
What is MDM and DDM? Apple Device Management Explained


If you run a business on Apple devices and have started looking into how to manage them properly, you have probably come across the terms MDM and DDM. They sound similar, they are related, but they work in fundamentally different ways.

This guide starts from the beginning with no assumed knowledge and builds up to the real differences between the two, what they mean for your Apple fleet today, and where device management is heading.

What is MDM?

MDM stands for Mobile Device Management. Despite the name, it is not just for mobile phones. MDM is the technology that allows businesses to manage, configure and secure all their Apple devices including Macs, iPhones and iPads from a central platform.

Think of MDM as the control layer between your IT team and every device in your organisation. Without it, every device is essentially independent. With it, you can push settings, enforce security policies, install apps, wipe devices remotely and much more, all without touching the device physically.

MDM was introduced by Apple in 2010 and has become the standard approach to managing Apple fleets in business environments. Every major Apple device management platform, including Jamf, Kandji, FleetDM, Intune and others, is built on top of the Apple MDM framework.

How does MDM work?

When a device is enrolled in MDM, it establishes a persistent connection with your MDM server. The server can then send commands to the device, and the device reports back its status and compliance.

Here is a simplified version of how that works in practice:

Step 1: Enrolment. A device is enrolled in your MDM platform either during initial setup or manually. The most effective way to enrol devices at scale is through Apple Business Manager.

What is Apple Business Manager?

Apple Business Manager is a free web-based portal provided by Apple for organisations. It acts as the central hub that links your Apple devices to your MDM platform automatically.

When you purchase Apple devices through an authorised reseller or directly from Apple, those devices can be added to your Apple Business Manager account before they even leave the warehouse. The moment a new employee turns on their device for the first time, it automatically connects to your MDM platform and begins configuring itself with the right settings, apps and security policies.

This is called Zero Touch Deployment. The device arrives at the employee’s desk, they turn it on, and within minutes it is fully configured and compliant, without an IT engineer needing to touch it.

Apple Business Manager also manages Apple IDs for your organisation, app purchases through the Volume Purchase Programme, and content distribution across your fleet.

Once a device is enrolled through Apple Business Manager it trusts the MDM server to send it instructions and cannot easily be removed from management, which is important for security and compliance.

Step 2: Profiles and policies. Your IT team creates configuration profiles, which are sets of rules and settings, and pushes them to devices. These might include password requirements, firewall settings, Wi-Fi configurations, app restrictions and more.

Step 3: Commands. The MDM server can send commands to devices, such as "install this app", "update the OS", "lock the screen" or "wipe this device". The device receives the command and carries it out.

Step 4: Reporting. Devices regularly report back to the MDM server with their current state, including what OS version they are running, whether policies are applied and whether they are compliant. This gives IT teams visibility across the entire fleet.

What can MDM do?

MDM gives IT teams a significant amount of control over Apple devices. Common capabilities include:

  • Enforcing passcodes, screen lock and encryption
  • Pushing and removing applications silently without user interaction
  • Configuring Wi-Fi, VPN and email settings automatically
  • Restricting access to certain features or applications
  • Enforcing OS and security updates
  • Remotely locking or wiping lost or stolen devices
  • Monitoring device compliance against security policies
  • Automating onboarding so new starters receive a fully configured device from day one

For businesses working toward Cyber Essentials, ISO 27001 or similar frameworks, MDM is the primary tool for enforcing and evidencing the required controls across an Apple fleet.

The limitations of MDM

MDM is powerful but it has a fundamental architectural limitation in that it is command-based and server-dependent.

Every action in traditional MDM follows this pattern: the server sends a command, the device waits to receive it, the device executes it and reports back. This works well in most situations, but it creates some real-world problems.

Latency: If a device is offline or has a poor connection, commands queue up and are not executed until the device reconnects. A security policy change might not reach a remote worker’s device for hours.

Scalability: As fleets grow, the volume of commands the server needs to send and track grows with it. Large organisations can experience delays and performance issues at scale.

Reliability: If a command fails silently, the IT team may not know a policy is not applied until they actively check. Compliance drift can happen gradually without anyone noticing.

Complexity: Managing thousands of devices with overlapping profiles and commands can become difficult to audit and troubleshoot.

These are not dealbreakers. MDM has been the industry standard for over a decade and continues to work well for the majority of businesses. But they are the problems that Apple’s newer approach, DDM, was designed to solve.

What is DDM?

DDM stands for Declarative Device Management. Apple introduced it in 2021 as a fundamentally different approach to how devices are managed.

The key difference is this: with MDM, the server tells the device what to do. With DDM, the server tells the device what state it should be in, and the device figures out how to get there itself.

This might sound like a subtle difference but the implications are significant.

How does DDM work?

Instead of sending commands, DDM sends declarations. A declaration is a description of the desired state of the device, not an instruction but a definition.

For example, instead of sending a command that says “install this security profile now”, DDM sends a declaration that says “this device should always have this security profile applied.” The device receives the declaration, understands what it needs to look like, and autonomously works to achieve and maintain that state even when it is offline.

The device also monitors itself continuously. If something changes such as a setting drifting, a profile being removed or an OS update changing a configuration, the device detects the discrepancy and corrects it without waiting for the server to notice and send a new command.

This is the core of what makes DDM different: intelligence moves from the server to the device.
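The offline and drift behaviour described above can be seen in a small model. This is an added example, not code from the original article and not Apple's protocol: the `Device` and `CommandServer` classes, the setting names and the sample policy are all constructed for illustration.

```python
from dataclasses import dataclass, field
@dataclass
class Device:
    settings: dict = field(default_factory=dict)      # actual on-device state
    declarations: dict = field(default_factory=dict)  # desired state stored on the device
    online: bool = True

    def reconcile(self) -> list:
        """Declarative model: find drift against stored declarations and fix it locally."""
        drifted = [k for k, v in self.declarations.items() if self.settings.get(k) != v]
        for key in drifted:
            self.settings[key] = self.declarations[key]
        return drifted  # what a status report would list as corrected

class CommandServer:
    """Command model: the server queues commands; nothing changes until delivery."""
    def __init__(self):
        self.queue = []
    def send(self, key, value):
        self.queue.append((key, value))
    def deliver(self, device: Device) -> int:
        if not device.online:
            return 0  # commands stay queued while the device is unreachable
        delivered = len(self.queue)
        for key, value in self.queue:
            device.settings[key] = value
        self.queue.clear()
        return delivered

def run_scenario():
    """Apply the same events to both models; return compliance at each stage."""
    policy = {"firewall": "on", "screen_lock_minutes": 5}  # constructed sample policy
    cmd_dev, decl_dev, server = Device(), Device(), CommandServer()

    # Stage 1: both devices are online and brought into policy.
    for key, value in policy.items():
        server.send(key, value)
    server.deliver(cmd_dev)
    decl_dev.declarations = dict(policy)
    decl_dev.reconcile()

    # Stage 2: both go offline and the firewall setting drifts.
    for dev in (cmd_dev, decl_dev):
        dev.online = False
        dev.settings["firewall"] = "off"
    server.send("firewall", "on")   # corrective command is queued, not delivered
    server.deliver(cmd_dev)
    decl_dev.reconcile()            # corrected on the device, no server contact
    offline = (cmd_dev.settings == policy, decl_dev.settings == policy)

    # Stage 3: the command-managed device reconnects and the queue drains.
    cmd_dev.online = True
    server.deliver(cmd_dev)
    return offline, cmd_dev.settings == policy
```

Calling `run_scenario()` returns the compliance of the command-managed and declaration-managed devices while offline, followed by the command-managed device's compliance after it reconnects.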

MDM vs DDM: the key differences

| | MDM | DDM |
|---|---|---|
| How it works | Server sends commands to device | Server sends declarations, device self-manages |
| Offline behaviour | Commands queue until device reconnects | Device maintains desired state autonomously |
| Compliance | Server checks and enforces | Device self-monitors and self-corrects |
| Speed | Depends on server response | Near-instant, device acts independently |
| Scalability | Can struggle at large scale | Built for scale |
| Current status | Established standard | Current standard for updates, rapidly expanding across all workflows |

Do MDM and DDM replace each other?

No, and this is an important point. DDM does not replace MDM. It works alongside it.

Apple designed DDM as an extension of the existing MDM protocol. Devices that support DDM can use both simultaneously. MDM handles the commands and interactions that DDM does not yet cover, while DDM takes over the configuration and compliance management that it does better.

Think of it as MDM handling the conversations between server and device, and DDM handling the device’s own internal understanding of what it should look like.

The transition is already well underway. Apple deprecated legacy MDM software update commands in 2025 and will remove them entirely in 2026. DDM is no longer a future consideration for software updates; it is the current requirement. For other device management workflows, DDM adoption is expanding rapidly with each OS release.

Which platforms support DDM?

All major Apple MDM platforms now support DDM including Jamf Pro, Kandji, FleetDM and Microsoft Intune. Apple deprecated legacy MDM software update commands in 2025, meaning DDM is now the required method for managing software updates across all platforms, with full removal of legacy commands due in 2026.

To take advantage of DDM your devices need to be running recent versions of macOS, iOS and iPadOS. Older devices or older OS versions fall back to traditional MDM automatically, so there is no disruption during a transition.

What does this mean for your Apple fleet?

If you are setting up or reviewing your Apple fleet management today, here is the practical takeaway.

MDM is the foundation. You need it, it works and every reputable MDM platform supports it well. If you are not yet using MDM to manage your Apple devices, getting that in place is the first priority.

DDM is already the standard for software update management following Apple’s deprecation of legacy MDM update commands in 2025, and is rapidly becoming the standard for all other device management workflows too.

When evaluating MDM platforms, it is worth asking how deeply each platform has integrated DDM support, not just whether they support it, but how much of their compliance and configuration workflow runs through DDM declarations versus legacy MDM commands.

Summary

MDM has been the standard for Apple device management for over a decade. It gives IT teams centralised control over configuration, security and compliance across an entire fleet.

DDM is Apple’s next step, a smarter and more autonomous approach where devices understand what state they should be in and maintain it themselves, with or without a server connection.

For most UK businesses today, MDM is the foundation and DDM is the direction of travel. Getting MDM right now puts you in the best position to take advantage of DDM as it matures.

nDuo manages Apple fleets for UK scale-ups using both MDM and DDM, across Jamf Pro, FleetDM, Kandji and Intune. If you are reviewing your Apple device management setup, we offer a free consultation to assess your current environment and recommend the right approach.


Apple IT Support Checklist for UK Businesses


If your business relies on Macs, iPhones and iPads, good Apple IT support is not just about fixing issues when they happen.

It is about giving your team a reliable, secure and well-managed Apple environment that works properly every day.

For most businesses, problems start when Apple devices are treated as an exception. A few Macs get added over time, iPhones are configured differently across teams, and support becomes reactive. Devices work, but only until something breaks, a new joiner starts, or the business needs tighter security and compliance.

This checklist is designed to help UK businesses review whether their Apple environment is properly set up to support growth.

1. Do you have visibility across all Apple devices?

You should be able to answer basic questions quickly:

  • How many Macs, iPhones and iPads are in use?
  • Who is using each device?
  • Which devices are encrypted, compliant and up to date?
  • Which devices are missing apps, policies or security controls?

If you cannot answer those questions easily, your Apple estate is harder to support than it should be.

A strong Apple support setup starts with clear visibility across devices, users and configurations.

2. Is Apple Business Manager set up correctly?

Apple Business Manager should be part of the foundation of your Apple environment.

It helps you bring devices under business control from the start, assign them properly, and make enrolment more consistent for new hardware. Without it, device setup is often manual, slower and more prone to inconsistency.

If your business is growing, Apple Business Manager should not be an afterthought. It should be part of your onboarding and lifecycle process.

3. Are your devices enrolled in Apple MDM?

For most businesses, MDM is what turns Apple support from reactive to proactive.

Without MDM, your team is left managing devices one by one. That usually means:

  • inconsistent settings
  • slow onboarding
  • weak update control
  • limited security enforcement
  • poor visibility when issues occur

With the right MDM setup, you can standardise policies, deploy apps, manage settings, support users more efficiently and reduce repeat issues.

If your Apple devices are not properly enrolled and maintained, support becomes harder, slower and less secure.

4. Is device setup consistent for every new starter?

A new employee should not need a long manual setup every time they receive a Mac or iPhone.

A good Apple IT support process should make sure new users receive devices that are already prepared with:

  • the right apps
  • the right access
  • the right security settings
  • the right restrictions
  • the right support process from day one

If onboarding depends on tribal knowledge or last-minute manual work, it is worth fixing.

5. Do you have a clear joiner, mover and leaver process?

Apple support is not only about devices. It is also about users, access and change.

When people join, change roles or leave, you need a repeatable process for:

Weak lifecycle management creates unnecessary risk and makes support more difficult over time.

6. Are updates and patching under control?

Apple devices are generally straightforward to maintain, but only if patching is managed properly.

You should know:

  • whether devices are updating on time
  • which versions of macOS and iOS are in use
  • whether critical updates are being delayed
  • how exceptions are handled

If updates depend on end users remembering to do them, your environment will drift and support issues will build up over time.

7. Are security settings applied consistently?

Security should not vary from one device to another.

Your Apple environment should have a defined baseline covering areas such as:

  • FileVault and encryption
  • password and authentication settings
  • screen lock policies
  • app permissions
  • device restrictions
  • lost device procedures
  • access control

Consistency matters. The more variation you have across devices, the more support becomes reactive and the harder it is to maintain a secure environment.

8. Can users get help quickly when something goes wrong?

Even in a well-managed environment, users still need support.

The question is whether support is structured properly.

Think about:

  • how users request help
  • how quickly issues are triaged
  • whether Apple-specific issues are understood first time
  • whether recurring problems are identified and reduced
  • whether MDM, access and device issues are handled together

If support is slow, unclear or split across too many teams, productivity suffers.

9. Are you supporting mixed Apple and Windows environments properly?

Many UK businesses do not run Apple alone.

If your organisation uses both Apple and Windows, your support model needs to reflect that reality. Apple devices should not be treated as edge cases inside a Windows-first process.

The goal should be a support setup where Apple devices are managed properly, users get the same quality of experience, and security standards remain consistent across the business.

10. Are you reviewing and improving the environment regularly?

Good Apple IT support is not a one-off project.

Your setup should be reviewed regularly to identify:

  • support bottlenecks
  • repeat device issues
  • outdated policies
  • gaps in onboarding
  • compliance risks
  • opportunities to simplify management

The best Apple environments are maintained over time, not left untouched after the initial setup.

Signs your Apple IT support needs improvement

If any of the following sound familiar, your current setup may need attention:

  • Devices are configured differently across teams
  • New starters take too long to set up
  • Support tickets keep repeating
  • Apple devices are harder to manage than they should be
  • Security settings are inconsistent
  • Your team lacks visibility across the fleet
  • Apple support depends on one person internally
  • Your business has outgrown its original setup

Final checklist

Before you scale further, ask yourself:

  • Are our Apple devices fully visible and properly managed?
  • Is Apple Business Manager set up and being used correctly?
  • Is MDM supporting the environment properly?
  • Are onboarding and offboarding processes consistent?
  • Are updates, apps and policies under control?
  • Can users get fast, specialist support when needed?
  • Is our Apple environment secure, stable and easy to support?

If the answer to several of those questions is no, it is usually a sign that the business needs a more structured Apple support model.

Need help reviewing your Apple environment?

If you want a clearer picture of how well your current setup is working, explore our Apple IT Support service page to see how we help UK businesses support Macs, iPhones and iPads more effectively.

You can also review your wider device management approach through our Apple MDM services if MDM setup and maintenance is one of the gaps.
