Creating Declarative Device Management (DDM) Update Policy for Supervised iOS Devices in Microsoft Intune
Apple's Declarative Device Management (DDM) framework provides faster and more reliable iOS software update delivery than legacy MDM policies. Microsoft Intune supports DDM update policies for supervised iOS devices enrolled via Apple Business Manager or Apple School Manager. Configuration requires supervised device status, a compatible iOS version, and appropriate Intune admin permissions. This entry covers prerequisite verification, policy creation, assignment, and validation steps.
Indicators
- Organization requires faster, more reliable iOS update deployment beyond legacy MDM update policies
- iOS devices in Intune are not receiving software updates in a timely or consistent manner
- Need to enforce specific iOS version targets across managed supervised devices
- Legacy MDM update policies showing inconsistent deployment success rates
Likely causes
- Legacy MDM update policies lack the speed and reliability of Apple's DDM framework, resulting in inconsistent update delivery
- Absence of a DDM update policy configuration in Intune, leaving devices unmanaged for OS updates
- Devices not enrolled as supervised, preventing DDM policy applicability
- iOS version on target devices does not meet Apple's minimum DDM support requirements
Diagnostic steps
- Navigate to Intune portal: Devices > iOS/iPadOS > select target device > Overview. Confirm the 'Supervised' field shows 'Yes'. DDM update policies only apply to supervised iOS devices; unsupervised devices cannot receive DDM policies.
- Review device inventory in Intune portal: Devices > iOS/iPadOS > select device > Overview. Check iOS version meets Apple's minimum DDM support requirements. DDM requires a minimum iOS version; devices on older firmware cannot use DDM update policies.
- Navigate to Devices > Update policies for iOS/iPadOS. Review existing update policies to identify any legacy MDM update policies assigned to the same device groups. Identifies potential policy conflicts between legacy MDM update policies and the new DDM update policy.
- Verify Intune admin account has sufficient RBAC permissions by checking role assignments under Tenant administration > Roles. Confirm 'Update' or 'Create' permission for iOS/iPadOS update policies. Ensures the administrator can create and assign DDM update policies without permission errors.
- Navigate to Microsoft 365 Intune Center: Devices > Update policies for iOS/iPadOS. Confirm the DDM update policy (Declarative Device Management) option is available. Validates that the Intune tenant and portal version expose the DDM policy configuration option.
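The supervision, iOS version, and policy-conflict checks above can also be run in bulk against an exported inventory. This is an added example, not part of Intune or of the original entry: device fields follow Microsoft Graph managedDevice property names, while the policy export shape, the group and device names, and the MIN_DDM_VERSION value are assumptions.

```python
# Added example: offline pre-check before assigning a DDM update policy.
MIN_DDM_VERSION = "17.0"  # assumed placeholder; use Apple's documented minimum

def parse_version(text):
    """'17.10' -> (17, 10, 0); numeric so 17.10 sorts above 17.2."""
    parts = [int(p) for p in (text or "0").split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def ineligible_devices(devices, minimum=MIN_DDM_VERSION):
    """Return {deviceName: [reasons]} for iOS/iPadOS devices DDM cannot target."""
    findings = {}
    for dev in devices:
        if dev.get("operatingSystem") not in ("iOS", "iPadOS"):
            continue  # other platforms are out of scope for this policy type
        reasons = []
        if not dev.get("isSupervised"):
            reasons.append("not supervised")
        version = dev.get("osVersion")
        if parse_version(version) < parse_version(minimum):
            reasons.append(f"osVersion {version} below {minimum}")
        if reasons:
            findings[dev["deviceName"]] = reasons
    return findings

def conflicting_groups(policies):
    """Return groups assigned both a legacy MDM and a DDM update policy."""
    by_type = {"legacy": set(), "ddm": set()}
    for pol in policies:
        by_type[pol["type"]].update(pol["groups"])
    return sorted(by_type["legacy"] & by_type["ddm"])

# Constructed sample data (not from a real tenant).
DEVICES = [
    {"deviceName": "ipad-lab-01", "operatingSystem": "iPadOS",
     "osVersion": "17.10", "isSupervised": True},
    {"deviceName": "iphone-sales-02", "operatingSystem": "iOS",
     "osVersion": "16.7.2", "isSupervised": True},
    {"deviceName": "iphone-byod-03", "operatingSystem": "iOS",
     "osVersion": "17.2", "isSupervised": False},
    {"deviceName": "win-laptop-04", "operatingSystem": "Windows",
     "osVersion": "10.0.22631", "isSupervised": False},
]
POLICIES = [  # hypothetical export shape: name, type, assigned groups
    {"name": "Legacy iOS updates", "type": "legacy", "groups": ["Pilot-iPhones", "Kiosks"]},
    {"name": "DDM iOS updates", "type": "ddm", "groups": ["Pilot-iPhones"]},
]

if __name__ == "__main__":
    print(ineligible_devices(DEVICES))
    print(conflicting_groups(POLICIES))
```

Devices with a missing osVersion are reported as below the minimum rather than silently passed, so incomplete inventory records surface in the findings.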
Resolution path
- Sign in to the Microsoft 365 Intune Center (intune.microsoft.com) with an account that has Intune administrator privileges.
- Navigate to Devices > Update policies for iOS/iPadOS and select the option to create a new DDM update policy (Declarative Device Management update policy).
- Configure the DDM update policy settings: specify target iOS version, update scheduling window (time of day, days of week), and any deferral settings appropriate for your organization.
- Assign the DDM update policy to the appropriate Azure AD device or user groups containing the supervised iOS devices that should receive the policy.
- Save and deploy the policy.
- Monitor deployment status under the policy's assignment status to confirm devices receive and apply the DDM update configuration.
Prevention
- Ensure all iOS devices are enrolled as supervised via Apple Business Manager or Apple School Manager from initial deployment, so DDM update policies can be applied immediately without re-enrollment.
- Regularly audit Intune update policy assignments to ensure DDM policies are assigned to all supervised iOS device groups and no conflicting legacy update policies exist for the same devices.
- Maintain a staged rollout approach for DDM update policies by assigning to a pilot group first, verifying update success, then expanding to broader device groups to prevent widespread issues.
- Document minimum iOS version requirements for DDM support and monitor device inventory for devices requiring firmware upgrades before policy assignment.
Tools
- Microsoft Intune portal / Microsoft 365 Intune Center (intune.microsoft.com) — primary management console for creating and assigning DDM update policies
- Apple Business Manager or Apple School Manager — required for supervised device enrollment
- Azure Active Directory — for device/user group assignment of policies