Managing Software Updates with MDM

Last updated December 6, 2021

In this article, we discuss how to forcibly delay software updates on devices, how to remotely install software updates, and the different options for controlling the software update experience for end-users.

Deferring OS Software Updates

Apple provides MDM with multiple options for delaying software updates and OS updates on devices. These can be found within the native Restrictions profile in SimpleMDM.

So what do these options do?

The “OS update delay” options prevent users from installing operating system updates for up to 90 days after Apple publicly releases the update.

Example #1: Delaying major macOS updates

Goal: Let’s say that you want to prevent your managed Macs from updating to macOS Monterey so you have time to test and ensure compatibility with all of your business apps and processes. 

Solution: Use the “macOS major OS update delay” option to specify the number of days after the Monterey public release until you want users to be able to install the OS update.

For example, if you set “macOS major OS update delay” to “90 days”, Mac users won’t be able to install the macOS Monterey update until 90 days have passed since the public release, which occurred on October 25th, 2021. This means your users won’t be able to install macOS Monterey until January 23, 2022.

Example #2: Allowing macOS security updates for prior OS versions

Goal: Continuing with our previous example, let’s say you want to prevent users from performing major OS updates, but you want to ensure that your users have access to the most recent security updates for macOS in the meantime. You also still want to test these beforehand.

Solution: In this scenario, you can set the “macOS minor OS update delay” option to “7 days”. This way you have a week to test security updates before users can install them, but they can still be installed within a reasonable amount of time to ensure you are following security best practices.

Example #3: Delaying iOS updates

Goal: For the sake of our example, let’s say that you are deploying a custom app internally and you want to test your app before your users can upgrade to a newer iOS version, and you need at least 30 days to do so. 

Solution: In this case, you can use the “iOS OS update delay” option and set it to “30 days” to prevent users from updating within a 30-day window from Apple’s public release date. This gives you some time to test your app and ensure functionality before users start upgrading.

Example #4: Delaying macOS app updates

Goal: You want to ensure that you have adequate time to test updates to business apps on macOS before your users can start downloading them.

Solution: Enable the “macOS software update delay” option for the amount of time needed. 
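The deferral windows from Examples #1 and #2, as an added example that is not SimpleMDM's own code: it reads the Restrictions payload of a configuration profile and reports when each update class becomes installable, flagging a security-update deferral longer than 7 days. It assumes the SimpleMDM options map onto Apple's `com.apple.applicationaccess` deferral keys as used on macOS 11.3 or later; the sample profile is constructed, and `deferrals` and `audit` are hypothetical helper names.

```python
import plistlib
from datetime import date, timedelta

# Constructed sample profile (not a SimpleMDM export): 90-day major and
# 7-day minor deferral, matching Examples #1 and #2 above.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>forceDelayedMajorSoftwareUpdates</key><true/>
    <key>enforcedSoftwareUpdateMajorOSDeferredInstallDelay</key><integer>90</integer>
    <key>forceDelayedSoftwareUpdates</key><true/>
    <key>enforcedSoftwareUpdateMinorOSDeferredInstallDelay</key><integer>7</integer>
  </dict></array>
</dict></plist>"""

# Update class -> (enabling flag, class-specific delay key).
CLASSES = {
    "major": ("forceDelayedMajorSoftwareUpdates",
              "enforcedSoftwareUpdateMajorOSDeferredInstallDelay"),
    "minor": ("forceDelayedSoftwareUpdates",
              "enforcedSoftwareUpdateMinorOSDeferredInstallDelay"),
    "non_os": ("forceDelayedAppSoftwareUpdates",
               "enforcedSoftwareUpdateNonOSDeferredInstallDelay"),
}

def deferrals(profile_bytes):
    """Return {class: deferral days} from Restrictions payloads; 0 = none."""
    result = dict.fromkeys(CLASSES, 0)
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for name, (flag, key) in CLASSES.items():
            if payload.get(flag):
                # Assumption: fall back to the generic key, then to 30 days.
                days = payload.get(key, payload.get("enforcedSoftwareUpdateDelay", 30))
                result[name] = max(result[name], min(int(days), 90))
    return result

def audit(profile_bytes, released, max_minor_days=7):
    """Return (date each class becomes installable, list of findings)."""
    days = deferrals(profile_bytes)
    available = {n: released + timedelta(days=d) for n, d in days.items()}
    findings = []
    if days["minor"] > max_minor_days:  # 7 days is the window from Example #2
        findings.append(f"minor/security updates deferred {days['minor']} days")
    return available, findings

if __name__ == "__main__":
    print(audit(SAMPLE_PROFILE, date(2021, 10, 25)))  # Monterey release date
```

Run it against a profile exported from your MDM and the release date of the update in question to see how long devices stay unpatched under the current settings.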

Installing OS Software Updates

SimpleMDM supports multiple options for managing the installation of OS updates on iOS, tvOS, and macOS.

iOS and tvOS software updates:

In order to install iOS and tvOS software updates on devices entirely remotely, Apple requires devices to meet certain conditions. These include that the device: has Supervised Mode enabled, has detected an available OS update, has sufficient battery life or is plugged into a power source, is connected to WiFi, and has enough storage capacity to install the update.

It is worth noting that if a device has a passcode set to unlock it when a remote update is sent via MDM, iOS will prompt the user to enter their passcode to allow the installation of the update. The update file is still able to be downloaded without user interaction. If you want to install an iOS update without any user interaction, the device must not have a passcode in place.

There are three ways to initiate an iOS or tvOS update via SimpleMDM:

  1. To upgrade a single device, click on the device to go to the Device Details screen. Next to the “OS version” field, there will be a button available, allowing you to update the iOS version. If no button is available, the device does not have Supervised Mode enabled and/or has not detected an available update.
  2. To upgrade multiple devices at once, go to the main Devices page. Select the devices you’d like to upgrade and then, from the “Actions” drop down menu in the upper right, select “Update OS Version”.
  3. Use a “Software Update Policy for iOS” profile. This profile allows you to schedule particular time ranges during which devices will check for available iOS updates and download/install them if possible. This profile can be created under Configs > Profiles in the admin interface.

The update command is sent to your device(s), which will update shortly.

It is worth noting that iOS software updates are a multi-step process. In some scenarios, if an OS update was downloaded but did not get installed, you may need to send the “Install Update” command a second time to 

macOS Software Updates:

In macOS Monterey, Apple introduced some new options to give administrators more control over the software update experience on Macs. We will cover these new options as well as review the other related options that exist within MDM.

Software Update Policy for macOS Profile

This profile provides several options for configuring software update settings and controlling software update behavior.

Software Update – System Preferences

This section of the profile allows you to remotely configure the settings that you will find on macOS under System Preferences > Software Updates > Advanced, as well as a few other settings.

Within this section of the profile, the following options exist:

Check for updates: when enabled, macOS automatically checks for available software updates.

Download new updates when available: when enabled, macOS automatically downloads software updates.

Install macOS updates: when enabled, macOS tries to install macOS software updates when available. User interaction may still be required.

Install app updates from the App Store: when enabled, macOS tries to install updates for apps installed from the App Store. User interaction may still be required.

Install system data files and security updates: when enabled, macOS tries to install security updates when available. User interaction may still be required.

This section of the profile also features some other options, including:

Allow pre-release software installation: when disabled, users are restricted from installing Apple beta software prior to public release.

Require admin for app installation: when enabled, users are forced to authenticate with admin credentials in order to install apps.

Updates to Display: this option allows admins to control which update versions are available to the user to install when an update is pushed.

  • All available update versions: allow users to install all available updates.
  • Lowest versioned update only: allow users to install only the oldest available updates (meaning the user can only install the next version available that follows the one currently installed).
  • Highest versioned update only: allow users to install only the most recent available updates.

Managed OS Updates

This section of the profile allows you to initiate remote macOS updates and control the behavior that users see when installing the updates. The options in this section of the profile require macOS 12 or higher.

Mode (select one):

  • Smart Update: Automatically installs updates when macOS deems it to be an opportune time. Updates typically take place overnight while the Mac is not in use and is plugged in to power.
  • Notify Only: Alerts the user when an update is available, with the option to update. The user sees a prompt notifying them of the update and they choose to proceed with the update or ignore it.
  • Disabled: Do not provoke updates automatically. Updates are not installed automatically and the user does not see a notification.

“Install Update” Command

If macOS detects that a software update is available, you can send a command to install the OS software update as soon as possible. This command requires macOS 12 or higher.

There are two ways to send this command within SimpleMDM:

  1. From the Device Details page (single device): When a compatible device has detected an OS update is available, an “Install Update” button is shown next to the “OS Version” field. Click “Install Update” to push the update immediately.
  2. From the main Devices list (multiple devices): To push an OS update to multiple devices at once, go to the main Devices page, check the box next to the device names, then click “Actions” and select “Update OS version”.

Summary

The options covered in this article provide administrators with a great deal of control over how and when OS and app updates can be installed on managed devices. Whether it is forcibly delaying new updates, pushing new updates, or even controlling which updates users can install, this is possible via SimpleMDM.
