Intune and Apple WWDC 2026 — What IT Admins Need to Know

Imran Awan
27 June 2026

Microsoft Intune + Apple WWDC 2026: DDM Expansion, App Settings, visionOS & What's Coming

Published 27 June 2026  ·  Apple Platform Management  ·  12 min read

Apple's Worldwide Developers Conference 2026 delivered a significant wave of platform management improvements that directly impact every organisation running Microsoft Intune to manage Apple devices. From the long-awaited expansion of Declarative Device Management (DDM) into networking, app configuration and software update enforcement, to day-zero Settings Catalog support for iOS/iPadOS and macOS 26, Intune admins have a lot to absorb — and act on — before the autumn OS releases land in production.

This post breaks down what was announced, what it means in practice, and where you should be directing your attention right now. References to the official Microsoft guidance are linked throughout; the primary source is the Intune Customer Success WWDC 2026 overview post.

Timing note: Enrollment Time Grouping (ETG) for iOS/iPadOS and macOS reached General Availability at the end of June 2026. Many other DDM-based features described below are tied to the macOS 26 and iOS/iPadOS 26 release cycle — expect them to land in the Intune admin centre in parallel with the Apple beta cycle through summer 2026.

Background: Why DDM Changes Everything

Traditional MDM — the protocol Apple introduced in iOS 4 and macOS Lion — is a request/response model: the MDM server sends a command, the device executes it, and reports back on the next check-in. For years, Intune check-ins occurred roughly every eight hours for enrolled macOS devices and 15 minutes for managed iOS devices under certain conditions. The model works, but it is fundamentally reactive.

Declarative Device Management, introduced in iOS 15/macOS 12, flips the model. The device receives a declaration — a self-contained description of desired state — and autonomously enforces it. The device also pushes status back to the server proactively via a dedicated Status Channel. No polling. No waiting for the next check-in window.

With WWDC 2026, Apple has extended DDM into several new domains simultaneously. MVP Jan Ketil Skanke (regularly referenced in Intune community discussions) has highlighted that the DDM status channel effectively makes the 15-minute MDM check-in cycle obsolete for configurations that have been migrated to declarative policies — policy enforcement now happens at the device, not on the server's schedule.

DDM vs MDM: Capability Comparison

The table below maps current and upcoming capabilities across the two protocols. Understanding this distinction is critical as you plan your configuration architecture for macOS 26 and iOS/iPadOS 26.

Capability Legacy MDM DDM (Current) DDM (macOS/iOS 26+)
Software Update enforcement ⚠ Deprecated in OS 26 ✔ Supported ✔ Required path
App Settings Configuration (binary/plist) ✔ New in macOS 26
Privacy & consent permission management ✔ PPPC profiles ✔ Declarative PPPC
Network configuration (VPN, certificates) ✔ Profiles ✔ DDM Network (cert-based)
Wi-Fi configuration ✔ Profiles ⚠ Not yet (planned)
Package (.pkg) installation ✔ Declarative .pkg
Package uninstall ✔ New in macOS 26
Managed App framework (macOS) ⚠ Partial ⚠ Partial ✔ Extended in macOS 26
Content Caching management ✔ MDM payload ✔ DDM in macOS 27
Status channel (real-time device reporting) ✘ (polling only) ✔ Extended
Assignment filters support ✘ (previously) ✔ Now supported
Enrollment Time Grouping ✔ GA June 2026

App Settings Configuration: The End of Third-Party Tooling for Plist Management

One of the most impactful announcements for macOS admins is the introduction of App Settings Configuration via DDM in macOS 26. Historically, deploying application preferences — configuration plists, per-app settings, licence keys stored as preferences — required either an MDM Custom Attribute payload, a script-based approach using defaults write, or third-party tooling such as Mosyle, Jamf's Configuration Profiles editor, or community utilities maintained by people like MVP Rudy Ooms (whose blog at call4cloud.nl has documented many of these workarounds in detail).

App Settings Configuration allows the MDM — in this case Intune — to declaratively deliver binary-format preference data directly to applications. The device enforces the configuration autonomously. Critically, this also extends to privacy permission management: the Privacy Preferences Policy Control (PPPC) payloads that today ship as MDM configuration profiles will gain a DDM equivalent, meaning consent and TCC database permissions can be enforced declaratively with real-time status reporting rather than waiting for a profile push and reboot cycle.

Practical impact: If your organisation currently deploys configuration plists via shell scripts or third-party packaging tools at enrolment time, App Settings Configuration via DDM should be on your migration roadmap for macOS 26. Native declarative delivery means faster enforcement, no script maintenance overhead, and proper status reporting in the Intune admin centre.

DDM Network Configurations: Certificate-Based Auth, Not Wi-Fi (Yet)

Apple has begun moving network configurations into the declarative model, but it is important to set expectations correctly: Wi-Fi profiles are not part of this initial DDM network expansion. What macOS 26 introduces is support for certificate-based authentication configurations and related network identity declarations. This is meaningful for organisations using 802.1X with SCEP or PKCS certificate delivery, where the relationship between a certificate declaration and the network configuration that relies on it can now be expressed declaratively.

MVP Peter van der Woude has written extensively about certificate delivery strategies in Intune and the dependency chain between SCEP profiles and network access. The DDM network configuration work begins to address these dependency ordering issues — the device can understand that a network configuration requires a certificate and manage that dependency natively.

Wi-Fi profile support via DDM is on Apple's roadmap but was not announced for macOS/iOS 26. Until it ships, Wi-Fi profiles will continue to deploy via traditional MDM payloads. Plan your configuration architecture accordingly — do not architect a pure-DDM policy stack for networking yet.

Do not remove existing Wi-Fi MDM profiles in anticipation of DDM Wi-Fi support. There is no confirmed timeline for this capability. Maintain your existing Wi-Fi configuration profile deployment until an official migration path is documented at learn.microsoft.com.

Faster Intune: The DDM Status Channel Makes 15-Minute Check-Ins Obsolete

For iOS/iPadOS devices, the traditional MDM architecture has meant policy enforcement is tied to check-in cycles. Even with push notifications and the relatively frequent 15-minute MDM check-in for managed devices, there has always been a lag between a policy change in the Intune admin centre and its enforcement on the device.

The DDM Status Channel changes this fundamentally. When a configuration is delivered as a declaration, the device enforces it autonomously and reports status back proactively — not on a polling schedule. For DDM-based policies (software updates, DDM network configurations, App Settings, declarative package installations), the notion of a check-in cycle is architecturally irrelevant. The device self-reports compliance state as it changes.

This has direct implications for your compliance policy architecture. If you have conditional access policies gating resource access on device compliance, and those compliance checks rely on Intune receiving up-to-date device state, DDM-based reporting is inherently faster than MDM polling. As more policy types migrate to DDM — which is clearly Apple's and Microsoft's stated direction — you should expect the admin experience of near-real-time compliance visibility to become the norm rather than the exception.

Declarative Package Management: .pkg Install and Uninstall

macOS 26 extends the DDM Managed App framework to include support for declarative .pkg installation and — notably — package uninstall. Package uninstall has been a persistent pain point in macOS management. The MDM protocol has never provided a native uninstall mechanism for .pkg-based software; administrators have historically needed to ship uninstall scripts, rely on app removal tools, or manage removal through the app's own uninstaller.

Declarative package management addresses this by expressing the desired state of a package (installed or not installed) as a declaration. The device is responsible for achieving and maintaining that state. If the desired state is "not installed" and the package is present, the device removes it.

The Managed App framework extension to macOS also brings macOS closer to feature parity with iOS/iPadOS in terms of app lifecycle management — installation, update, and removal — through a unified declarative model. MVP Michael Niehaus, whose work on Windows Autopilot and Intune device preparation is well-known, has noted in community discussions that the convergence of macOS management toward a model resembling modern Windows management (desired state, self-remediation, proactive reporting) is a significant architectural shift for cross-platform endpoint teams.

Software Update Migration: MDM Deprecated in Apple OS 26

This is the most operationally urgent item from WWDC 2026: Apple has deprecated MDM-based software update management in iOS/iPadOS 26 and macOS 26. Organisations that are still using legacy MDM software update commands — ScheduleOSUpdate, restriction-based deferral profiles, or the older Update-focused MDM commands — must migrate to DDM-based software update declarations before their device fleet upgrades to OS 26.

Microsoft's Intune Customer Success team published dedicated guidance on this migration: Support Tip: Move to Declarative Device Management for Apple Software Updates. The key action is to migrate your iOS/iPadOS and macOS update policies in Intune from the legacy "Software Updates" configuration type to the DDM-backed update policies.

Action required before OS 26 rollout: Audit your Intune software update policies for Apple platforms. Any policy using the legacy MDM update payload must be replaced with a DDM update declaration policy. Devices running OS 26 that receive legacy MDM update commands will not respond to them. Refer to the official migration guide for step-by-step instructions.
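
One way to carry out the audit described above, as an added example (not from this post or from Microsoft's migration guide): the function flags policies whose Microsoft Graph resource type is one of the legacy Apple update types, plus device restriction profiles that have an update deferral set. The sample policies are constructed, and matching deferral settings by the property-name pattern is an assumption.

```powershell
# Added example. Type names are Microsoft Graph deviceConfiguration resource types;
# treating a non-null "softwareUpdate*Delay*" property as an MDM deferral is an assumption.
$LegacyUpdateTypes = @(
    '#microsoft.graph.iosUpdateConfiguration',
    '#microsoft.graph.macOSSoftwareUpdateConfiguration'
)

function Get-LegacyAppleUpdatePolicy {
    param([Parameter(Mandatory)][object[]]$Policy)
    foreach ($p in $Policy) {
        $type   = $p.'@odata.type'
        $reason = $null
        if ($LegacyUpdateTypes -contains $type) {
            $reason = 'Legacy MDM software update policy'
        }
        elseif ($type -match '^#microsoft\.graph\.(ios|macOS)GeneralDeviceConfiguration$') {
            # Device restriction profiles: look for update deferral settings that are set.
            $delay = $p.PSObject.Properties |
                Where-Object { $_.Name -like 'softwareUpdate*Delay*' -and $null -ne $_.Value }
            if ($delay) { $reason = 'Restriction-based deferral: ' + ($delay.Name -join ', ') }
        }
        if ($reason) {
            [pscustomobject]@{
                DisplayName = $p.displayName
                Reason      = $reason
                Assigned    = [bool]$p.assignments   # assigned policies are the urgent ones
            }
        }
    }
}

# Constructed sample, shaped like the "value" array returned by
# GET https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations?$expand=assignments
# Against a tenant: $sample = (Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject).value
$sample = @'
[
 {"@odata.type":"#microsoft.graph.iosUpdateConfiguration","displayName":"iOS updates (legacy)","assignments":[{"id":"a1"}]},
 {"@odata.type":"#microsoft.graph.macOSSoftwareUpdateConfiguration","displayName":"macOS updates (legacy)","assignments":[]},
 {"@odata.type":"#microsoft.graph.iosGeneralDeviceConfiguration","displayName":"iOS restrictions","softwareUpdatesEnforcedDelayInDays":30,"assignments":[{"id":"a2"}]},
 {"@odata.type":"#microsoft.graph.macOSWiFiConfiguration","displayName":"Corp Wi-Fi","assignments":[{"id":"a3"}]}
]
'@ | ConvertFrom-Json

Get-LegacyAppleUpdatePolicy -Policy $sample |
    Sort-Object Assigned -Descending |
    Format-Table -AutoSize
```

Graph returns large result sets in pages, so follow `@odata.nextLink` until it is absent before treating an empty result as a clean audit.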

Content Caching Moving to DDM in macOS 27

Content Caching — Apple's on-network caching service that reduces bandwidth consumption for OS updates, App Store downloads, and iCloud content — is currently managed via an MDM payload. Apple has signalled that Content Caching management will move to DDM in macOS 27. This is a forward-looking item: no immediate action is required for macOS 26 deployments.

However, if your organisation uses Content Caching in managed deployments (common in education and large enterprise environments with bandwidth constraints), note this upcoming migration. The DDM-based Content Caching configuration will offer better state reporting and autonomous enforcement of caching settings, replacing the current payload-based approach.

visionOS and tvOS: ADE Enrollment and Enrollment Time Grouping

Apple Vision Pro running visionOS gains full support for Automated Device Enrollment (ADE) via Apple Business Manager/Apple School Manager in this cycle. This is a significant step for enterprise visionOS deployments — previously, the management story for Vision Pro was more limited. ADE support means visionOS devices can be enrolled into Intune at first boot with supervision, without requiring user interaction beyond initial setup.

tvOS similarly gains ADE enrollment improvements, relevant to organisations managing Apple TV devices in conference rooms, digital signage, or education environments.

Alongside ADE, both platforms benefit from Enrollment Time Grouping (ETG), which reached General Availability for iOS/iPadOS and macOS at the end of June 2026. ETG allows Intune to assign devices to specific Entra ID groups at enrollment time — before the device completes setup — so that the correct policy set is applied from the very first check-in. This eliminates the enrollment gap where a device is enrolled but not yet in the correct group, and therefore receives default or incorrect policies during initial setup.

ETG is now GA: Enrollment Time Grouping for iOS/iPadOS and macOS is generally available as of end of June 2026. If you are running ADE-based enrollments, implement ETG to eliminate the policy application gap at enrollment. Documentation: learn.microsoft.com — Enrollment Time Grouping.

Day-Zero Settings Catalog Support for iOS/iPadOS and macOS 26

Microsoft has committed to day-zero Settings Catalog support for iOS/iPadOS 26 and macOS 26. This means that when Apple releases the public versions of these operating systems in autumn 2026, the new management keys and restrictions introduced in those releases will be available in the Intune Settings Catalog on launch day — no waiting weeks or months for Microsoft to surface new Apple MDM keys.

The official day-zero support announcement from Microsoft's Intune Customer Success team explains the process: Microsoft works alongside Apple's beta cycle to ensure Settings Catalog entries for new keys are built and validated before the GM release. For admins, this means you can begin building and testing Settings Catalog profiles for OS 26 features during the beta cycle itself.

This is particularly valuable given the volume of new DDM-based configuration options arriving with OS 26. Rather than shipping MDM restriction profiles and waiting for Settings Catalog parity, you can build your OS 26 policy stack in the Settings Catalog from day one.

DDM Policies Now Support Assignment Filters

A previously frustrating limitation of DDM-based policies in Intune was the absence of Assignment Filter support. Assignment Filters — which allow policies to be targeted based on device properties such as OS version, device model, enrollment profile name, or custom attributes — are a core part of Intune's targeting architecture. Their absence from DDM policies meant that organisations managing heterogeneous Apple fleets had to use separate policy assignments for DDM configurations rather than the elegant filter-based targeting available for traditional MDM profiles.

This limitation is now resolved. DDM policies in Intune now support Assignment Filters, bringing them to feature parity with MDM-based policies for targeting purposes. If you have worked around this limitation with duplicate policies or nested group structures, you can now simplify your policy architecture using filters.

What to Do Now: Priority Action List

Priority | Action | Timeline
Critical | Migrate Apple software update policies from MDM to DDM in Intune | Before OS 26 rollout (autumn 2026)
High | Implement Enrollment Time Grouping for ADE deployments | Now — GA available
High | Review Assignment Filter configuration for DDM policies | Now — feature available
Medium | Pilot OS 26 beta with Settings Catalog policy testing | Summer 2026 (beta cycle)
Medium | Plan migration of PPPC profiles to declarative DDM equivalents | When macOS 26 reaches GA
Medium | Evaluate declarative .pkg deployment for new macOS app deployments | When macOS 26 reaches GA
Low | Note Content Caching DDM migration (macOS 27) — no immediate action | Plan for 2027
Low | Evaluate visionOS/tvOS ADE enrollment if applicable to your fleet | As needed

This post covers features announced at or following WWDC 2026. Some DDM capabilities described are tied to the macOS 26 and iOS/iPadOS 26 release cycle and will surface in the Intune admin centre in parallel with Apple's beta and GA release schedule. Always validate against your specific Intune tenant configuration and test in a pilot group before broad deployment. Post current as of 27 June 2026.
