What is MDM and DDM? Apple Device Management Explained


If you run a business on Apple devices and have started looking into how to manage them properly, you have probably come across the terms MDM and DDM. They sound similar, they are related, but they work in fundamentally different ways.

This guide starts from the beginning with no assumed knowledge and builds up to the real differences between the two, what they mean for your Apple fleet today, and where device management is heading.

What is MDM?

MDM stands for Mobile Device Management. Despite the name, it is not just for mobile phones. MDM is the technology that allows businesses to manage, configure and secure all their Apple devices, including Macs, iPhones and iPads, from a central platform.

Think of MDM as the control layer between your IT team and every device in your organisation. Without it, every device is essentially independent. With it, you can push settings, enforce security policies, install apps, wipe devices remotely and much more, all without touching the device physically.

MDM was introduced by Apple in 2010 and has become the standard approach to managing Apple fleets in business environments. Every major Apple device management platform, including Jamf, Kandji, FleetDM, Intune and others, is built on top of the Apple MDM Framework.

How does MDM work?

When a device is enrolled in MDM, it establishes a persistent connection with your MDM server. The server can then send commands to the device, and the device reports back its status and compliance.

Here is a simplified version of how that works in practice:

Step 1: Enrolment

A device is enrolled in your MDM platform either during initial setup or manually. The most effective way to enrol devices at scale is through Apple Business Manager.

What is Apple Business Manager?

Apple Business Manager is a free web-based portal provided by Apple for organisations. It acts as the central hub that links your Apple devices to your MDM platform automatically.

When you purchase Apple devices through an authorised reseller or directly from Apple, those devices can be added to your Apple Business Manager account before they even leave the warehouse. The moment a new employee turns on their device for the first time, it automatically connects to your MDM platform and begins configuring itself with the right settings, apps and security policies.

This is called Zero Touch Deployment. The device arrives at the employee’s desk, they turn it on, and within minutes it is fully configured and compliant, without an IT engineer needing to touch it.

Apple Business Manager also manages Apple IDs for your organisation, app purchases through the Volume Purchase Programme, and content distribution across your fleet.

Once a device is enrolled through Apple Business Manager it trusts the MDM server to send it instructions and cannot easily be removed from management, which is important for security and compliance.

Step 2: Profiles and policies

Your IT team creates configuration profiles, which are sets of rules and settings, and pushes them to devices. These might include password requirements, firewall settings, Wi-Fi configurations, app restrictions and more.

Step 3: Commands

The MDM server can send commands to devices such as “install this app”, “update the OS”, “lock the screen” or “wipe this device”. The device receives the command and carries it out.

Step 4: Reporting

Devices regularly report back to the MDM server with their current state, including what OS version they are running, whether policies are applied and whether they are compliant. This gives IT teams visibility across the entire fleet.
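To make steps 2 to 4 concrete, here is a small Python script added for this guide (it is not code from the article and not any MDM vendor's implementation). It builds the three artefacts that actually move between server and device: a configuration profile enforcing a passcode policy, the InstallProfile and DeviceInformation commands that carry it and ask for a status report, and a parser for the plist the device posts back. The key names follow Apple's published MDM protocol and profile format as the example's author understands them; the identifier com.example.passcode, the UDID and the three sample device responses are constructed, and the HTTPS transport and push notification that deliver commands in a real deployment are left out.

```python
"""MDM command/response exchange built with plistlib (added example, constructed data)."""
import plistlib
import uuid

# Assumed identifier for the example profile; a real deployment uses its own reverse-DNS name.
PROFILE_IDENTIFIER = "com.example.passcode"


def build_passcode_profile(min_length: int) -> bytes:
    """Step 2: a configuration profile carrying one passcode-policy payload (XML plist bytes)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_IDENTIFIER,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "PayloadContent": [{
            "PayloadType": "com.apple.mobiledevice.passwordpolicy",
            "PayloadVersion": 1,
            "PayloadIdentifier": PROFILE_IDENTIFIER + ".passcode",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "forcePIN": True,            # a passcode is mandatory
            "minLength": min_length,     # minimum passcode length
            "maxPINAgeInDays": 90,       # rotate at least every 90 days
        }],
    }
    return plistlib.dumps(profile)


def build_install_profile_command(profile: bytes) -> dict:
    """Step 3: the InstallProfile command; the profile travels inside it as a <data> blob."""
    return {
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {"RequestType": "InstallProfile", "Payload": profile},
    }


def build_device_information_command(queries: list) -> dict:
    """Step 4: ask the device to report selected attributes on its next check-in."""
    return {
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {"RequestType": "DeviceInformation", "Queries": list(queries)},
    }


def profile_from_command(command: dict) -> dict:
    """Decode the embedded profile again, e.g. for auditing what was sent."""
    return plistlib.loads(command["Command"]["Payload"])


def parse_device_response(raw: bytes) -> dict:
    """Turn the plist a device posts back into a flat summary for the reporting view.
    'Acknowledged' is the only status that means the command succeeded."""
    resp = plistlib.loads(raw)
    status = resp.get("Status")
    summary = {"command_uuid": resp.get("CommandUUID"), "status": status,
               "ok": status == "Acknowledged"}
    if status == "Error":
        summary["errors"] = [e.get("LocalizedDescription", "") for e in resp.get("ErrorChain", [])]
    if "QueryResponses" in resp:
        summary["queries"] = dict(resp["QueryResponses"])
    return summary


# Constructed sample responses, as a device would post them back to the server.
SAMPLE_ACK = plistlib.dumps({"Status": "Acknowledged", "UDID": "EXAMPLE-UDID", "CommandUUID": "CMD-1"})
SAMPLE_ERROR = plistlib.dumps({"Status": "Error", "UDID": "EXAMPLE-UDID", "CommandUUID": "CMD-2",
                               "ErrorChain": [{"ErrorCode": 4001,
                                               "LocalizedDescription": "Profile installation failed"}]})
SAMPLE_QUERY = plistlib.dumps({"Status": "Acknowledged", "UDID": "EXAMPLE-UDID", "CommandUUID": "CMD-3",
                               "QueryResponses": {"OSVersion": "15.3", "DeviceName": "Example Mac"}})

if __name__ == "__main__":
    cmd = build_install_profile_command(build_passcode_profile(8))
    print(plistlib.dumps(cmd).decode())            # what the server would queue for the device
    for raw in (SAMPLE_ACK, SAMPLE_ERROR, SAMPLE_QUERY):
        print(parse_device_response(raw))
```

The point worth noticing in the parser is that a failed InstallProfile comes back as a normal response with Status "Error" rather than as a transport failure, which is exactly the "fails silently unless someone checks" problem the next section describes.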

What can MDM do?

MDM gives IT teams a significant amount of control over Apple devices. Common capabilities include:

  • Enforcing passcodes, screen lock and encryption
  • Pushing and removing applications silently without user interaction
  • Configuring Wi-Fi, VPN and email settings automatically
  • Restricting access to certain features or applications
  • Enforcing OS and security updates
  • Remotely locking or wiping lost or stolen devices
  • Monitoring device compliance against security policies
  • Automating onboarding so new starters receive a fully configured device from day one

For businesses working toward Cyber Essentials, ISO 27001 or similar frameworks, MDM is the primary tool for enforcing and evidencing the required controls across an Apple fleet.

The limitations of MDM

MDM is powerful, but it has a fundamental architectural limitation: it is command-based and server-dependent.

Every action in traditional MDM follows this pattern: the server sends a command, the device waits to receive it, the device executes it and reports back. This works well in most situations, but it creates some real-world problems.

Latency: If a device is offline or has a poor connection, commands queue up and are not executed until the device reconnects. A security policy change might not reach a remote worker’s device for hours.

Scalability: As fleets grow, the volume of commands the server needs to send and track grows with it. Large organisations can experience delays and performance issues at scale.

Reliability: If a command fails silently, the IT team may not know a policy is not applied until they actively check. Compliance drift can happen gradually without anyone noticing.

Complexity: Managing thousands of devices with overlapping profiles and commands can become difficult to audit and troubleshoot.

These are not dealbreakers. MDM has been the industry standard for over a decade and continues to work well for the majority of businesses. But they are the problems that Apple’s newer approach, DDM, was designed to solve.

What is DDM?

DDM stands for Declarative Device Management. Apple introduced it in 2021 as a fundamentally different approach to how devices are managed.

The key difference is this: with MDM, the server tells the device what to do. With DDM, the server tells the device what state it should be in, and the device figures out how to get there itself.

This might sound like a subtle difference but the implications are significant.

How does DDM work?

Instead of sending commands, DDM sends declarations. A declaration is a description of the desired state of the device, not an instruction but a definition.

For example, instead of sending a command that says “install this security profile now”, DDM sends a declaration that says “this device should always have this security profile applied.” The device receives the declaration, understands what it needs to look like, and autonomously works to achieve and maintain that state even when it is offline.

The device also monitors itself continuously. If something changes such as a setting drifting, a profile being removed or an OS update changing a configuration, the device detects the discrepancy and corrects it without waiting for the server to notice and send a new command.

This is the core of what makes DDM different: intelligence moves from the server to the device.

MDM vs DDM: the key differences

                  | MDM                                    | DDM
------------------|----------------------------------------|---------------------------------------------------------------------
How it works      | Server sends commands to device        | Server sends declarations, device self-manages
Offline behaviour | Commands queue until device reconnects | Device maintains desired state autonomously
Compliance        | Server checks and enforces             | Device self-monitors and self-corrects
Speed             | Depends on server response             | Near-instant, device acts independently
Scalability       | Can struggle at large scale            | Built for scale
Current status    | Established standard                   | Current standard for updates, rapidly expanding across all workflows
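The rows above and the passcode example in "How does DDM work?" can be played through in code. The Python model below is added for this guide; it is not Apple's implementation and not any vendor's, and it deliberately ignores transport, signing and push notifications. It keeps one Device with its actual settings, a command queue for the MDM style and a set of accepted declarations for the DDM style, then runs the same scenario both ways: the device is offline when policy arrives, and later something lowers the minimum passcode length again. The declaration layout (Type, Identifier, ServerToken, Payload) mirrors Apple's published declaration format as the example's author understands it and should be checked against Apple's documentation; the Identifier and the drift itself are constructed.

```python
"""Toy model: imperative MDM commands versus DDM declarations the device enforces itself.
Added example with constructed data; not Apple's or any MDM vendor's code."""
from dataclasses import dataclass, field


@dataclass
class Device:
    online: bool = True
    settings: dict = field(default_factory=dict)         # what is actually configured
    queued_commands: list = field(default_factory=list)  # MDM: waiting for reconnect
    declarations: dict = field(default_factory=dict)     # DDM: accepted desired state


# ---------- MDM: the server drives every change ----------
def mdm_push(device: Device, command: dict) -> bool:
    """Server sends a command. Returns True only if the device applied it right away."""
    device.queued_commands.append(command)
    if device.online:
        mdm_flush(device)
        return True
    return False  # queued; nothing happens until the device reconnects


def mdm_flush(device: Device) -> None:
    """Device drains its command queue (runs when it comes back online)."""
    while device.queued_commands:
        cmd = device.queued_commands.pop(0)
        if cmd["RequestType"] == "Settings":
            device.settings.update(cmd["Settings"])


def mdm_server_check(device: Device, expected: dict):
    """Drift is found only when the server asks and the device can answer.
    Returns True/False for compliant/non-compliant, None when the device is unreachable."""
    if not device.online:
        return None  # server is blind while the device is offline
    return all(device.settings.get(k) == v for k, v in expected.items())


# ---------- DDM: the device owns the desired state ----------
def ddm_declare(device: Device, declaration: dict) -> bool:
    """Server delivers a declaration; the device stores it and reconciles immediately.
    A changed ServerToken marks a new revision of the same declaration."""
    if not device.online:
        return False  # delivery still needs connectivity, as with any protocol
    ident = declaration["Identifier"]
    current = device.declarations.get(ident)
    if current is None or current["ServerToken"] != declaration["ServerToken"]:
        device.declarations[ident] = declaration
    ddm_reconcile(device)
    return True


def ddm_reconcile(device: Device) -> list:
    """Runs on the device, online or not: compares actual settings with every active
    declaration and repairs any drift. Returns the keys it had to correct."""
    corrected = []
    for decl in device.declarations.values():
        for key, desired in decl["Payload"].items():
            if device.settings.get(key) != desired:
                device.settings[key] = desired
                corrected.append(key)
    return corrected


# Constructed sample declaration; Identifier is a placeholder, Type/keys follow Apple's layout.
PASSCODE_DECLARATION = {
    "Type": "com.apple.configuration.passcode.settings",
    "Identifier": "example.passcode.baseline",
    "ServerToken": "rev-1",
    "Payload": {"MinimumLength": 8, "RequireAlphanumericPasscode": True},
}


def scenario_mdm() -> tuple:
    """Offline device, then drift, under command-based MDM."""
    dev = Device(online=False, settings={"MinimumLength": 4})
    applied_now = mdm_push(dev, {"RequestType": "Settings",
                                 "Settings": PASSCODE_DECLARATION["Payload"]})
    dev.online = True
    mdm_flush(dev)                                  # the queued command finally lands
    after_reconnect = dev.settings["MinimumLength"]
    dev.settings["MinimumLength"] = 4               # something lowers it again
    dev.online = False
    noticed = mdm_server_check(dev, PASSCODE_DECLARATION["Payload"])
    return applied_now, after_reconnect, noticed, dev.settings["MinimumLength"]


def scenario_ddm() -> tuple:
    """Same drift under DDM: the device repairs itself with no server involved."""
    dev = Device(online=True, settings={"MinimumLength": 4})
    ddm_declare(dev, PASSCODE_DECLARATION)
    dev.online = False
    dev.settings["MinimumLength"] = 4               # same drift, now while offline
    corrected = ddm_reconcile(dev)                  # the device's own periodic check
    return corrected, dev.settings["MinimumLength"]


if __name__ == "__main__":
    print("MDM:", scenario_mdm())   # (False, 8, None, 4)
    print("DDM:", scenario_ddm())   # (['MinimumLength'], 8)
```

The MDM run shows the three weaknesses from the earlier list in one line of output: the policy is not applied while the device is offline, the server learns nothing about the later drift because it cannot reach the device, and the wrong value stays in place. The DDM run ends with the declared value restored and a record of what was corrected, which is the "device self-monitors and self-corrects" row of the table.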

Do MDM and DDM replace each other?

No, and this is an important point. DDM does not replace MDM. It works alongside it.

Apple designed DDM as an extension of the existing MDM protocol. Devices that support DDM can use both simultaneously. MDM handles the commands and interactions that DDM does not yet cover, while DDM takes over the configuration and compliance management that it does better.

Think of it as MDM handling the conversations between server and device, and DDM handling the device’s own internal understanding of what it should look like.

The transition is already well underway. Apple deprecated legacy MDM software update commands in 2025 and will remove them entirely in 2026. DDM is no longer a future consideration for software updates: it is the current requirement. For other device management workflows, DDM adoption is expanding rapidly with each OS release.

Which platforms support DDM?

All major Apple MDM platforms now support DDM including Jamf Pro, Kandji, FleetDM and Microsoft Intune. Apple deprecated legacy MDM software update commands in 2025, meaning DDM is now the required method for managing software updates across all platforms, with full removal of legacy commands due in 2026.

To take advantage of DDM your devices need to be running recent versions of macOS, iOS and iPadOS. Older devices or older OS versions fall back to traditional MDM automatically, so there is no disruption during a transition.

What does this mean for your Apple fleet?

If you are setting up or reviewing your Apple fleet management today, here is the practical takeaway.

MDM is the foundation. You need it, it works and every reputable MDM platform supports it well. If you are not yet using MDM to manage your Apple devices, getting that in place is the first priority.

DDM is already the standard for software update management following Apple’s deprecation of legacy MDM update commands in 2025, and is rapidly becoming the standard for all other device management workflows too.

When evaluating MDM platforms, it is worth asking how deeply each platform has integrated DDM support, not just whether they support it, but how much of their compliance and configuration workflow runs through DDM declarations versus legacy MDM commands.

Summary

MDM has been the standard for Apple device management for over a decade. It gives IT teams centralised control over configuration, security and compliance across an entire fleet.

DDM is Apple’s next step, a smarter and more autonomous approach where devices understand what state they should be in and maintain it themselves, with or without a server connection.

For most UK businesses today, MDM is the foundation and DDM is the direction of travel. Getting MDM right now puts you in the best position to take advantage of DDM as it matures.

nDuo manages Apple fleets for UK scale-ups using both MDM and DDM, across Jamf Pro, FleetDM, Kandji and Intune. If you are reviewing your Apple device management setup, we offer a free consultation to assess your current environment and recommend the right approach.
