{"id":1685,"date":"2026-06-14T17:14:17","date_gmt":"2026-06-14T15:14:17","guid":{"rendered":"https:\/\/macadmin.cz\/?p=1685"},"modified":"2026-06-15T16:11:36","modified_gmt":"2026-06-15T14:11:36","slug":"state-of-network-ddm-configurations-in-apple-os-release-27","status":"publish","type":"post","link":"https:\/\/macadmin.cz\/?p=1685&lang=en","title":{"rendered":"State of network DDM configurations in Apple OS release 27"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In the <a href=\"https:\/\/developer.apple.com\/videos\/play\/wwdc2026\/206\">What\u2019s new in managing Apple devices WWDC 2026<\/a> video, the presenter emphasizes that Declarative Device Management is no longer <strong>the future<\/strong> of Apple Device Management but <strong>the standard<\/strong> of Apple Device Management. Let&#8217;s look at the Declarative Device Management (DDM) changes in Apple OS release 27 to see how this claim fares in reality.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">One blog post covering all configuration areas would be too long, so let&#8217;s scope it down and focus just on network-related config. Two reasons: first, I like network config. Second, in Apple OS release 27, network-related declarative configurations are being <a href=\"https:\/\/support.apple.com\/guide\/deployment\/device-management-updates-depd638aa061\/1\/web\/1.0\">expanded quite a lot<\/a>.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h1 class=\"wp-block-heading\">VPN configurations<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">The VPN configuration profile payload <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/vpn\"><code>com.apple.vpn.managed<\/code><\/a> is probably the most complex payload of them all. It allows admins to configure one of several VPN types and additional network settings related to VPN (DNS, proxy, always-on, etc.).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s take a look at how Apple handles VPN in declarative configuration. 
There is no longer a single VPN configuration object with several VPN subtypes. Instead, each VPN type has its own configuration object:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>network.vpn.ikev2<\/code> &#8211; Built-in VPN client for generic IKEv2 IPSec VPN<\/li>\n\n\n\n<li><code>network.vpn.always-on<\/code> &#8211; IKEv2 in always-on mode<\/li>\n\n\n\n<li><code>network.vpn.ipsec<\/code> &#8211; Built-in VPN client for (Cisco) IKEv1 IPSec VPN with XAuth support<\/li>\n\n\n\n<li><code>network.vpn.vpn-plugin<\/code> &#8211; VPN functionality facilitated via 3rd party vendor client<\/li>\n\n\n\n<li><code>network.relay<\/code> &#8211; special type of proxy that can be used for remote access and privacy solutions<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">IKEv2 IPSec<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let&#8217;s take a deeper look at <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/networkvpnikev2\"><code>network.vpn.ikev2<\/code><\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Simple configuration example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>{\n    \"Type\": \"com.apple.configuration.network.vpn.ikev2\",\n    \"Identifier\": \"EB13EE2B-5D63-4EBA-810F-5B81D07F5017\",\n    \"ServerToken\": \"E180CA9A-F089-4FA3-BBDF-94CC159C4AE8\",\n    \"Payload\": {\n        \"VisibleName\": \"Corporate IKEv2 VPN\",\n        \"HostName\": \"vpn.example.com\",\n        \"LocalIdentifier\": \"device@example.com\",\n        \"RemoteIdentifier\": \"vpn.example.com\",\n        \"Authentication\": {\n            \"Method\": \"SharedSecret\",\n            \"CredentialsAssetReference\": \"64BF8F5C-8CFD-40AA-9082-A0B594D4E100\"\n        }\n    }\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In DDM there are no secrets embedded in the configuration. Instead there are references to asset objects.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Apple has done a nice clean up in the configuration structure. 
