TL;DR: Apple’s declarative device management shifts state management from server-driven polling to device-led enforcement, letting the device report and resolve policy state more autonomously while traditional MDM commands still handle some actions, according to JumpCloud. That changes how IAM and endpoint teams think about control authority, update timing, and visibility.
At a glance
What this is: Declarative device management is Apple’s event-driven management model that shifts more policy logic to the device and improves responsiveness for enterprise fleet control.
Why it matters: It matters because endpoint, NHI, and identity teams need to understand which controls remain server-led, which become device-led, and how that affects governance, auditability, and operational response.
👉 Read JumpCloud's analysis of Apple declarative device management for enterprise fleets
Context
Declarative device management is Apple’s event-driven approach to endpoint control, where the device, not the server, holds more of the logic for evaluating state and reporting progress. That matters because traditional MDM assumes the server must keep asking what changed, which creates delay, noise, and a heavier operational burden for Apple fleet management.
For IAM and security teams, the governance question is not whether Apple devices are managed, but where authority sits during enforcement. DDM reduces the back-and-forth polling model, but it does not remove the need for policy ownership, lifecycle control, or auditability across device identity and access workflows.
Key questions
Q: How should teams govern Apple devices when management shifts to declarative controls?
A: Teams should treat declarative device management as a split-control model, not a replacement for MDM. Define which tasks are enforced locally on the device, which remain server-controlled, and which require audit evidence from both paths. That prevents false assumptions about visibility, escalation, and rollback in Apple fleet operations.
Q: When does declarative management reduce risk rather than create blind spots?
A: It reduces risk when policies are clearly authored, state is verifiable, and the server still retains enough telemetry to confirm compliance. It creates blind spots when teams assume device-led enforcement automatically produces the same level of oversight as server-pushed commands. The deciding factor is audit design, not the label on the management method.
Q: What do security teams get wrong about Apple MDM and DDM coexistence?
A: They often assume that a new declarative layer replaces the older operational model. In reality, Apple still depends on classic MDM for high-impact actions, so governance must account for two enforcement paths. If teams ignore that split, they misclassify where authority, response, and accountability actually sit.
Q: What should organisations do before shifting more Apple management to DDM?
A: They should inventory every Apple control that depends on imperative commands, confirm how declarative state is reported, and test whether update and compliance workflows still meet operational requirements. That preparation matters because device-led management changes timing and visibility, even when policy intent stays the same.
Technical breakdown
Declarative device management vs imperative MDM
Traditional MDM is imperative: the server issues a command, the device executes it, and the server polls for confirmation. Declarative device management reverses much of that relationship by sending desired state, policies, and configuration up front, then letting the device evaluate and act within those boundaries. This reduces round-trips and makes the management loop event-driven rather than request-driven. The key architectural difference is that DDM shifts decision timing closer to the endpoint while the MDM server remains the policy authority for commands that still require central orchestration.
Practical implication: separate workflows that can run declaratively from those that still require imperative control.
Why device-led policy evaluation changes Apple fleet management
DDM makes the device more responsible for determining whether it meets the declared configuration, which is why update status and policy state can become more responsive. That does not make the device independent in a governance sense. It still operates inside server-defined policy, but the runtime loop is less dependent on constant server polling. For security teams, this shifts the control problem from repeated verification to trust in the correctness of the declaration, the policy payload, and the device’s ability to enforce state consistently across macOS, iOS, and iPadOS.
Practical implication: validate which state checks now happen on device and where your audit trail is still sourced from the server.
How DDM and traditional MDM work in parallel
DDM is not a replacement for MDM. Apple still relies on classic MDM commands for actions such as full device wipes, activation lock, and certain enrollment operations. In practice, enterprises end up with a split model: DDM handles ongoing state enforcement and monitoring, while MDM remains the control plane for discrete administrative actions. That hybrid arrangement is important because it prevents teams from assuming that every Apple management task can be moved into the declarative layer. The architecture is additive, not total replacement, which creates governance complexity if teams do not map command types to the right enforcement path.
Practical implication: inventory which Apple controls remain imperative and document the operational handoff between DDM and MDM.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
- LiteLLM PyPI package breach — LiteLLM PyPI supply chain attack, credentials stolen from users.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
DDM is a management model shift, not just a feature update. Apple is moving part of endpoint governance from server-driven command loops to device-evaluated state enforcement. That changes the operational centre of gravity for Apple fleet management because the control plane no longer needs to micromanage every step. Practitioners should treat this as a change in enforcement architecture, not a branding exercise.
Declarative control reduces polling overhead but raises declaration quality as a governance issue. When the device is responsible for interpreting desired state, the accuracy of policies, deadlines, and update rules matters more than ever. The failure mode is not just missed remediation, but inconsistent state interpretation across devices if policy design is weak. Teams should review how declarations are authored, tested, and audited across macOS, iOS, and iPadOS.
