文章介绍了移动设备管理(MDM)和声明式设备管理(DDM)中的“设备通道”和“用户通道”概念。“设备通道”用于在整个设备上应用设置,“用户通道”则针对特定用户账户进行管理。MDM注册后,主账户成为受管用户,其他账户无法通过“用户通道”管理。DDM同样使用这两个概念,并通过Safari扩展管理举例说明了不同平台上使用的具体渠道:iOS和visionOS使用“设备通道”,macOS和共享iPad使用“用户通道”。 2025-9-9 12:46:6 Author: derflounder.wordpress.com(查看原文) 阅读量:4 收藏
Declarative device management user channel and device channel
Mobile device management (MDM) has the concept of what’s referred to as channels, which defines how management settings can be delivered:
- Device channel: Allows MDM settings to be delivered to devices and apply device settings to the entire device.
- User channel: Allows MDM settings to be delivered to user accounts on devices and apply user settings just to the relevant users.
When enrolling a device into an MDM server using device enrollment, a couple of things happen as part of the MDM enrollment process:
- The device becomes a managed device.
- The local user account which installs the MDM enrollment profile becomes a managed user.
There’s additional details on what it means to be a managed user, but one of the most important is that in this context, being a managed user means that the local user account can be managed with settings delivered via the user channel. Other local accounts on the Mac are not able to access the user channel and cannot be managed by user level settings.
Declarative device management (DDM) has these same concepts of device channel and user channel and as far as I can tell, it works exactly the same as it does for MDM:
- Device channel: Allows DDM declarations to be delivered to devices and apply device settings to the entire device.
- User channel: Allows DDM declarations to be delivered to MDM-managed user accounts on devices and apply user settings just to the relevant users.
What this means is that a MDM-managed user account is able to be managed via settings delivered by the DDM user channel and other accounts which are not MDM-managed are not part of the DDM user channel and cannot be managed by DDM user level settings.
An example of DDM management which uses the user channel are the Safari extension management options. If you check the documentation, as of September 9th, 2025, Safari extension management has the following configuration availability listing:
- Allowed in supervised enrollment: iOS, macOS, Shared iPad, visionOS
- Allowed in device enrollment: NA
- Allowed in user enrollment: NA
- Allowed in local enrollment: NA
- Allowed in system scope: iOS, visionOS
- Allowed in user scope: macOS, Shared iPad
This means that DDM Safari extension management is using the device channel on the following Apple platforms:
- iOS
- visionOS
DDM Safari extension management is using the user channel on the following Apple platforms:
- macOS
- Shared iPad
如有侵权请联系:admin#unsafe.sh