If you’ve ever wondered why user-level MDM for macOS feels clunky—or worse, completely irrelevant—in today’s Mac management world, the answer lies deep in the history of how macOS used to handle users, groups, and computers.
The Roots: Open Directory and MCX
Back in the day, macOS management revolved around Open Directory (OD). OD managed objects like users, groups, and computers, along with their apps and settings. The underlying engine for applying those settings was MCX (Managed Client for OS X). If you were around then, you probably remember Workgroup Manager—the GUI tool that made OD administration bearable. It was essentially the visual representation of this entire system.
See for yourself: https://www.apple.com/server/docs/Workgroup_Manager_TB_v10.4.pdf
In that world:
- Computer-level policy applied at startup and at regular intervals.
- User-level policy applied at login.
Sound familiar? It should—because when Apple introduced MDM, they didn’t reinvent the wheel. They ported much of this logic from OD to MDM, keeping MCX as the underlying mechanism for applying settings.
From Line-of-Sight to Over-the-Air
OD was a line-of-sight system, similar to how Group Policy works for domain-joined Windows devices in Active Directory. MDM flipped that model on its head, moving to over-the-air management via an MDM server.
Profiles installed at the system level became the equivalent of computer objects in OD. Profiles installed at the user level mirrored user objects in OD.
Here’s the catch: in Workgroup Manager, user objects only applied to OD/LDAP users logging in, not local accounts. When Apple brought this concept into MDM, they assumed a similar relationship—AD/OD/LDAP mobile accounts fetching user-level profiles from MDM, just like OD accounts fetching MCX.
The Bridge That Broke
To make this work for local accounts, Apple built a “bridge.” The idea was simple: tie user-level profiles to the primary local user account on an MDM-managed device. That link was established during enrollment—either by the logged-in user at the time or later via Automated Device Enrollment (ADE) designating the MDM-enabled user.
Fast-forward to today:
- AD binding and mobile accounts? Dead.
- Local accounts linked to cloud identity? The new normal.
And that’s where the wheels fall off. User-level MDM on macOS is rigid, confusing, and often more trouble than it’s worth. It’s a relic of a world that no longer exists.
Enter DDM: The Future
With Declarative Device Management (DDM) now taking center stage as “the way forward,” you’d expect it to resolve this issue, right?
So far, it seems that DDM configurations that can be deployed in “User Scope” have the same challenge: they still need a device-management-enabled user.
At this point, don’t expect Apple to give the artist formerly known as user-level MDM any love in the DDM world. That code is legacy, and to date, it’s staying that way.
What’s Next For Admins?
If you’re managing Macs heading into 2026, here’s what you should do instead of relying on user-level MDM on macOS:
- Simplify Policy Design
Instead of complex user-level policies, design device-based configurations that apply to the system and all users on the device. For exceptions, consider app-level controls or conditional access.
- Integrate Cloud Identity
Use identity providers like Microsoft Entra, Okta, or Google Workspace for authentication and access control. See: How to Hold macOS User Identity in 2025
- Leverage Declarative Device Management (DDM)
Start testing DDM assets and configurations. DDM is the next destination for Apple device management and will eventually replace traditional MDM workflows. Use the same system-and-all-users workflows so you’re not caught with a user that can’t receive the correct settings.
Why Make This Post?
The reason user-level MDM has come up a lot in my conversations lately is its USEFULNESS. Example:
“I want to deploy a unique configuration [like a certificate] to EACH user, when they login”
The Real Problem: user-channel (user-scope) management on a fully managed device is best suited to Macs that multiple users sign into. But the way multiple users sign into a Mac today doesn’t support user-channel MDM for EVERY user.
To understand its origin is to understand its purpose, and to have more empathy for why it doesn’t do what you would expect.
Bottom line: Stop fighting Apple’s tech debt. Embrace system-level management (MDM and DDM) – it’s the sustainable future (for now 😉) of macOS device management.