
Support all DDM payload types

Open harrisonravazzolo opened this issue 6 months ago • 7 comments

  • customer-olympus: TODO: @kc9wwh
  • customer-redwine: https://us-65885.app.gong.io/call?id=4784171323633370203&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A720%2C%22to%22%3A757%7D%5D
  • customer-rosner: TODO

Problem

DDM represents Apple's future direction for device management, offering significant performance, scalability, and flexibility. There are four domains of DDM: activations, assets, management, configuration.

Currently, Fleet only has support for some of the subdomains in the configuration scope and my organization would like to deploy others to leverage the more complex capabilities/logic of the DDM protocol.

What have you tried?

Try uploading a DDM payload that is unsupported, such as assets


Potential solutions

No potential solutions.

What is the expected workflow as a result of your proposal?

As an IT admin I expect to be able to deploy this payload type to my hosts.

harrisonravazzolo avatar May 20 '25 16:05 harrisonravazzolo

Not allowing asset declarations is also a blocker for customers to adopt Background Task Management introduced in macOS 15. This is captured in #25911.

cc: @harrisonravazzolo

ddribeiro avatar May 27 '25 22:05 ddribeiro

  • customer-olympus: TODO
  • customer-redwine: TODO
  • customer-rosner: TODO

@harrisonravazzolo @zayhanlon can you please add Gong snippets for olympus, redwine, and rosner?

noahtalerman avatar Jun 11 '25 18:06 noahtalerman

@pintomi1989 re: Redwine and Rosner

zayhanlon avatar Jun 12 '25 13:06 zayhanlon

Hey @noahtalerman - Just put in the Gong snippet for customer-redwine. Next meeting with customer-rosner is coming up in early July, at which point I will get a snippet from them as well

pintomi1989 avatar Jun 13 '25 14:06 pintomi1989

EDIT: I spoke too soon! Sorry. We're still waiting on redwine and rosner Gong snippets. @pintomi1989 I assigned it back to you.

~~Hey @pintomi1989 just a reminder to add the :product label which will put this on the drafting board so it goes through unpacking the why.~~

noahtalerman avatar Jun 13 '25 17:06 noahtalerman

Hey @noahtalerman - No worries! The redwine snippet is in there already, just waiting on customer-rosner's meeting in early July, at which point I will attach that recording as well. We need a customer-olympus snippet, but I believe they work with @kc9wwh

pintomi1989 avatar Jun 13 '25 17:06 pintomi1989

Per the Jun 2025 Apple IT Developer Summit, there should be more urgency at Fleet around DDM. See: https://docs.google.com/document/d/1R9aobf44cf3JOTkbxNZjQit6LkxZtQc_9yOEstvNFzs/edit?tab=t.0

I think we should reconsider the priorities laid out here: https://github.com/fleetdm/fleet/blob/5d0209e53d9ba4b911474f8b6d6bc763d0461a43/docs/Contributing/research/mdm/apple-user-channel.md?plain=1

@noahtalerman @georgekarrv @allenhouchins @harrisonravazzolo

customer-reedtimmer has expressed specific needs around the user channel for DDM to manage Safari here: https://fleetdm.slack.com/archives/C052K2LAMCP/p1750951974021899

{
  "Identifier" : "blah.blah.mac.safari-extensions-push",
  "Type" : "com.apple.configuration.safari.extensions.settings",
  "Payload" : {
    "ManagedExtensions" : {
      "com.pushSecurity.browserExtension.Extension (TeamID)" : {
        "PrivateBrowsing" : "AlwaysOn",
        "State" : "AlwaysOn",
        "AllowedDomains" : [
          "*"
        ]
      }
    }
  }
}

The extension host application is installed on the target host via VPP successfully. I'm not seeing the declaration listed on the MDM profile in System Settings. I've verified that DDM is working in general on the same host by pushing a passcode settings configuration that does successfully show up on the MDM profile.

Fleet reports – and has reported for over 7 days – that it is still 'verifying' this config.

https://developer.apple.com/documentation/devicemanagement/declarativemanagementcommand
https://support.apple.com/guide/deployment/declarative-device-management-manage-apple-depc30268577/web

You enable declarative device management by sending a special device management command to a device. For two Apple devices—Mac, and iPad devices offering Shared iPad—there’s support for multiple users, and you can also assign declarations to the user channel. To enable declarative device management on both the device and the user channel, you need to send a command to each.

nonpunctual avatar Jun 30 '25 13:06 nonpunctual
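As an added illustration (not Fleet's code and not from any commenter above) of the gap the issue describes: a DDM declaration's Type encodes its domain (activation, asset, configuration, management) in the third dot-separated component, so a server that only accepts the configuration domain can be modelled by parsing the declaration and checking that component. The sample declarations, the `configuration`-only allow list and the `CheckDeclaration` helper are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Declaration is the common shape of a DDM declaration as posted in the issue:
// an Identifier, a Type and a type-specific Payload.
type Declaration struct {
	Identifier string                 `json:"Identifier"`
	Type       string                 `json:"Type"`
	Payload    map[string]interface{} `json:"Payload"`
}

// DDMDomain returns which of the four DDM domains a declaration Type belongs to.
// Apple encodes the domain as the component after "com.apple." in the Type string.
func DDMDomain(declType string) (string, error) {
	parts := strings.Split(declType, ".")
	if len(parts) < 3 || parts[0] != "com" || parts[1] != "apple" {
		return "", fmt.Errorf("malformed declaration type %q", declType)
	}
	switch parts[2] {
	case "activation", "asset", "configuration", "management":
		return parts[2], nil
	}
	return "", fmt.Errorf("unknown DDM domain %q in type %q", parts[2], declType)
}

// CheckDeclaration (hypothetical helper) parses a raw declaration and reports its domain and
// whether a server accepting only the listed domains would take it; err explains a malformed input.
func CheckDeclaration(raw []byte, supported map[string]bool) (domain string, accepted bool, err error) {
	var d Declaration
	if err := json.Unmarshal(raw, &d); err != nil {
		return "", false, fmt.Errorf("invalid JSON: %w", err)
	}
	if d.Identifier == "" || d.Type == "" || d.Payload == nil {
		return "", false, fmt.Errorf("declaration must have Identifier, Type and Payload")
	}
	domain, err = DDMDomain(d.Type)
	if err != nil {
		return "", false, err
	}
	return domain, supported[domain], nil
}

func main() {
	// Constructed samples: the Safari configuration from the issue (trimmed) and a hypothetical asset declaration.
	safari := []byte(`{"Identifier":"blah.blah.mac.safari-extensions-push","Type":"com.apple.configuration.safari.extensions.settings","Payload":{"ManagedExtensions":{}}}`)
	asset := []byte(`{"Identifier":"example.asset","Type":"com.apple.asset.data","Payload":{"Reference":{"DataURL":"https://example.invalid/a.json"}}}`)
	configOnly := map[string]bool{"configuration": true} // assumption: mirrors the "configuration only" support the issue describes
	for _, raw := range [][]byte{safari, asset} {
		domain, ok, err := CheckDeclaration(raw, configOnly)
		fmt.Printf("domain=%q accepted=%v err=%v\n", domain, ok, err)
	}
}
```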

Hey @noahtalerman - I've added a Gong snippet for customer-rosner

pintomi1989 avatar Jul 08 '25 15:07 pintomi1989

Moved the original issue description here:

Problem

DDM represents Apple's future direction for device management, offering significant performance, scalability, and flexibility. There are four domains of DDM: activations, assets, management, configuration.

Currently, Fleet only has support for some of the subdomains in the configuration scope and my organization would like to deploy others to leverage the more complex capabilities/logic of the DDM protocol.

What have you tried?

Try uploading a DDM payload that is unsupported, such as assets


Potential solutions

No potential solutions.

What is the expected workflow as a result of your proposal?

As an IT admin I expect to be able to deploy this payload type to my hosts.

noahtalerman avatar Aug 15 '25 16:08 noahtalerman