The following objects in the declarative configuration aggregate several keys previously found in the profile payload&#8217;s <code>VPN.IKEv2<\/code> object. Some of the nested configuration keys have been renamed (previous names in parentheses):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Authentication<\/code>:\n<ul class=\"wp-block-list\">\n<li>CredentialsAssetReference (Password)<\/li>\n\n\n\n<li><code>ExtendedAuth<\/code>\n<ul class=\"wp-block-list\">\n<li>CredentialsAssetReference (AuthName and AuthPassword)<\/li>\n\n\n\n<li>Enabled (ExtendedAuthEnabled)<\/li>\n\n\n\n<li>ServerCertificateCommonName (ServerCertificateCommonName)<\/li>\n\n\n\n<li>ServerCertificateIssuerCommonName (ServerCertificateIssuerCommonName)<\/li>\n\n\n\n<li>TLSMaximumVersion (TLSMaximumVersion)<\/li>\n\n\n\n<li>TLSMinimumVersion (TLSMinimumVersion)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>IdentityAssetReference (PayloadCertificateUUID)<\/li>\n\n\n\n<li>IdentityCertificateType (CertificateType)<\/li>\n\n\n\n<li>Method (AuthenticationMethod)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>Idle<\/code>:\n<ul class=\"wp-block-list\">\n<li>DeadPeerDetectionRate<\/li>\n\n\n\n<li>Disconnect (DisconnectOnIdle)<\/li>\n\n\n\n<li>Timer (DisconnectOnIdleTimer)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>NetworkRouting<\/code>:\n<ul class=\"wp-block-list\">\n<li>EnforceRoutes<\/li>\n\n\n\n<li>ExcludeAPNs<\/li>\n\n\n\n<li>ExcludeCellularServices<\/li>\n\n\n\n<li>ExcludeDeviceCommunication<\/li>\n\n\n\n<li>ExcludeLocalNetworks<\/li>\n\n\n\n<li>IncludeAllNetworks<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>OnDemand<\/code>:\n<ul class=\"wp-block-list\">\n<li>Enabled (OnDemandEnabled)<\/li>\n\n\n\n<li>DisableUserOverride (OnDemandUserOverrideDisabled)<\/li>\n\n\n\n<li>Rules (OnDemandRules)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><code>PostQuantumKeyExchange<\/code>:\n<ul class=\"wp-block-list\">\n<li>AllowFallback (AllowPostQuantumKeyExchangeFallback)<\/li>\n\n\n\n<li>PPK<\/li>\n\n\n\n<li>PPKIdentifier<\/li>\n\n\n\n<li>PPKMandatory<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p 
class=\"wp-block-paragraph\"><code>VisibleName<\/code> was renamed from the <code>UserDefinedName<\/code> key previously found in the VPN object.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>VPN.DNS<\/code> object is now a <code>VPN<\/code> object with some of its child keys renamed (previous names in parentheses):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IdentityAssetReference (PayloadCertificateUUID)<\/li>\n\n\n\n<li>Protocol (DNSProtocol)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The <code>VPN.Proxies<\/code> object exists as the <code>Proxies<\/code> object.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There appear to be no changes in functionality, but the configuration structure and naming are much better. Apple had a rare opportunity to streamline a configuration that had been built up in layers over the last 15 years.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Other VPN types<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><code><a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/networkvpnipsec\">network.vpn.ipsec<\/a><\/code> has been restructured in a way similar to <code>network.vpn.ikev2<\/code>. 
For example, all the XAuth keys previously present in <code><a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/vpn\/ipsec-data.dictionary\">VPN.IPSec<\/a><\/code> now live in a nested object: <code>network.vpn.ipsec -&gt; Authentication -&gt; XAuth<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <code><a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/networkvpnalwayson\" data-type=\"link\" data-id=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/networkvpnalwayson\">network.vpn.always-on<\/a><\/code> configuration is pretty much the same as <code><a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/vpn\/alwayson-data.dictionary\">VPN.AlwaysOn<\/a><\/code> with the <code>VPN.DNS<\/code> and <code>VPN.Proxies<\/code> objects folded in.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <code><a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/networkvpnvpnplugin\">network.vpn.vpn-plugin<\/a><\/code> configuration reorganizes the keys relevant for 3rd party VPN clients. Functionality appears to be exactly the same.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/networkrelay\"><code>network.relay<\/code><\/a> configuration is exactly the same as the <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/relay\"><code>Relay<\/code><\/a> profile payload object.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There is no <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/vpn\/ppp-data.dictionary\">L2TP\/IPSec<\/a> configuration. 
