DDM is a management model shift, not just a feature update. Apple is moving part of endpoint governance from server-driven command loops to device-evaluated state enforcement. That changes the operational centre of gravity for Apple fleet management because the control plane no longer needs to micromanage every step. Practitioners should treat this as a change in enforcement architecture, not a branding exercise.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- A separate finding from the same research says only 44% of organisations have implemented any policies to govern AI agents, even though 92% agree that governing them is critical to enterprise security.
A question worth separating out:
Q: What should organisations do before shifting more Apple management to DDM?
A: They should inventory every Apple control that depends on imperative commands, confirm how declarative state is reported, and test whether update and compliance workflows still meet operational requirements. That preparation matters because device-led management changes timing and visibility, even when policy intent stays the same.
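One way to run the "confirm how declarative state is reported" check is sketched below. It is an added example, not code from the editorial or from Apple. It reconciles the declarations a server intends to be in force against what a device reports. The identifiers, server tokens and sample report are constructed, and the report layout (a `management.declarations` status item listing configurations with `active`, `valid` and `server-token`) is an assumption to verify against your MDM vendor's output.

```python
import json

# Constructed sample: intended declarations, identifier -> server token.
EXPECTED = {
    "com.example.config.passcode": "tok-3",
    "com.example.config.softwareupdate": "tok-7",
    "com.example.config.wifi": "tok-2",
}

# Constructed status report; layout is an assumption (see lead-in).
SAMPLE_REPORT = json.dumps({
    "StatusItems": {"management": {"declarations": {"configurations": [
        {"identifier": "com.example.config.passcode", "server-token": "tok-3",
         "active": True, "valid": "valid"},
        {"identifier": "com.example.config.softwareupdate", "server-token": "tok-6",
         "active": True, "valid": "valid"},
        {"identifier": "com.example.config.legacy-vpn", "server-token": "tok-1",
         "active": False, "valid": "invalid"},
    ]}}},
    "Errors": [],
})

def reconcile(report_json, expected):
    """Return {identifier: finding} for each declaration not in its intended state."""
    report = json.loads(report_json)
    configs = (report.get("StatusItems", {}).get("management", {})
               .get("declarations", {}).get("configurations", []))
    seen = {c.get("identifier"): c for c in configs}
    findings = {}
    for ident, token in expected.items():
        c = seen.get(ident)
        if c is None:
            findings[ident] = "missing"        # device never reported it
        elif c.get("server-token") != token:
            findings[ident] = "stale-token"    # device holds an older revision
        elif c.get("valid") != "valid":
            findings[ident] = "invalid"        # device rejected the declaration
        elif not c.get("active", False):
            findings[ident] = "inactive"       # valid but not being enforced
    for ident in seen.keys() - expected.keys():
        findings[ident] = "unexpected"         # reported but no longer intended
    return findings

if __name__ == "__main__":
    for ident, finding in sorted(reconcile(SAMPLE_REPORT, EXPECTED).items()):
        print(f"{finding:12} {ident}")
```

The example assumes each report carries the device's full list of configurations; if your server receives partial reports, merge them into the last known state before reconciling.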
👉 Read our full editorial: Apple declarative device management changes enterprise control models