In Declarative Device Management there is the Get Server Supported Declarations endpoint that is sent via an MDM Check-In request. Is this supposed to return all of the declarations supported by the server, or only the ones that are intended for the device making the request?
This seems like a bad choice of naming for that endpoint and, if my assumption is correct it should be named more along the lines of "Get Device Declarations"
Or am I fundamentally misunderstanding DDM and our server should be sending all declarations we have to the device and the device controls them via activations? This seems counter to the pitch around scalability and performance improvements that DDM offers if we have to send literally everything to the device even if it's known to not be needed, and similarly if the device doesn't support it but the server does then obviously(?) the server shouldn't send it to the device.
The declarations-items
endpoint in the DeclarativeManagement
CheckIn request returns the set of declarations assigned to the device making the request. The device will use that list to synchronize the set of declarations from the server.
It is up to you to decide what to send to the device. One option is to filter the set of declarations to only those that are expected to be active on the device. The other option is to send declarations that use activations to ensure only those relevant to the device are active.
For example, say you have one set of declarations for iPads, and one set for iPhones. You could create separate activations for each set with predicates that only evaluate to true for the corresponding hardware. You could then choose to send both sets of declarations to the device and let it decide what gets applied. Or, since the server does know the type of device hardware, it can choose to only send the set of declarations relevant to that hardware.
Things get trickier when the factor that controls which sets of declarations to use is more "dynamic". e.g. sets that depend on the passcode compliance state, or the OS version, or some external factor such as a user role. Those are the situations where predicates work best, allowing the device to quickly switch between sets without having to sync the active set each time. Yes it does mean more up front work to provision all possible sets to the device, but there is then less work required when switch sets.