While Apple might not have officially deprecated this type (yet), my opinion is that it should be treated as such, and it is unlikely to be added to DDM.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The second missing VPN type is <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/vpn\/transparentproxy-data.dictionary\"><code>TransparentProxy<\/code><\/a>, which was introduced in macOS 14. Perhaps this one was not prioritized since it works only on one platform.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">App layer VPN, configurable with the <code><a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/applayervpn\">AppLayerVPN<\/a><\/code> and <code><a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/apptoapplayervpnmapping\">AppToAppLayerVPNMapping<\/a><\/code> profile payloads, is nowhere to be found in DDM configurations.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Network interfaces<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">There is still no declarative configuration for Cellular, CellularPrivateNetwork, Ethernet and Wi-Fi \ud83e\udd7a<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is especially disappointing for networks with Enterprise authentication, since one of the best things about the DDM design is the separation of user credentials and the actual configuration into two different objects. The goal is for credentials (e.g. a client certificate) to be deployed as assets while the actual config (e.g. a Wi-Fi configuration) is deployed as a configuration. Dependencies can be created between the two classes of objects (a Wi-Fi config requires a client cert for authentication).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With the traditional profile-based configuration deployment, credentials and configurations need to be deployed as payloads within a single configuration profile. 
A typical example would be a single SCEP payload providing a client certificate and several network configuration payloads (Wi-Fi, Ethernet, VPN) referencing the SCEP payload in order to automatically use the client certificate. This tight dependency means that the profile needs to be deployed and updated as a single unit. Admins need to be really careful, since a problem within a single payload (e.g. VPN) prevents the whole profile from being installed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The DDM approach is much more flexible. Each piece can be deployed and updated independently. In practice, the admin could successfully deploy an ACME asset providing a client certificate for the Ethernet, Wi-Fi, and VPN configurations. A problem in the VPN configuration wouldn&#8217;t affect the rest.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">So perhaps next year.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Other network configurations<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/contentcachingservice\">ContentCachingService<\/a> profile payload is being deprecated in macOS 27 and will possibly be removed in macOS 28. The <code><a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/contentcaching\">com.apple.configuration.content-cache.settings<\/a><\/code> declaration is supposed to be used instead. 
Good riddance!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/networkdnssettings\">network.dns-settings<\/a> configuration is exactly the same as the <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/dnssettings\">DNSSettings<\/a> profile payload object.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/networkdnsproxy\">network.dns-proxy<\/a> configuration is exactly the same as the <a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/dnsproxy\">DNSProxy<\/a> profile payload object.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">There is no declarative configuration equivalent for the following profile payloads:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/globalhttpproxy\">GlobalHTTPProxy<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/networkproxyconfiguration\">NetworkProxyConfiguration<\/a> (macOS)<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Conclusion<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">In Apple OS release 27, a decent chunk of network-related settings has been added to declarative configurations. Unfortunately, a big part is still missing. The most glaring omission is the absence of configurations for network interfaces.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>In my opinion, DDM can&#8217;t be considered the standard way to configure networks on Apple devices at this time. 
We are probably many years away from DDM truly becoming the standard.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here is an optimistic timeline:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Apple adds the major missing functionality to the DDM spec with OS release 28 (late 2027).<\/li>\n\n\n\n<li>It takes at least a year for Apple to fix bugs and make the DDM network settings usable in production (late 2028).<\/li>\n\n\n\n<li>MDM vendors finally start migrating network config from profiles to DDM (2029-2030).<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>In the What\u2019s new in managing Apple devices WWDC 2026 video, the presenter emphasizes that Declarative Device Management is no longer the future of Apple Device Management but the standard of Apple Device Management. Let&#8217;s look at the Declarative Device Management (DDM) changes in Apple OS release 27 to see how this claim fares in reality. One &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/macadmin.cz\/?p=1685&#038;lang=en\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;State of network DDM configurations in Apple OS release 
27&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[108,89],"class_list":["post-1685","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-device-management","tag-wwdc"],"_links":{"self":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts\/1685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1685"}],"version-history":[{"count":16,"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts\/1685\/revisions"}],"predecessor-version":[{"id":1715,"href":"https:\/\/macadmin.cz\/index.php?rest_route=\/wp\/v2\/posts\/1685\/revisions\/1715"}],"wp:attachment":[{"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/macadmin.cz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}