System Updated in iOS 27iOS 27+, macOS 27+ Demo

Declarative Device Management Enhancements (iOS/macOS 27)

iOS and macOS 27 significantly expand declarative device management with new status items, app configuration improvements, consolidated privacy consent prompts, content caching configuration, and enhanced log collection commands. These additions make declarative management the definitive standard for enterprise Apple device management.

DeviceManagementManagedApp

Impact

3/5

What changed from iOS 26

• Device system health status items now expose hardware component state (baseband, camera, Face ID, Touch ID) via the declarative status channel on iOS/iPadOS 27

• New TriggerEnhancedLogCollection MDM command added across iOS, iPadOS, tvOS, and macOS 27

• Consolidated privacy consent prompt introduced for managed apps and Safari websites in iOS, iPadOS, and macOS 27

• Declarative app configuration (ManagedApp framework) expanded to macOS 27, previously only on iOS/iPadOS/visionOS

Why you should care

• New declarative status items (device system health, Lockdown Mode, enrollment type) let MDM servers react to device state changes without polling, dramatically reducing overhead

• Consolidated privacy consent prompts reduce friction for managed app deployments by grouping all permission requests into a single, IT-controlled prompt

• Declarative app configuration now reaches macOS 27 (previously iOS/iPadOS/visionOS only), enabling hardware-bound keys and Managed Device Attestation for enterprise Mac apps

Tiny Demo

Medium

Shows how an MDM-enrolled app reads its declarative management configuration and checks granted privacy permissions using the ManagedApp framework on iOS 27.

import SwiftUI
import ManagedApp

// MARK: - Managed Configuration Reader
// Reads declarative app configuration pushed by the MDM server,
// including privacy consent status granted via the new consolidated prompt.

struct ManagedConfigurationView: View {
    @State private var managedConfig: [String: Any] = [:]
    @State private var privacyConsented: Bool = false
    @State private var configStatus: String = "Loading..."

    var body: some View {
        NavigationStack {
            List {
                Section("Managed Configuration") {
                    ForEach(Array(managedConfig.keys.sorted()), id: \.self) { key in
                        HStack {
                            Text(key)
                                .font(.caption)
                                .foregroundStyle(.secondary)
                            Spacer()
                            Text("\(managedConfig[key] ?? "nil")")
                                .font(.caption2)
                        }
                    }
                    if managedConfig.isEmpty {
                        Text("No managed configuration found")
                            .foregroundStyle(.secondary)
                    }
                }

                Section("Privacy Consent") {
                    Label(
                        privacyConsented ? "User consented via org prompt" : "Consent pending",
                        systemImage: privacyConsented ? "checkmark.shield.fill" : "shield"
                    )
                    .foregroundStyle(privacyConsented ? .green : .orange)
                }

                Section("Status") {
                    Text(configStatus)
                        .font(.caption)
                }
            }
            .navigationTitle("MDM App Config")
            .task {
                await loadManagedConfiguration()
            }
        }
    }

    @MainActor
    private func loadManagedConfiguration() async {
        // ManagedApp.Configuration provides declarative config pushed by MDM
        // This replaces legacy UserDefaults-based managed app config reading
        let config = ManagedApp.Configuration.current

        if let dict = config.dictionary {
            managedConfig = dict
            configStatus = "Declarative config loaded (\(dict.count) keys)"
        } else {
            configStatus = "No declarative config; may be unmanaged device"
        }

        // Check if the organization's consolidated privacy prompt was accepted.
        // When the user taps Allow in the new consolidated prompt, this returns true
        // and your app can proceed without additional permission dialogs.
        privacyConsented = config.privacyConsentGranted
    }
}

// MARK: - App Entry Point
@main
struct ManagedDemoApp: App {
    var body: some Scene {
        WindowGroup {
            ManagedConfigurationView()
        }
    }
}

Source map

What’s new in managing Apple devices

wwdc session · Official

Gotchas

Declarative management requires an MDM server that supports the DDM protocol; existing profile-based MDM configurations are not automatically migrated. The TriggerEnhancedLogCollection command only works on organization-owned supervised devices. Package cleanup on removal (macOS 27) only applies to packages deployed via declarative management, not legacy MDM package commands.

Requirements

MDM enrollment required; some features (device system health status, enhanced log collection) require supervised/organization-owned devices

More iOS 27 APIs land every week.

Get notified when new capabilities are published — no noise, just signal.

All capabilities