Questions for Device Management lab:

Question: As part of watching the device management session, I made the following note about the new software update configuration options:

-----
Introducing new software update configuration
- Control default notification behavior
- Show notifications only 1 hour before enforcement times and the restart countdown
-----

For the new notification behavior, does this mean that you can set the notifications to begin appearing a maximum of one hour before you reach the enforcement deadline? If not, what does this mean?

Answer: This is designed for service devices, like a kiosk or Zoom Room, where you don't want a bunch of notifications. Instead, this is designed to minimize notifications in those cases where you just want to enforce updates.

Question: As part of watching the device management session, I made the following note:

-----
Install IT management tools and other binaries using DDM
- Tools and binaries are delivered via .zip archive files.
-----

For the delivery mechanism, how does this work? Do you convert a zip file to Base64 encoding and add it to a profile? Also, is there any way to set permissions on the delivered tools and binaries? The reason I'm asking is that normally permissions on files extracted from a zip file aren't preserved.

Answer: It's the same thing as the service configuration files introduced for DDM in Sonoma, where configurations for sudo, Apache, SSH, etc. can be defined and enforced on a device. This uses a .zip archive stored at a download URL, where the DDM configuration has the URL location referenced.
Please see here for an example configuration: https://github.com/macadmins/ddm_examples/blob/main/assets/io.macadmins.asset.zsh.json

-----
{
    "Identifier": "io.macadmins.asset.zsh",
    "Type": "com.apple.asset.data",
    "Payload": {
        "Reference": {
            "ContentType": "application/zip",
            "DataURL": "https://files.macadmins.io/zsh-0.0.3.zip",
            "Hash-SHA-256": "5ae05f6f3e0fa45e73512b716a52b13e5702ffbeeca5784d953257f3d4d696d4"
        }
    },
    "Authentication": {
        "Type": "None"
    }
}
-----

The read and execute permissions for the tools and binaries would need to be defined prior to creating the zip archive (write permissions do not need to be set as it'll be stored in a tamper-resistant location). The POSIX permissions will be encoded within the zip, as provided for by the zip standard.

For more details, see the following link: https://github.com/apple/device-management/blob/seed_iOS-18.0_macOS-15.0/declarative/declarations/configurations/services.background-tasks.yaml

Question: As part of watching the device management session, I made the following note:

-----
Install IT management tools and other binaries using DDM
- Tools and scripts are installed in a tamper-resistant location
-----

Where is the tamper-resistant location?

Answer: It's a /var/db location, but I can't find the location right now. Will follow up. You may be able to find out as well by filing feedback.

Question: As part of watching the device management session, I made the following note:

-----
Disk management configuration
- Manage external and network storage
- Allows IT admins to define a mount policy:
  - Allowed
  - Not allowed
  - Allowed as read-only
-----

For the disk management configuration, is this a global applies-to-all external storage mount policy? Or can it be made more granular? For context, my shop would be interested in allowing external drives that are using Apple's software encryption to secure their data, but block not-encrypted drives.

Answer: It is a declarative configuration (DDM).
It doesn't have granularity currently, so you can define one configuration for external storage and one configuration for network storage (you could have one configuration which covers both external storage and network storage).

For more details, see the following link: https://github.com/apple/device-management/blob/seed_iOS-18.0_macOS-15.0/declarative/declarations/configurations/diskmanagement.settings.yaml
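
For the .zip asset answer above (permissions defined before archiving, and the Hash-SHA-256 value in the Reference), the following is an added example, not code from the session, Apple, or the ddm_examples repository. It builds an archive with POSIX modes recorded, reads the modes back, and computes the hash; the file name, the URL, and the requirement of read and execute for all users are assumptions.

```python
import hashlib, io, stat, zipfile

FIXED_TIME = (2024, 1, 1, 0, 0, 0)  # constant timestamp keeps the archive hash reproducible

def build_asset_zip(files):
    """files maps archive path -> (bytes, POSIX mode). Returns the zip as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            data, mode = files[name]
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.create_system = 3  # 3 = Unix: high 16 bits of external_attr hold st_mode
            info.external_attr = (stat.S_IFREG | mode) << 16
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()

def stored_modes(zip_bytes):
    """Return {path: permission bits} as recorded in the archive (0 if none stored)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: stat.S_IMODE(i.external_attr >> 16) if i.create_system == 3 else 0
                for i in zf.infolist()}

def missing_read_execute(zip_bytes, required=0o555):
    """List entries lacking read+execute bits (assumed requirement: r-x for all users)."""
    modes = stored_modes(zip_bytes)
    return sorted(p for p, m in modes.items() if (m & required) != required)

def asset_reference(data_url, zip_bytes):
    """Build the Reference dictionary using the keys from the page's example."""
    return {
        "ContentType": "application/zip",
        "DataURL": data_url,
        "Hash-SHA-256": hashlib.sha256(zip_bytes).hexdigest(),
    }

if __name__ == "__main__":
    # Constructed sample input: a one-line zsh script, mode r-xr-xr-x (no write bits).
    archive = build_asset_zip({"bin/hello": (b"#!/bin/zsh\necho hello\n", 0o555)})
    print(stored_modes(archive), missing_read_execute(archive))
    print(asset_reference("https://files.example.invalid/hello-0.0.1.zip", archive))
```

Any change to the archive after the hash is computed, including re-zipping with a different timestamp, produces a different Hash-SHA-256, so the value should be computed from the exact bytes that are uploaded to the DataURL.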