DDM and MDM coexistence creates split accountability if teams do not map control ownership clearly. Some actions still depend on classic MDM while others move into the declarative layer, which means governance can fragment between endpoint operations, security, and identity teams. The practical risk is assuming one control model covers all Apple device actions. Practitioners should define where central authority ends and device autonomy begins.
Autonomous behavior in endpoint management does not eliminate identity governance. It changes where identity assurance must be proven. Declarative state enforcement was designed for server-paced command issuance. That assumption fails when the device acts on locally evaluated policy in near real time. The implication is that access, compliance, and audit models must account for device-led enforcement windows rather than only server-initiated actions.
Apple’s move reinforces the wider shift toward zero-touch operating models. DDM aligns with a broader industry pattern where operational control is moving closer to the managed asset. That benefits scale, but it also reduces the visibility teams get from command-by-command oversight. Practitioners should expect more endpoint platforms to adopt event-driven control patterns and should plan governance accordingly.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- A separate finding from the same research says only 44% of organisations have implemented any policies to govern AI agents, even though 92% agree that governing them is critical to enterprise security.
- That gap matters for endpoint governance too, because the 2026 Infrastructure Identity Survey shows 70% of organisations already grant AI systems more access than they would give a human employee doing the same job.
What this signals
Declarative endpoint control is part of a wider move toward machine-paced governance. As more operational decisions shift closer to the managed system, teams will need to separate policy intent from enforcement timing. That is especially relevant where Apple fleets sit alongside cloud workloads and AI-adjacent automation, because governance models that assume server-paced control loops will miss the new failure modes.
Device-led enforcement changes the evidence standard for compliance. If the endpoint can resolve state locally, security teams must know what proof still comes from the server and what proof is generated on the device. The practical shift is toward stronger control mapping, not less oversight, because compliance teams cannot audit what they cannot distinguish.
With 70% of organisations already granting AI systems more access than they would give a human employee, per the 2026 Infrastructure Identity Survey, the larger pattern is clear: governance is moving from command-centric administration to bounded autonomy. Declarative device management fits that trajectory, but only if teams can prove where authority ends and delegated execution begins.
For practitioners
- Map declarative and imperative control paths List which Apple management actions now run through DDM and which still require classic MDM commands such as wipes, activation lock, and enrollment operations. Use that map to assign owners for policy creation, enforcement, and exception handling.
- Review policy declarations for auditability Test whether update deadlines, OS targets, and deferral options are traceable in logs and reports after the device evaluates them locally. If the server no longer polls every state change, the audit design must be explicit.
- Align endpoint governance with device-led enforcement Coordinate endpoint operations, security, and identity teams so that declarative state, update enforcement, and compliance checks are all covered by a shared operating model rather than separate assumptions.
- Validate Apple fleet update workflows across platforms Confirm that macOS, iOS, and iPadOS policies behave consistently when using native update notifications, mandatory deadlines, and automatic installation settings.
Key takeaways
- Declarative device management shifts Apple fleet control from repeated server polling to device-led state enforcement.
- DDM does not replace MDM, so teams must govern a parallel model where some actions stay imperative and others become declarative.
- The practical challenge is no longer only update delivery. It is maintaining clear authority, auditability, and ownership across both enforcement paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | DDM changes how endpoint access and state enforcement are governed. |
| NIST Zero Trust (SP 800-207) | Declarative control fits zero-trust style continuous verification and bounded execution. | |
| NIST SP 800-63 | Apple device governance often ties into managed identity and enrollment trust. |
Treat device-led enforcement as a zero-trust control and preserve continuous validation of state.
Key terms
- Declarative device management: A management model where the administrator defines the desired device state and the device evaluates and enforces that state locally. Instead of constant server polling, the device reports progress and compliance against the declaration. The model improves responsiveness, but it also increases the importance of policy quality and telemetry design.
- Imperative management model: A control approach where a central server issues step-by-step commands and expects each action to be executed in sequence. In endpoint management, this creates a tight command-and-confirm loop. The model is familiar and precise, but it can be slower and more operationally noisy than declarative approaches.
- Desired state: The target configuration or operating condition an administrator wants a device to reach and maintain. In declarative systems, desired state replaces many direct commands with policy, rules, and configuration data. The practical challenge is ensuring the declaration is accurate, complete, and auditable across the fleet.
Deepen your knowledge
Declarative device management and Apple fleet governance are covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If you are redesigning endpoint control for a mixed enforcement model, it is worth exploring.
This post draws on content published by JumpCloud: Declarative Device Management for Apple Devices. Read the original.
Published by the NHIMG editorial team on 2026-02-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
