I've submitted a similar ticket to the Center for Internet Security (CIS) for the macOS 14 Sonoma Benchmark, but this should probably be added directly into mSCP as well for organizations that do not pick CIS for their baselines. When building guidance, the documentation that is generated should include verbiage regarding Declarative Device Management: what it is, and how it may affect the organization's ability to use mSCP to audit and/or remediate particular rules within the project.
Written below is a draft that can be used to start a supplemental section for DDM.
Declarative Device Management Supplemental
Apple first announced Declarative Device Management at WWDC 2021 and has since confirmed that future management capabilities will specifically focus on the declarative management feature set.
Per Apple, "Declarative Device Management is an update to the existing protocol for device management that can be used in combination with the existing MDM protocol capabilities. It allows the device to asynchronously apply settings and report status back to the MDM solution without constant polling."
Organizations must ensure that their MDM solution supports this feature to utilize Declarative Device Management. Organizations interested in leveraging Declarative Device Management (DDM) must become familiar with its capabilities and how it will interact with other tools.
A feature of Declarative Device Management is the ability to deploy "Legacy Declarative Configurations." You can use this configuration to download and install profiles with payloads unavailable as declarative configurations. In addition, Declarative Device Management now supports managing already installed MDM profiles without needing to remove them. An MDM server must send and activate a configuration containing the same profile as one already installed by MDM. The Declarative Device Management system will then take over the management of that profile without reinstalling or updating it. At that point, Declarative Device Management owns the profile. Using Legacy Declarative Configurations will result in the configuration data being written out to PLIST files, the same as a configuration profile. With Declarative Management taking over a configuration profile with Legacy Declarative Configurations, MDM will not be able to make changes to it.
When implementing Declarative Device Management, MDM servers will write configuration data into an encrypted data container inaccessible to the device. The current state of a device's Declarative configuration and emitted status items will only be accessible by the MDM. Monitoring and auditing of the settings should be done on the local system against the state of the device.
Only the MDM solution can subscribe to the declarative status channel and reports of devices to be aware of the state of the configurations applied to the system. As a result, security and auditing solutions may have to query the MDM server directly for the state of configurations and compliance instead of scanning the local macOS system for this information. Because Configuration Profiles and Declarative Configurations may live side by side while Declarative Device Management becomes more widely adopted, organizations must decide which is best for the business and be mindful when utilizing both management features.
For macOS 14.0 Sonoma, implementing certain Declarative Configurations may affect the ability to perform auditing or remediation outlined within this benchmark. Organizations may be required to defer to their MDM solution for audit and validation.
Using Declarative Configuration Services: Utilizing this allows for managing System Integrity Protected (SIP) Services, including sshd, sudo, PAM, CUPS, Apache httpd, bash, and z-shell.
Affects (as labeled in Ventura Benchmark): CIS 2.3.3.4, CIS 2.3.3.5, CIS 4.2, CIS 5.4
Passcode/Password Policies.
Affects the entire 5.2 Password Management section (as labeled in Ventura Benchmark).
Supportive Links:
Apple Platform Deployment: https://support.apple.com/guide/deployment/welcome/web
Meet Declarative Device Management (WWDC21): https://developer.apple.com/wwdc21/10131
Review declarative configurations for Apple devices: https://support.apple.com/guide/deployment/review-declarative-configurations-depf858becef/web
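The post's point that auditing tools may have to ask the MDM, not the Mac, once DDM owns a setting is easiest to see in code. The following is an added example, not code from the post or from the mSCP project: it builds a small declaration set (a passcode-settings configuration for the 5.2 password rules, a legacy declarative configuration that takes over an already-installed profile, and the activation that applies both), produces the declaration-items manifest the device pulls, and then evaluates a status report of the kind a device posts to the MDM's status channel. Declaration types and status key names follow Apple's published DDM schema as I understand it; the MDM host, the org.example identifiers, and the status report are all assumed or constructed for the example.

```python
"""Added example (not from the post or from mSCP): server-side DDM audit.
Builds a declaration set and the declaration-items manifest, then judges a
constructed device status report instead of scanning the Mac locally.
Key names follow Apple's DDM schema as I know it; the host, identifiers
and status values are assumed/constructed."""
import hashlib
import json

MDM_HOST = "https://mdm.example.com"  # assumed: hypothetical MDM server


def server_token(dtype, payload):
    """ServerToken must change whenever the declaration content changes,
    because the device only re-fetches a declaration when its token moves."""
    canon = json.dumps({"Type": dtype, "Payload": payload},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def declaration(dtype, identifier, payload):
    return {"Type": dtype, "Identifier": identifier,
            "ServerToken": server_token(dtype, payload), "Payload": payload}


def build_declarations(min_length=15):
    """Passcode policy + legacy profile takeover, applied by one activation."""
    passcode = declaration(
        "com.apple.configuration.passcode.settings", "org.example.passcode",
        {"RequirePasscode": True, "MinimumLength": min_length,
         "RequireAlphanumericPasscode": True, "MaximumFailedAttempts": 10,
         "MaximumPasscodeAgeInDays": 365, "PasscodeReuseLimit": 15})
    # Legacy declarative configuration: the profile at ProfileURL carries the
    # same profile identifier already installed through the MDM profile
    # channel, so DDM takes the installed profile over instead of reinstalling.
    legacy = declaration(
        "com.apple.configuration.legacy", "org.example.legacy.firewall",
        {"ProfileURL": MDM_HOST + "/profiles/org.example.firewall.mobileconfig"})
    activation = declaration(
        "com.apple.activation.simple", "org.example.activation.baseline",
        {"StandardConfigurations": [passcode["Identifier"], legacy["Identifier"]]})
    return {"Activations": [activation], "Configurations": [passcode, legacy],
            "Assets": [], "Management": []}


def declaration_items(decls):
    """Manifest served at the declaration-items endpoint: identifiers and
    tokens only; the device fetches each payload separately by identifier."""
    manifest = {k: [{"Identifier": d["Identifier"], "ServerToken": d["ServerToken"]}
                    for d in v] for k, v in decls.items()}
    joined = "".join(sorted(i["ServerToken"] for v in manifest.values() for i in v))
    return {"Declarations": manifest,
            "DeclarationsToken": hashlib.sha256(joined.encode()).hexdigest()[:16]}


def sample_status(decls, legacy_ok=False):
    """Constructed status report in the shape of the management.declarations
    and passcode StatusItems; tokens are copied from decls so they match."""
    tok = {d["Identifier"]: d["ServerToken"] for d in decls["Configurations"]}
    cfgs = [{"identifier": "org.example.passcode", "active": True,
             "valid": "valid", "server-token": tok["org.example.passcode"]},
            {"identifier": "org.example.legacy.firewall", "active": legacy_ok,
             "valid": "valid" if legacy_ok else "invalid",
             "server-token": tok["org.example.legacy.firewall"],
             "reasons": [] if legacy_ok else
             [{"description": "constructed: profile install failed"}]}]
    return {"StatusItems": {
        "management": {"declarations": {"configurations": cfgs}},
        "passcode": {"is-present": True, "is-compliant": True}}}


def audit(decls, status):
    """One verdict per pushed configuration. 'enforced' requires the device
    to report it active, valid and carrying the server's current token;
    anything else means the MDM cannot vouch for the setting."""
    want = {d["Identifier"]: d["ServerToken"] for d in decls["Configurations"]}
    seen = {c["identifier"]: c for c in
            status["StatusItems"]["management"]["declarations"]["configurations"]}
    verdict = {}
    for ident, token in want.items():
        c = seen.get(ident)
        if c is None:
            verdict[ident] = "not reported"
        elif c.get("server-token") != token:
            verdict[ident] = "stale"  # device still on an older declaration
        elif c.get("active") and c.get("valid") == "valid":
            verdict[ident] = "enforced"
        else:
            why = "; ".join(r.get("description", "?") for r in c.get("reasons", []))
            verdict[ident] = "failed: " + why
    return verdict


if __name__ == "__main__":
    d = build_declarations()
    print(json.dumps(declaration_items(d), indent=2))
    print(audit(d, sample_status(d)))
```

The stale check matters in practice: a device that has not yet fetched an updated declaration still reports the old token, so a compliance check that only looks at `active`/`valid` would mark an out-of-date password policy as passing.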