Hi,
We're implementing a DDM-capable MDM server. A DEP-enrolled, supervised iPad (iOS 26.4.2) successfully completes manifest synchronization but never proceeds to fetch the individual declaration bodies. Looking for guidance on what we might be missing.
Observed flow (from our server logs):
-
We enqueue a DeclarativeManagement MDM command and APNs-wake the device. The command body is: <key>RequestType</key><string>DeclarativeManagement</string> (no Data field)
-
Device acknowledges the command on the Connect endpoint (Status=Acknowledged).
-
Device calls CheckIn with: MessageType = DeclarativeManagement Endpoint = tokens We respond 200 with: { "SyncTokens": { "DeclarationsToken": "<sha256-hex>", "Timestamp": "2026-05-19T..." } }
-
Device calls CheckIn with: MessageType = DeclarativeManagement Endpoint = declaration-items We respond 200 with: { "Declarations": { "Activations": [{"Identifier":"...","ServerToken":"v1-..."}], "Configurations": [{"Identifier":"...","ServerToken":"v1-..."}], "Assets": [], "Management": [] }, "DeclarationsToken": "<same-sha256-hex-as-step-3>" }
-
---- Nothing further. ---- No request for Endpoint = declaration/activation/<id> No request for Endpoint = declaration/configuration/<id> No status report on Endpoint = status
The MDM channel is healthy. The same device responds normally to non-DDM commands (DeviceInformation, etc.) immediately before and after this flow.
Questions:
-
Is an empty "Management" array acceptable in the declaration-items response, or is at least one declaration (e.g. com.apple.management. organization-info) required before the device will proceed to fetch declaration bodies?
-
The DeclarationsToken returned in step 3 (tokens) and step 4 (declaration-items) are byte-identical. Is that correct, or should they differ in some way?
-
Are there any additional preconditions for the device to begin fetching declaration bodies after receiving the manifest -- e.g. a specific Activation->Configuration linkage we might be missing?
-
Is there a server-side log signal Apple can suggest we look for, or a way to see why the device decided not to fetch?
Activation payload sample we publish:
{
"Type": "com.apple.activation.simple",
"Identifier": "...",
"ServerToken": "v1-...",
"Payload": {
"StandardConfigurations": ["<configuration-identifier-from-step-4>"]
}
}
Configuration payload sample we publish:
{
"Type": "com.apple.configuration.softwareupdate.settings",
"Identifier": "...",
"ServerToken": "v1-...",
"Payload": { ... softwareupdate settings ... }
}
Any pointers appreciated. Happy to share full server-side logs / payloads if useful.
Thanks.