDM settings and only apply to a device enabled for declarative management. Learn more about declarative management at developer.apple.com.

  • If you expand Declarative Device Management, you can see 2 policies: Passcode and Software Update.
  • Apple is also working on different policies, including passcode and software updates.
  • You can configure these 2 policies in the Intune portal as part of 2310 updates.
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.8

Passcode and Software Update Policy under DDM

Under passcode, there are 7 settings. They are Automatic Device Lock, Maximum Grace Period, Maximum Number of Failed Attempts, Minimum Passcode Length, Passcode Reuse Limit, Require Complex Passcode and Require Passcode on Device.

Under the software update policy, 4 settings are available: Details URL, Target Build Version, Target Local Date Time, and Target OS Version.

Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.9

Software Update Configuration Settings

Software update configuration settings include 4 settings: Details URL, Target Build Version, Target Local Date Time, and Target OS Version. The target build version is the build to update the device to by the appropriate time, for example, ‘20A242’. The system uses the build version for testing during seeding periods.

The build version can include a supplemental version identifier, for example, ‘20A242a’. If the build version isn’t consistent with the target OS version specified in the ‘TargetOSVersion’ key, the target OS version takes precedence.

  • Details URL – The URL of a web page that shows the organisation’s details about the enforced update.
  • Target Local Date Time – The value specifies when to force install the software update. Use the format ‘Y-mm-dd hh:mm:ss0’. Note that this format doesn’t include a time zone offset. If the user doesn’t trigger the software update before this time, the device force installs it. For example, if you want an update to occur on a user’s devices on November 18 at 12:30 pm, enter 2023-11-18T12:30:000
  • Target OS Version – The target OS version to update the device to by the appropriate time. This is the OS version number, for example, ‘16.1’. It may also include a supplemental version identifier, for example, ‘16.1.1’.
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.10
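
As an added example (not from the original post and not Intune's own code), the Python check below lints the four software update settings described above so that a malformed value is caught before the policy is assigned. It assumes Apple's yyyy-mm-ddThh:mm:ss deadline form with no time zone offset and treats TargetOSVersion and TargetLocalDateTime as required; the function name, the sample payloads and the https rule are illustrative.

```python
import re
from datetime import datetime

# Assumed wire format for TargetLocalDateTime: device-local time, no UTC offset.
DEADLINE_FORMAT = "%Y-%m-%dT%H:%M:%S"
OS_VERSION_RE = re.compile(r"^\d+(\.\d+){1,2}$")   # e.g. 16.1 or 16.1.1
BUILD_RE = re.compile(r"^\d+[A-Z]\d+[a-z]?$")      # e.g. 20A242 or 20A242a


def lint_update_payload(payload, now):
    """Return a list of problems found in a software update payload (dict)."""
    problems = []
    os_version = payload.get("TargetOSVersion", "")
    if not OS_VERSION_RE.match(os_version):
        problems.append("TargetOSVersion: expected a version like 16.1 or 16.1.1")
    build = payload.get("TargetBuildVersion")
    if build is not None and not BUILD_RE.match(build):
        problems.append("TargetBuildVersion: expected a build like 20A242")
    deadline = payload.get("TargetLocalDateTime", "")
    try:
        parsed = datetime.strptime(deadline, DEADLINE_FORMAT)
    except ValueError:
        problems.append("TargetLocalDateTime: expected yyyy-mm-ddThh:mm:ss, no offset")
    else:
        if parsed <= now:
            problems.append("TargetLocalDateTime: deadline is already in the past")
    url = payload.get("DetailsURL")
    if url is not None and not url.startswith("https://"):
        # Hygiene rule added for this example, not an Apple requirement.
        problems.append("DetailsURL: use an https:// page")
    return problems


# Constructed sample payloads (values are illustrative, not from a real tenant).
SAMPLES = {
    "ok": {"TargetOSVersion": "16.1.1",
           "TargetLocalDateTime": "2023-11-18T12:30:00",
           "DetailsURL": "https://it.example.com/ios-update"},
    "offset": {"TargetOSVersion": "16.1.1",
               "TargetLocalDateTime": "2023-11-18T12:30:00+01:00"},
    "stale": {"TargetOSVersion": "16.1", "TargetBuildVersion": "20A242a",
              "TargetLocalDateTime": "2023-10-01T08:00:00"},
}

if __name__ == "__main__":
    review_time = datetime(2023, 11, 1, 9, 0, 0)   # fixed "now" for repeatable output
    for name, payload in SAMPLES.items():
        print(name, lint_update_payload(payload, review_time))
```

Pass the current local time as `now` when checking a real policy; the fixed value above only keeps the sample output repeatable.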

Declarative Device Management (preview) in Intune for iOS iPadOS Devices

You can easily configure passcode and software updates under Declarative Device Management (preview) in Intune for iOS/iPadOS Devices. For this configuration, sign in to the Intune Admin Center portal https://intune.microsoft.com/.

  • Select Device > iOS/iPadOS > Configuration profiles > Create a profile. In Create Profile, select iOS/iPadOS in Platform and Settings catalog as the profile type.
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.11

The policy we previously explored in macOS is visible within the Settings Picker window. You can easily spot the same configurations, simplifying the management process across different platforms.

  • You can see Declarative Device Management (preview) is available.
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.12

The passcode configuration settings include 7 settings options, such as Automatic Device Lock, Maximum Grace Period, Maximum Number of Failed Attempts, Minimum Passcode Length, Passcode Reuse Limit, Require Complex Passcode and Require Passcode on Device.

Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.13

Passcode Configuration Settings – Automatic Device Lock in Passcode

Specifies the maximum period a user can select, during which the device can be idle before the system automatically locks it. The device is locked once this limit is reached, and the passcode must be entered. In the absence of this key, the user can select any period. In macOS, this will be translated to screensaver settings.

Passcode Configuration Settings | Description
Maximum Grace Period | Specifies the maximum period a user can select, during which a device can be unlocked without entering the passcode. A value of 0 implies no grace period and requires a passcode to be entered immediately. In the absence of this key, the user can select any period. In macOS, this will be translated to screensaver settings.
Maximum Number of Failed Attempts | Specifies the number of failed passcode attempts that can be made before an iOS device is erased or a macOS device is locked. If you don’t change this setting, the Device imposes a time delay after six failed attempts before a passcode can be entered again. The time delay increases with each failed attempt. After the final failed attempt, all data and settings are securely erased from the iOS device. A macOS device locks after the last attempt. The passcode time delay begins after the sixth attempt, so if you set this value to six or lower, no time delay is imposed, and the Device is erased when the attempt limit is exceeded.
Minimum Passcode Length | Specifies the minimum number of characters a passcode can contain.
Passcode Reuse Limit | Specifies the number of failed passcode attempts that can be made before an iOS device is erased or a macOS device is locked. If you don’t change this setting, the device imposes a time delay after six failed attempts before a passcode can be entered again. The time delay increases with each failed attempt. After the final failed attempt, all data and settings are securely erased from the iOS device. A macOS device locks after the last attempt. The passcode time delay begins after the sixth attempt, so if you set this value to six or lower, no time delay is imposed, and the Device is erased when the attempt limit is exceeded.
Require Complex Passcode | Specifies the number of historical passcode entries checked when determining whether a new passcode can be used. The Device refuses a new passcode if it matches a previously used passcode within the specified passcode history range. In the absence of this key, no historical check is performed.
Require Passcode on Device | Specifies the number of historical passcode entries checked when determining whether a new passcode can be used. The Device refuses a new passcode if it matches a previously used passcode within the specified passcode history range. In the absence of this key, no historical check is performed.
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Table 2
Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.14

Scope Tags and Assignments

Scope tags are important in policy creation. If you don’t select a scope tag, then the Default scope tag is automatically set. The assignments tab helps you include or exclude groups. If you want to form groups, click the Add Groups option in the window below.

Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.15

Review + Create

The “Review + Create” tab offers a comprehensive overview, allowing you to verify and confirm all the specified information before finalizing the creation. It summarises the item’s attributes, ensuring everything aligns with your intended configuration.

Configure Apple DDM Enabled Software Update and Passcode Policies in Intune – Fig.16


Author

About the Author – Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing about Windows 11 and related technologies. She is also keen on finding solutions and writing about day-to-day tech problems.

1 thought on “Configure Apple DDM Enabled Software Update and Passcode Policies in Intune”

  1. Thanks for the post, I’ve started to play around with update deadlines. Keen to see what our update numbers look like at the next iOS update that has a CVE in it we want to patch in 48 hours.
