Additional information about Intune's Update Policies for macOS

Update Policies for macOS is essentially a series of MDM commands deployed to the client in order to schedule and enforce macOS updates.

Device requirements:

  • Must be running a supported macOS version.

  • Device must be supervised (MDM managed)

Enforcing Major upgrades via MDM commands

| Current macOS version | Target OS: macOS Monterey | Target: Major update to macOS Monterey |
|---|---|---|
| 11.0-11.3.1 | Not Supported | Not Supported |
| 11.4 | Not Supported | Not Supported |
| 11.5 - 11.6.1 | MDM Commands | MDM Commands |
| 12.0.1+ | | MDM Commands |

Enforcing Minor updates via MDM commands

| macOS version | |
|---|---|
| 12.0.1+ | MDM Commands |
| 13.0+ | MDM Commands |

 

The primary MDM command used to schedule and enforce updates is ScheduleOSUpdate.

ScheduleOSUpdate is configured to run one of the available Action items:

  • InstallASAP

  • InstallForceRestart

  • InstallLater ⚠️ Only applicable to minor updates. The number of times an end user can defer the update is determined by the command’s MaxUserDeferrals key.

  • NotifyOnly

  • DownloadOnly (not available for major OS updates)

Intune’s Update Policies for macOS is essentially an InstallASAP action command that can be scheduled to run at next check-in or within a particular day-time range.

ℹ️ Because the command handles both the download and the installation of the update, there can be long delays and user wait times between when a device receives the ScheduleOSUpdate command and when the update installation is complete. Furthermore, macOS does not provide user-visible progress during the process. The Mac will simply restart when ready.

⚠️ If a Mac is configured to automatically download updates and it receives the install action command for an update that has already been cached or is in progress, macOS will assume that the update is already in progress and consequently not proceed with the installation. To prevent this kind of conflict from occurring, it is recommended that automatic downloads be disabled.

 

Notes on Install Later

  • Install Later deferral is only applicable to minor OS updates

    • Notification prompts occur at the check-in after the update has been downloaded and prepared

    • Notification prompt is once every 24 hours.

    • The maximum user deferrals count decrements when the user closes the Notification window or clicks Remind Me Tomorrow

    • The final notification for installation bypasses Do Not Disturb

  • In combination with software update and deferral settings, roll-out schedule can look like this:

    • Day 1, Apple releases a minor OS update

    • Day 2, pilot devices initiate download and install

    • For Prod devices:

      • Download is initiated on day 7

      • Assuming download is completed and the subsequent check-in is on the same day, user is also prompted to install on day 7

      • If user chooses to defer, they are reprompted on day 8 and 9

      • On day 10 the install is treated as an InstallForceRestart action, with the user presented with a 60 second countdown before reboot.

      • If the user bypasses the deferral countdown (e.g. by rebooting when the first notification occurs), the scheduled update policy will still initiate an InstallForceRestart action as soon as the Mac is online outside of business hours.

Other considerations

  • MacBooks must be plugged in to power for the background download of updates and upgrades to occur - not sure on whether this applies to .

  • In order for the install action to begin, minimum battery % is required. What this minimum % is depends on

    • what type of update is to be installed

    • whether it's an Apple Silicon or Intel Mac

    • The priority value of the action command (applies to minor updates and Apple Silicon only)

 

| | Apple Silicon | Intel |
|---|---|---|
| OS update or upgrade | Priority set to High: 20%; Priority set to Low: 50% | 50% |
| Rapid Security Response | 10% | 20% |

 
  • Firmware updates are usually bundled with OS updates. They can be kept as Not configured or set to the same settings as that for minor updates.

  • All other update types are not expected to require reboots and are therefore set to download and install immediately - which is at next check-in from when update becomes visible to device.

  • For major macOS upgrades the InstallASAP action is applied. This command downloads and installs an update as quickly as possible, but waits for blocking applications, to reduce the risk of data loss.

Differences between InstallASAP and InstallForceRestart actions

 

| | InstallASAP | InstallForceRestart |
|---|---|---|
| Name used by Intune | Download and Install | Install Immediately |
| Can be used for major OS upgrades | Yes | No |
| Download and install mechanism | Downloads and installs an update as quickly as possible, but waits for blocking applications, to reduce the risk of data loss | Downloads and installs an update as quickly as possible, forcing all apps to quit - even if documents havenʼt been saved. |
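
As an added example (not Intune's or Apple's own code), the sketch below builds a ScheduleOSUpdate command payload and rejects the action combinations this page rules out for major upgrades. The function name and the sample version 13.4 are constructed for illustration; the CommandUUID, RequestType, Updates, ProductVersion and Priority keys come from Apple's MDM command format, not from this page.

```python
import plistlib
import uuid

# InstallAction values listed on this page.
ACTIONS = {"InstallASAP", "InstallForceRestart", "InstallLater", "NotifyOnly", "DownloadOnly"}
# Actions the page says cannot be used for a major OS upgrade.
MINOR_ONLY = {"InstallForceRestart", "InstallLater", "DownloadOnly"}


def build_schedule_os_update(product_version, action, major,
                             max_user_deferrals=None, priority=None):
    """Return a ScheduleOSUpdate command as XML plist bytes, or raise ValueError."""
    if action not in ACTIONS:
        raise ValueError(f"unknown InstallAction: {action!r}")
    if major and action in MINOR_ONLY:
        raise ValueError(f"{action} cannot be used for a major OS upgrade")
    update = {"ProductVersion": product_version, "InstallAction": action}
    if max_user_deferrals is not None:
        # The deferral count only has meaning for InstallLater.
        if action != "InstallLater" or max_user_deferrals < 0:
            raise ValueError("MaxUserDeferrals requires InstallLater and a count >= 0")
        update["MaxUserDeferrals"] = max_user_deferrals
    if priority is not None:
        # Priority applies to minor updates (and to Apple Silicon only, which
        # cannot be checked here because the command does not name the hardware).
        if major or priority not in ("Low", "High"):
            raise ValueError("Priority must be Low or High, minor updates only")
        update["Priority"] = priority
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "ScheduleOSUpdate", "Updates": [update]},
    }
    return plistlib.dumps(command)


if __name__ == "__main__":
    # Constructed sample: minor update, three deferrals, high priority.
    print(build_schedule_os_update("13.4", "InstallLater", major=False,
                                   max_user_deferrals=3, priority="High").decode())
```

Running the file prints the XML plist for the sample command; validating a policy this way before assignment catches a deferral or forced-restart action aimed at a major upgrade.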